
Unable to read the UNWIND_INFO of ntdll


I'm trying to read the unwinding information in ntdll.dll.
For some reason I'm getting weird results. I thought I was doing something wrong, but then I used "dumpbin" to see what it gets me, and I received the same.
00002BD4 00016FAA 00016FCF 00141991
00002BE0 00016FCF 0001701B 0014355D
00002BEC 0001701B 00017060 00144CCD
00002BF8 00017060 00017067 00124440 --> from here forward, it's ok...
Unwind version: 1
Unwind flags: None
Size of prologue: 0x07
Count of codes: 3
Unwind codes:
07: ALLOC_SMALL, size=0x48
03: PUSH_NONVOL, register=rsi
02: PUSH_NONVOL, register=rbx

The first 3 lines display the address of the runtime function info, the start and end address of the runtime function and the address of the unwinding information.
I can find the first 3 lines myself with my program, but what I get when reading it makes no sense.
Does anybody know what the first 3 "runtime function" entries that I can also see with dumpbin (but I can't see their information) mean?
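
An added example, not part of the original post: the UnwindData values of the first three entries in the listing (00141991, 0014355D, 00144CCD) are odd, while an UNWIND_INFO must be DWORD-aligned; winnt.h defines RUNTIME_FUNCTION_INDIRECT (0x1) for that low bit, which marks the field as a reference to another RUNTIME_FUNCTION entry instead of an UNWIND_INFO. The sketch below checks that bit and decodes a version-1 UNWIND_INFO; the function names are hypothetical and the sample bytes are constructed to match the dumpbin output quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint8_t offset, op, info; uint32_t value; } UnwindCode;

/* Bit 0 of UnwindData set: the field points at another RUNTIME_FUNCTION
   (at the RVA with the bit cleared), not at an UNWIND_INFO. */
static int unwind_data_is_indirect(uint32_t unwind_data) { return (int)(unwind_data & 1u); }
static uint32_t unwind_data_rva(uint32_t unwind_data) { return unwind_data & ~1u; }

/* Constructed sample: version 1, no flags, prologue 7, 3 codes, padded to 4 slots. */
static const uint8_t SAMPLE[] = {0x01,0x07,0x03,0x00, 0x07,0x82, 0x03,0x60, 0x02,0x30, 0x00,0x00};

/* Decode a version-1 UNWIND_INFO of len bytes. Returns codes decoded, -1 if malformed. */
static int decode_unwind_info(const uint8_t *p, size_t len, UnwindCode *out, int max) {
    if (len < 4 || (p[0] & 7) != 1) return -1;      /* low 3 bits hold the version */
    size_t count = p[2], i = 0;                     /* count is in 2-byte slots */
    int n = 0;
    if (4 + 2 * count > len) return -1;
    while (i < count) {
        const uint8_t *c = p + 4 + 2 * i;
        UnwindCode k = { c[0], (uint8_t)(c[1] & 0x0F), (uint8_t)(c[1] >> 4), 0 };
        size_t slots;
        switch (k.op) {
        case 0: case 3: case 10: slots = 1; break;  /* PUSH_NONVOL, SET_FPREG, PUSH_MACHFRAME */
        case 2: slots = 1; k.value = k.info * 8u + 8u; break;         /* ALLOC_SMALL */
        case 1: if (k.info > 1) return -1; slots = k.info ? 3 : 2; break; /* ALLOC_LARGE */
        case 4: case 8: slots = 2; break;           /* SAVE_NONVOL, SAVE_XMM128 */
        case 5: case 9: slots = 3; break;           /* SAVE_NONVOL_FAR, SAVE_XMM128_FAR */
        default: return -1;                         /* not a version-1 opcode */
        }
        if (i + slots > count || n >= max) return -1;   /* operand runs past the array */
        if (slots > 1) k.value = (uint32_t)c[2] | (uint32_t)c[3] << 8;
        if (slots > 2) k.value |= (uint32_t)c[4] << 16 | (uint32_t)c[5] << 24;
        if (k.op == 4 || (k.op == 1 && k.info == 0)) k.value *= 8;    /* scaled by 8 */
        if (k.op == 8) k.value *= 16;                                  /* scaled by 16 */
        out[n++] = k; i += slots;
    }
    return n;
}

int main(void) {
    UnwindCode out[8];
    int n = decode_unwind_info(SAMPLE, sizeof SAMPLE, out, 8);
    for (int j = 0; j < n; j++)
        printf("%02X: op=%d info=%d value=0x%X\n", out[j].offset, out[j].op, out[j].info, (unsigned)out[j].value);
    printf("0x00141991 indirect=%d rva=0x%08X\n", unwind_data_is_indirect(0x00141991u), (unsigned)unwind_data_rva(0x00141991u));
    return 0;
}
```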
