windows64-bitwindbg
In Windbg what command will display all function names or addresses that call a specific function?
I need to obtain the addresses (absolute) of all functions that call the below function. Can this be done in Windbg ?
The function that I would like to find all callers of is KeBugCheckEx
lkd> uf nt!KeBugCheckEx
Solution
That cannot be a realistic requirement
KeBugCheckEx is an exported Function as such it can be called by AnyOne who wants to call it
dumpbin /exports c:\Windows\System32\ntoskrnl.exe | findstr "KeBugCheckEx"
1114 442 003F8FA0 KeBugCheckEx
over and above as commented by Raymond chen indirect calls are not resolvable statically
still if you want to go ahead try this
this may scrap around 50% hopefully :)
0: kd> lm m nt
start end module name
fffff800`73800000 fffff800`74846000 nt (pdb symbols) f:\symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb
0: kd> .hh
0: kd> # KeBugCheckEx fffff800`73800000 L?(fffff800`74846000-fffff800`73800000)
*** WARNING: Unable to verify timestamp for volmgrx.sys
nt!ExAcquireFastMutexUnsafe+0x12f:
fffff800`73a0971f e87cf81e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!MiIdentifyPfn+0xd1b:
fffff800`73a0d94b e850b61e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquireFastMutex+0x14a:
fffff800`73a0dbaa e8f1b31e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquireCacheAwarePushLockSharedEx+0x14a:
fffff800`73a0df1a e881b01e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquirePushLockExclusiveEx+0x146:
fffff800`73a0e4b6 e8e5aa1e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquirePushLockSharedEx+0x13d:
fffff800`73a0e66d e82ea91e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExReleaseResourceLite+0x18d:
fffff800`73a0ef7d e81ea01e00 call nt!KeBugCheckEx (fffff800`73bf8fa0)
nt!ExAcquireResourceExclusiveLite+0x2eb:
:>python -c print(len((open('callkebug.txt','r')).readlines())) 3224
