
StackBase and StackLimit offsets

To save a symbol lookup in a debugger extension, here are the hardcoded offsets of StackBase and StackLimit in the TEB (user mode) and the KTHREAD (kernel mode), listed per architecture and NT version.

User Mode 32bit

0:000> dt nt!_TEB.Stack*
ntdll!_TEB
   +0x000 NtTib :
      +0x004 StackBase : Ptr Void
      +0x008 StackLimit : Ptr Void

User Mode 64bit

0:000> dt nt!_TEB NtTib.Stack*
ntdll!_TEB
   +0x000 NtTib :
      +0x008 StackBase : Ptr64 Void
      +0x010 StackLimit : Ptr64 Void

Kernel Mode 32bit

0:000> dt nt!_KTHREAD Stack*
ntdll!_KTHREAD
   +0x01c StackLimit : Ptr Void   (NT v5.0 - Windows 2000)
   +0x01c StackLimit : Ptr Void   (NT v5.1 - Windows XP SP3)
   +0x01c StackLimit : Ptr Void   (NT v5.2 - Windows 2003 SP2)
   +0x02c StackLimit : Ptr Void   (NT v6.0 - Windows Vista/2008)
   +0x02c StackLimit : Ptr Void   (NT v6.1 - Windows 7/2008R2)
   +0x15c StackBase  : Ptr Void   (NT v5.0 - Windows 2000)
   +0x15c StackBase  : Ptr Void   (NT v5.1 - Windows XP SP3)
   +0x158 StackBase  : Ptr Void   (NT v5.2 - Windows 2003 SP2)
   +0x174 StackBase  : Ptr Void   (NT v6.0 - Windows Vista/2008)
   +0x194 StackBase  : Ptr Void   (NT v6.1 - Windows 7/2008R2)

Kernel Mode 64bit

0:000> dt nt!_KTHREAD Stack*
ntdll!_KTHREAD
   +0x??? StackLimit : Ptr64 Void (NT v5.1 - Windows XP SP3)
   +0x??? StackLimit : Ptr64 Void (NT v5.2 - Windows 2003 SP2)
   +0x030 StackLimit : Ptr64 Void (NT v6.0 - Windows Vista/2008)
   +0x030 StackLimit : Ptr64 Void (NT v6.1 - Windows 7/2008R2)
   +0x??? StackBase  : Ptr64 Void (NT v5.1 - Windows XP SP3)
   +0x??? StackBase  : Ptr64 Void (NT v5.2 - Windows 2003 SP2)
   +0x250 StackBase  : Ptr64 Void (NT v6.0 - Windows Vista/2008)
   +0x278 StackBase  : Ptr64 Void (NT v6.1 - Windows 7/2008R2)
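The way a debugger extension would consume these numbers, as an added example that is not code from the original post: the offsets for the TEB (x86/x64) and the NT 6.1 KTHREAD are taken from the listings above; the memory-reader callback, the fake TEB images, their addresses and the stack values are all constructed here so the code runs offline, and the reader's shape (read `len` bytes at a target address) is only assumed to resemble what a debugger engine hands an extension. It reads StackBase/StackLimit with the pointer width that matches the architecture, checks whether an address lies inside the thread's stack, and shows why a plausibility check on the pair (StackLimit must be below StackBase, since the stack grows down) is worth keeping when the offsets are hardcoded rather than resolved from symbols: applying the wrong architecture's offsets yields garbage that the check rejects.

```c
#include <stdint.h>
#include <string.h>

/* Hardcoded field offsets from the dt listings above (TEB for user mode,
   KTHREAD for kernel mode); ptr_size decides the read width. */
typedef struct {
    const char *name;
    size_t ptr_size;    /* 4 on x86, 8 on x64 */
    size_t stack_base;  /* offset of StackBase from the start of the structure */
    size_t stack_limit; /* offset of StackLimit */
} stack_offsets_t;

const stack_offsets_t TEB_X86 = { "TEB x86", 4, 0x004, 0x008 };
const stack_offsets_t TEB_X64 = { "TEB x64", 8, 0x008, 0x010 };
const stack_offsets_t KTHREAD_X86_NT61 = { "KTHREAD x86 NT 6.1", 4, 0x194, 0x02c };
const stack_offsets_t KTHREAD_X64_NT61 = { "KTHREAD x64 NT 6.1", 8, 0x278, 0x030 };

/* Memory reader in the shape a debugger engine offers an extension (assumed):
   read `len` bytes at target address `addr` into `out`, 0 on success. */
typedef int (*read_mem_fn)(void *ctx, uint64_t addr, void *out, size_t len);

/* Read one pointer-sized field and widen it to 64 bits (little-endian target). */
static int read_ptr(read_mem_fn rd, void *ctx, uint64_t addr, size_t n, uint64_t *out)
{
    uint8_t buf[8] = {0}; uint64_t v = 0;
    if ((n != 4 && n != 8) || rd(ctx, addr, buf, n) != 0) return -1;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)buf[i] << (8 * i);
    *out = v;
    return 0;
}

/* Fetch StackBase/StackLimit of the TEB or KTHREAD at struct_addr.
   0 on success, -1 on a failed read, -2 if the pair is not a plausible
   stack (the stack grows down, so StackLimit must be below StackBase). */
int get_stack_bounds(read_mem_fn rd, void *ctx, uint64_t struct_addr,
                     const stack_offsets_t *off, uint64_t *base, uint64_t *limit)
{
    if (read_ptr(rd, ctx, struct_addr + off->stack_base, off->ptr_size, base) != 0) return -1;
    if (read_ptr(rd, ctx, struct_addr + off->stack_limit, off->ptr_size, limit) != 0) return -1;
    return (*limit < *base) ? 0 : -2;
}

/* 1 when addr lies in [StackLimit, StackBase), i.e. inside the committed stack. */
int is_on_stack(uint64_t addr, uint64_t base, uint64_t limit)
{
    return addr >= limit && addr < base;
}

/* --- constructed target: a fake TEB image served through the reader --- */
typedef struct { uint64_t start; uint8_t *bytes; size_t len; } fake_mem_t;

static int fake_read(void *ctx, uint64_t addr, void *out, size_t len)
{
    fake_mem_t *m = (fake_mem_t *)ctx;
    if (addr < m->start || addr + len > m->start + m->len) return -1;
    memcpy(out, m->bytes + (addr - m->start), len);
    return 0;
}

static void put_le(uint8_t *p, uint64_t v, size_t n)
{
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Build a TEB image with layout `real`, then read it back assuming layout `assumed`. */
static int fake_teb_bounds(const stack_offsets_t *real, const stack_offsets_t *assumed,
                           uint64_t sb, uint64_t sl, uint64_t *base, uint64_t *limit)
{
    uint8_t teb[0x40] = {0};
    fake_mem_t mem = { 0x7FF700000000ULL, teb, sizeof teb }; /* constructed TEB address */
    put_le(teb + real->stack_base, sb, real->ptr_size);
    put_le(teb + real->stack_limit, sl, real->ptr_size);
    return get_stack_bounds(fake_read, &mem, mem.start, assumed, base, limit);
}

/* Is `probe` on the constructed x64 stack [0xA1AFFF0000, 0xA1B0000000)? 1/0, -1 on read error. */
int demo_x64_check(uint64_t probe)
{
    uint64_t b, l;
    return fake_teb_bounds(&TEB_X64, &TEB_X64, 0xA1B0000000ULL, 0xA1AFFF0000ULL, &b, &l) == 0
           ? is_on_stack(probe, b, l) : -1;
}

/* Same for a constructed x86 stack [0x00120000, 0x00130000), read with 4-byte pointers. */
int demo_x86_check(uint64_t probe)
{
    uint64_t b, l;
    return fake_teb_bounds(&TEB_X86, &TEB_X86, 0x00130000ULL, 0x00120000ULL, &b, &l) == 0
           ? is_on_stack(probe, b, l) : -1;
}

/* Failure mode: x86 offsets applied to an x64 TEB read StackBase as 0 and the low
   dword of the real StackBase as StackLimit; the plausibility check returns -2. */
int demo_wrong_offsets(void)
{
    uint64_t b, l;
    return fake_teb_bounds(&TEB_X64, &TEB_X86, 0xA1B0000000ULL, 0xA1AFFF0000ULL, &b, &l);
}
```

In a real extension the `read_mem_fn` would wrap the engine's virtual-memory read and `struct_addr` would be the TEB or KTHREAD address of the thread under inspection; the offsets table is what you select by architecture and NT version, and the `-2` path is the signal that the table entry does not match the target.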