
How to read the function parameters from call stack frames programmatically in Windows?

I was trying to walk through the call stack frames and extract some information from them. I am able to extract the file names, line numbers, and function names by using the StackWalk64, SymGetSymFromAddr64, and SymGetLineFromAddr64 APIs from WinDBG.

However, the DWORD64 Params[4] in STACKFRAME64, which is a return value from StackWalk64, only supports reading back four 64-bit function parameters from a frame. Even worse, on a 32-bit system, only the lower 32 bits of Params[4] are used, so a single parameter with more than 32 bits needs two or more elements.

typedef struct _tagSTACKFRAME64 {
  ADDRESS64 AddrPC;
  ADDRESS64 AddrReturn;
  ADDRESS64 AddrFrame;
  ADDRESS64 AddrStack;
  ADDRESS64 AddrBStore;
  PVOID     FuncTableEntry;
  DWORD64   Params[4];
  BOOL      Far;
  BOOL      Virtual;
  DWORD64   Reserved[3];
  KDHELP64  KdHelp;
} STACKFRAME64, *LPSTACKFRAME64;

I couldn't find any API to read ALL the parameters from a stack frame without limitation.

I was thinking of using ebp/rbp to extract the values from the stack (x86/x64) and the registers (x64). But still, only the "possible" values of the parameters can be obtained if I do this.

Is there any API I could use to get the accurate values? It would be even better if I can get the type and name of the parameters.

There is no API for it. Why should there be any? Modern OSes are not interested in some folks playing with this stuff. As said earlier, the compiler is free to make optimizations, so you can't have any deterministic tool to do it. But there are heuristics! You can know how many parameters a function has if you parse the assembly before the call or the ret after the call, and you always have the return address, which you can check to see whether it is in CS.

Above all, you should read about the term 'stack unwinding'.
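The heuristics mentioned in the answer, as an added example that is not part of the original post: it checks that a candidate return address is preceded by a CALL, reads the callee's ret imm16 (stdcall), and goes slightly beyond the answer by also reading the caller's stack cleanup at the return address (cdecl). It assumes 32-bit x86 code with 4-byte stack slots; the function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: call rel32 ; add esp, 0Ch  (cdecl caller, 3 dword args) */
static const uint8_t sample_cdecl[] = {0xE8, 0x10, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x0C};
/* Constructed sample: pop ebp ; ret 8  (stdcall callee epilogue, 2 dword args) */
static const uint8_t sample_stdcall[] = {0x5D, 0xC2, 0x08, 0x00};

/* Does a CALL end right before ret_off? Only the opcode (E8, or FF with ModRM
   reg field 2) is checked, not the operand encoding: false positives are possible. */
int preceded_by_call(const uint8_t *code, size_t len, size_t ret_off)
{
    static const size_t ff_lens[] = {2, 3, 4, 6, 7};   /* lengths of FF /2 forms */
    if (ret_off > len) return 0;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return 1;   /* call rel32 */
    for (size_t i = 0; i < sizeof ff_lens / sizeof ff_lens[0]; i++) {
        size_t n = ff_lens[i];
        if (ret_off >= n && code[ret_off - n] == 0xFF && ((code[ret_off - n + 1] >> 3) & 7) == 2) return 1;
    }
    return 0;
}

/* cdecl: bytes the caller removes from the stack at the return address, or -1. */
long cdecl_arg_bytes(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return -1;
    const uint8_t *p = code + ret_off;
    size_t left = len - ret_off;
    if (left >= 3 && p[0] == 0x83 && p[1] == 0xC4 && p[2] < 0x80) return p[2]; /* add esp, imm8 */
    if (left >= 1 && p[0] == 0x59) return (left >= 2 && p[1] == 0x59) ? 8 : 4; /* pop ecx x1/x2 */
    return -1;   /* no recognizable cleanup: stdcall callee, no args, or optimized away */
}

/* stdcall: bytes the callee pops, read from its RET at offset off, or -1. */
long stdcall_arg_bytes(const uint8_t *code, size_t len, size_t off)
{
    if (off >= len) return -1;
    if (code[off] == 0xC3) return 0;                 /* plain ret: no callee cleanup */
    if (code[off] == 0xC2 && len - off >= 3) return code[off + 1] | code[off + 2] << 8;
    return -1;
}

int main(void)
{
    printf("cdecl args: %ld, stdcall args: %ld\n",
           cdecl_arg_bytes(sample_cdecl, sizeof sample_cdecl, 5) / 4,
           stdcall_arg_bytes(sample_stdcall, sizeof sample_stdcall, 1) / 4);
    return 0;
}
```

The result is a byte count of stack arguments, not a list of typed parameters: an 8-byte argument and two 4-byte arguments look the same.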
