/*! RtlLookupFunctionEntry
* \brief Locates the RUNTIME_FUNCTION entry corresponding to a code address.
* \ref http://msdn.microsoft.com/en-us/library/ms680597(VS.85).aspx
* \todo Implement HistoryTable
*/
PRUNTIME_FUNCTION
NTAPI
RtlLookupFunctionEntry(
IN DWORD64 ControlPc,
OUT PDWORD64 ImageBase,
OUT PUNWIND_HISTORY_TABLE HistoryTable)
{
PRUNTIME_FUNCTION FunctionTable, FunctionEntry;
ULONG TableLength;
ULONG IndexLo, IndexHi, IndexMid;
/* Find the corresponding table */
FunctionTable = RtlLookupFunctionTable(ControlPc, ImageBase, &TableLength);
/* Fail, if no table is found */
if (!FunctionTable)
{
return NULL;
}
/* Use relative virtual address */
ControlPc -= *ImageBase;
/* Do a binary search */
IndexLo = 0;
IndexHi = TableLength;
while (IndexHi > IndexLo)
{
IndexMid = (IndexLo + IndexHi) / 2;
FunctionEntry = &FunctionTable[IndexMid];
if (ControlPc < FunctionEntry->BeginAddress)
{
/* Continue search in lower half */
IndexHi = IndexMid;
}
else if (ControlPc >= FunctionEntry->EndAddress)
{
/* Continue search in upper half */
IndexLo = IndexMid + 1;
}
else
{
/* ControlPc is within limits, return entry */
return FunctionEntry;
}
}
/* Nothing found, return NULL */
return NULL;
}
BOOLEAN
RtlIsValidHandler (
IN PEXCEPTION_ROUTINE Handler
)
{
PULONG FunctionTable;
ULONG FunctionTableLength;
PVOID Base;
FunctionTable = RtlLookupFunctionTable(Handler, &Base, &FunctionTableLength);
if (FunctionTable && FunctionTableLength) {
PEXCEPTION_ROUTINE FunctionEntry;
LONG High, Middle, Low;
if ((FunctionTable == LongToPtr(-1)) && (FunctionTableLength == (ULONG)-1)) {
// Address is in an image that shouldn't have any handlers (like a resource only dll).
RtlInvalidHandlerDetected((PVOID)((ULONG)Handler+(ULONG)Base), LongToPtr(-1), -1);
return FALSE;
}
// Bias the handler value down by the image base and see if the result
// is in the table
(ULONG)Handler -= (ULONG)Base;
Low = 0;
High = FunctionTableLength;
while (High >= Low) {
Middle = (Low + High) >> 1;
FunctionEntry = (PEXCEPTION_ROUTINE)FunctionTable[Middle];
if (Handler < FunctionEntry) {
High = Middle - 1;
} else if (Handler > FunctionEntry) {
Low = Middle + 1;
} else {
// found it
return TRUE;
}
}
// Didn't find it
RtlInvalidHandlerDetected((PVOID)((ULONG)Handler+(ULONG)Base), FunctionTable, FunctionTableLength);
return FALSE;
}
PRUNTIME_FUNCTION
RtlpLookupFunctionEntryForStackWalks (
IN ULONG64 ControlPc,
OUT PULONG64 ImageBase
)
/*++
Routine Description:
This function searches the currently active function tables for an entry
that corresponds to the specified control PC. This function does not
consider the runtime function table.
Arguments:
ControlPc - Supplies the address of an instruction within the specified
function.
ImageBase - Supplies the address of a variable that receives the image base
if a function table entry contains the specified control PC.
Return Value:
If there is no entry in the function table for the specified PC, then
NULL is returned. Otherwise, the address of the function table entry
that corresponds to the specified PC is returned.
--*/
{
ULONG64 BaseAddress;
ULONG64 BeginAddress;
ULONG64 EndAddress;
PRUNTIME_FUNCTION FunctionEntry;
PRUNTIME_FUNCTION FunctionTable;
LONG High;
ULONG Index;
LONG Low;
LONG Middle;
ULONG RelativePc;
ULONG SizeOfTable;
//
// Attempt to find an image that contains the specified control PC. If
// an image is found, then search its function table for a function table
// entry that contains the specified control PC.
// If an image is not found then do not search the dynamic function table.
// The dynamic function table has the same lock as the loader lock,
// and searching that table could deadlock a caller of RtlpWalkFrameChain
//
//
// attempt to find a matching entry in the loaded module list.
//
FunctionTable = RtlLookupFunctionTable((PVOID)ControlPc,
(PVOID *)ImageBase,
&SizeOfTable);
//
// If a function table is located, then search for a function table
// entry that contains the specified control PC.
//
if (FunctionTable != NULL) {
Low = 0;
High = (SizeOfTable / sizeof(RUNTIME_FUNCTION)) - 1;
RelativePc = (ULONG)(ControlPc - *ImageBase);
while (High >= Low) {
//
// Compute next probe index and test entry. If the specified
// control PC is greater than of equal to the beginning address
// and less than the ending address of the function table entry,
// then return the address of the function table entry. Otherwise,
// continue the search.
//
Middle = (Low + High) >> 1;
FunctionEntry = &FunctionTable[Middle];
if (RelativePc < FunctionEntry->BeginAddress) {
High = Middle - 1;
} else if (RelativePc >= FunctionEntry->EndAddress) {
Low = Middle + 1;
} else {
break;
}
}
if (High < Low) {
FunctionEntry = NULL;
}
} else {
