Description
The clock interrupt sometimes happens while you execute a long piece of code.
It will dispatch DPCs, which may cause the kernel thread stack to be swapped to a new one.
This happens frequently when you enable more than one kernel ETW event.


As the screenshot reads,
if you walk the stack from &retaddr (ffffec80'a19fe3c0) to RspBase (ffffec80'9e630010), you will hit invalid memory at ffffec80'9e63fb0 or ffffec80'a19fdf40, depending on which direction you stack-walk from.
According to RtlWalkFrameChain from wrk1.2, we should call IoGetStackLimit to get the correct thread stack limit so that the stack-walk does not access invalid memory.
SAD NEWS: The GetCpuClock hook has been patched by M1CR0$0FT since 18950; a GetCpuClock
value other than [0, 1, 2, 3] now causes a KERNEL_SECURITY_CHECK_FAILURE BugCheck.
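The point of the report above is that a frame-chain walk must stop at the thread's real stack bounds rather than at whatever RspBase was recorded earlier, because a DPC can move the thread onto a different stack between the two reads. The following is an added illustration, not code from the project or from wrk1.2: a portable user-mode simulation of a bounds-checked rbp-chained walk. The kernel's IoGetStackLimit / RspBase pair is replaced by a constructed `stack_bounds_t` (the names `stack_bounds_t`, `walk_frame_chain` and `run_sample` are hypothetical), and the "stack" is an ordinary array in which the last frame's saved link deliberately points outside the bounds, the same shape as the dangling link in the screenshot.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's thread stack bounds (hypothetical type):
 * stack_limit plays the role of IoGetStackLimit(), stack_base the role of RspBase. */
typedef struct {
    uintptr_t stack_limit;   /* lowest valid address */
    uintptr_t stack_base;    /* one past the highest valid address */
} stack_bounds_t;

/* True if [addr, addr + bytes) lies entirely inside the bounds (with wrap-around guard). */
static int in_bounds(const stack_bounds_t *b, uintptr_t addr, size_t bytes) {
    return addr >= b->stack_limit && addr + bytes > addr && addr + bytes <= b->stack_base;
}

/* Walk an rbp-chained frame list: each frame is [saved_rbp, return_address].
 * Every frame is bounds-checked BEFORE it is dereferenced, so a link that leaves
 * the thread's stack ends the walk instead of touching unmapped memory.
 * Returns the number of return addresses stored in out[]. */
size_t walk_frame_chain(const stack_bounds_t *b, uintptr_t start_rbp,
                        uintptr_t *out, size_t max_frames) {
    uintptr_t rbp = start_rbp;
    size_t n = 0;
    while (n < max_frames) {
        if (!in_bounds(b, rbp, 2 * sizeof(uintptr_t)))
            break;                              /* frame would be outside [limit, base) */
        const uintptr_t *frame = (const uintptr_t *)rbp;
        uintptr_t saved_rbp = frame[0];
        uintptr_t retaddr   = frame[1];
        if (retaddr == 0)
            break;                              /* end-of-chain marker */
        out[n++] = retaddr;
        if (saved_rbp <= rbp)
            break;                              /* frames must move toward the base */
        rbp = saved_rbp;
    }
    return n;
}

/* Constructed sample stack: three chained frames; the third frame's saved rbp
 * points past the end of the array, like a link into a stack the thread no longer owns. */
#define SAMPLE_WORDS 16
static uintptr_t sample_stack[SAMPLE_WORDS];

static stack_bounds_t build_sample(void) {
    memset(sample_stack, 0, sizeof sample_stack);
    stack_bounds_t b = { (uintptr_t)&sample_stack[0], (uintptr_t)&sample_stack[SAMPLE_WORDS] };
    sample_stack[2]  = (uintptr_t)&sample_stack[6];  sample_stack[3]  = 0x1000;  /* frame A */
    sample_stack[6]  = (uintptr_t)&sample_stack[10]; sample_stack[7]  = 0x2000;  /* frame B */
    sample_stack[10] = b.stack_base + 0x40;          sample_stack[11] = 0x3000;  /* frame C, dangling link */
    return b;
}

/* Walk from frame A; expected: 3 return addresses, then a clean stop at the dangling link. */
size_t run_sample(uintptr_t *out, size_t max_frames) {
    stack_bounds_t b = build_sample();
    return walk_frame_chain(&b, (uintptr_t)&sample_stack[2], out, max_frames);
}

size_t sample_frame_count(void) { uintptr_t out[8]; return run_sample(out, 8); }

uintptr_t sample_retaddr(size_t i) {
    uintptr_t out[8];
    size_t n = run_sample(out, 8);
    return i < n ? out[i] : 0;
}

/* Start at the last word of the array: a full frame would not fit, so nothing is read. */
size_t run_from_edge(void) {
    uintptr_t out[8];
    stack_bounds_t b = build_sample();
    return walk_frame_chain(&b, (uintptr_t)&sample_stack[SAMPLE_WORDS - 1], out, 8);
}

int main(void) {
    uintptr_t out[8];
    size_t n = run_sample(out, 8);
    for (size_t i = 0; i < n; i++)
        printf("frame %zu: return address 0x%llx\n", i, (unsigned long long)out[i]);
    printf("walk from edge captured %zu frames\n", run_from_edge());
    return 0;
}
```

The check that matters is the `in_bounds` test before each dereference: with the bounds taken from the thread's current stack (what IoGetStackLimit gives in the kernel case) the walk simply ends at frame C's dangling link, whereas a walk that trusts a stale RspBase would read through it.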
