From: Pavel A. on
Windbg shows the nearest symbol to the address -
which appears to be KiFastSystemCallRet

--pa

"rotor cli" <rotorcli(a)gmail.com> wrote in message
news:763d2d2e-d0b3-44c5-bcd0-84b55a1de85d(a)o35g2000vbi.googlegroups.com...
> On 21 Eylül, 21:55, "Pavel A." <pave...(a)12fastmail34.fm> wrote:
>> "rotor cli" <rotor...(a)gmail.com> wrote in message
>>
>> news:9f4448ea-245d-4319-bfcb-d3c63cf9368d(a)d34g2000vbm.googlegroups.com...
>>
>>
>>
>> > 1: kd> kL
>> > ChildEBP RetAddr
>> > a5a2ac64 80502d26 nt!KiSwapContext+0x2f
>> > a5a2ac70 804faf20 nt!KiSwapThread+0x8a
>> > a5a2ac98 805a4d6c nt!KeWaitForSingleObject+0x1c2
>> > a5a2ad48 8054086c nt!NtReplyWaitReceivePortEx+0x3dc
>> > a5a2ad48 7c91eb94 nt!KiFastCallEntry+0xfc
>> > 00a0fe18 7c91e399 ntdll!KiFastSystemCallRet
>> > 00a0fe1c 77e56703 ntdll!NtReplyWaitReceivePortEx+0xc
>> > 00a0ff80 77e56c22 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0xf4
>> > 00a0ff88 77e56a3b RPCRT4!RecvLotsaCallsWrapper+0xd
>> > 00a0ffa8 77e56c0a RPCRT4!BaseCachedThreadRoutine+0x79
>> > 00a0ffb4 7c80b683 RPCRT4!ThreadStartRoutine+0x1a
>> > 00a0ffec 00000000 kernel32!BaseThreadStart+0x37
>>
>> > In system calls, if (for example as above call stack)
>> > NtReplyWaitReceivePortEx calls ntdll!KiFastSystemCall (offset
>> > SharedUserData!SystemCallStub (7ffe0300)), then why can't we see it in
>> > the call stack chain?
>>
>> That's because what is pushed onto the stack is the return address
>> and not the call address. KiFastSystemCallRet apparently is the address
>> where these kernel calls return.
>>
>> --pa
>
> Yes I searched and found that:
> 0:001> u poi(0x7ffe0300)
> ntdll!KiFastSystemCall:
> 7c82ed50 8bd4 mov edx,esp
> 7c82ed52 0f34 sysenter
> ntdll!KiFastSystemCallRet:
> 7c82ed54 c3 ret
>
> This is interesting. So the last ret indicates calling ntdll!
> KiFastSystemCallRet. And windbg sees that and it doesn't show
> KiFastSystemCall. Right?
> I have never seen such a thing. Can you please give me some more
> information about how it is so? Is it related to sysenter?
>
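To make Pavel's point concrete (the stack holds return addresses, and the debugger labels each one with the nearest preceding symbol), here is a small added Python model of that lookup. It is not code from the thread or from WinDbg. The two ntdll addresses for KiFastSystemCall (0x7c82ed50) and KiFastSystemCallRet (0x7c82ed54) come from the disassembly quoted above; every other symbol address and the frame list are constructed placeholders so the script runs offline.

```python
import bisect

# Constructed symbol table: (module, symbol, start address).
# The two KiFastSystemCall* addresses are the ones quoted in the thread;
# the remaining addresses are made up for this example.
SYMBOLS = [
    ("ntdll", "KiFastSystemCall", 0x7C82ED50),
    ("ntdll", "KiFastSystemCallRet", 0x7C82ED54),
    ("ntdll", "NtReplyWaitReceivePortEx", 0x7C82F100),          # constructed
    ("RPCRT4", "LRPC_ADDRESS::ReceiveLotsaCalls", 0x77E56600),  # constructed
]
_SORTED = sorted(SYMBOLS, key=lambda s: s[2])
_STARTS = [s[2] for s in _SORTED]


def nearest_symbol(addr):
    """Label addr as 'module!symbol+0xoff' using the greatest symbol start
    that is <= addr. This is the 'nearest symbol' rule a debugger applies
    to a bare return address it finds on the stack."""
    i = bisect.bisect_right(_STARTS, addr) - 1
    if i < 0:
        return "0x%08x" % addr            # no symbol covers this address
    module, name, start = _SORTED[i]
    off = addr - start
    return f"{module}!{name}" + (f"+0x{off:x}" if off else "")


def walk_stack(frames):
    """frames: list of (child_ebp, return_address). Returns rows shaped like
    WinDbg's 'kL' output: ChildEBP, RetAddr, symbolic name."""
    return [(f"{ebp:08x}", f"{ret:08x}", nearest_symbol(ret))
            for ebp, ret in frames]


# Constructed user-mode frames mirroring the quoted stack. The stub in
# NtReplyWaitReceivePortEx does 'call [SharedUserData!SystemCallStub]', so the
# address pushed for that frame is inside NtReplyWaitReceivePortEx (+0xc), not
# KiFastSystemCall. Execution after sysenter resumes at the 'ret' at
# KiFastSystemCallRet, so that is the address recorded for the innermost frame.
FRAMES = [
    (0x00A0FE18, 0x7C82ED54),   # resume point after sysenter
    (0x00A0FE1C, 0x7C82F10C),   # NtReplyWaitReceivePortEx+0xc
    (0x00A0FF80, 0x77E566F4),   # LRPC_ADDRESS::ReceiveLotsaCalls+0xf4
]

if __name__ == "__main__":
    print("ChildEBP RetAddr")
    for ebp, ret, sym in walk_stack(FRAMES):
        print(ebp, ret, sym)
```

Because no return address ever points into KiFastSystemCall itself (the only two bytes before the `ret` are the `mov edx,esp` and `sysenter`, and nothing returns to them), that symbol never appears in a backtrace; the closest address that does get recorded is the `ret` labelled KiFastSystemCallRet.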