Jump to content
  • Advertisement
Sign in to follow this  
Idov

Unable to read the UNWIND_INFO of ntdll

This topic is 2351 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

I'm trying to read the unwinding information in ntdll.dll.
for some reason I'm getting weird results. I thought I was doing something wrong, but then I used "dumpbin" to see what it gets me, and I received the same.
00002BD4 00016FAA 00016FCF 00141991
00002BE0 00016FCF 0001701B 0014355D
00002BEC 0001701B 00017060 00144CCD
00002BF8 00017060 00017067 00124440 --> from here forward, it's ok...
Unwind version: 1
Unwind flags: None
Size of prologue: 0x07
Count of codes: 3
Unwind codes:
07: ALLOC_SMALL, size=0x48
03: PUSH_NONVOL, register=rsi
02: PUSH_NONVOL, register=rbx

The 3 first lines display the address of the runtime function info, the start and end address of the runtime function and the address of the unwinding information.
I can find the first 3 lines myself with my program, but what I get when reading it makes no sense.
Does anybody know what the 3 first "runtime function" that I can also see with dumpbin (But I can't see their information) mean?

Share this post


Link to post
Share on other sites
Advertisement
Sign in to follow this  

  • Advertisement
×

Important Information

By using GameDev.net, you agree to our community Guidelines, Terms of Use, and Privacy Policy.

We are the game development community.

Whether you are an indie, hobbyist, AAA developer, or just trying to learn, GameDev.net is the place for you to learn, share, and connect with the games industry. Learn more About Us or sign up!

Sign me up!