[RTL/x64] Improve RtlWalkFrameChain to handle user mode

tkreuzer · Dec 27, 2024 · 9802803 · 9802803
1 parent 1ea3af8
commit 9802803
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/sdk/lib/rtl/amd64/unwind.c b/sdk/lib/rtl/amd64/unwind.c
@@ -943,6 +943,7 @@ RtlWalkFrameChain(OUT PVOID *Callers,
     PVOID HandlerData;
     ULONG i, FramesToSkip;
     PRUNTIME_FUNCTION FunctionEntry;
+    MODE CurrentMode = RtlpGetMode();
 
     DPRINT("Enter RtlWalkFrameChain\n");
 
@@ -990,15 +991,26 @@ RtlWalkFrameChain(OUT PVOID *Callers,
             }
 
             /* Check if we are in kernel mode */
-            if (RtlpGetMode() == KernelMode)
+            if (CurrentMode == KernelMode)
             {
                 /* Check if we left the kernel range */
-                if (!(Flags & 1) && (Context.Rip < 0xFFFF800000000000ULL))
+                if (Context.Rip < 0xFFFF800000000000ULL)
                 {
-                    break;
+                    /* Bail out, unless user mode was requested */
+                    if ((Flags & 1) == 0)
+                    {
+                        break;
+                    }
+
+                    /* We are in user mode now, get UM stack bounds */
+                    CurrentMode = UserMode;
+                    StackLow = (ULONG64)NtCurrentTeb()->NtTib.StackLimit;
+                    StackHigh = (ULONG64)NtCurrentTeb()->NtTib.StackBase;
                 }
             }
-            else
+
+            /* Check (again) if we are in user mode now */
+            if (CurrentMode == UserMode)
             {
                 /* Check if we left the user range */
                 if ((Context.Rip < 0x10000) ||