How to trace Stack Frame manually with just raw program memory record?


I have a memory dump of a program, and I am aware of the range of the stack memory. My question revolves around identifying the stack frame within this chunk of memory. In simpler terms, how can I pinpoint the portion of memory where the return address, which is pushed onto the stack after a 'call' instruction, is stored?

I came across an article, which recommends using Frame Pointer Unwinds. It explains that at the start of a stack frame, the return address is pushed, followed by the frame pointer. The frame pointer points to a memory address in the previous stack frame, which, in turn, contains the memory address of the even earlier one, and so on. By tracing these addresses, one can navigate through all the stack frames. However, despite analyzing my dump data, I have been unable to establish this chain of memory.

I'm seeking advice or techniques from anyone who might have a solution to this issue. Can anyone offer hints or methods to help me with this problem?

Note that I cannot use CaptureStackBackTrace; I can only check the expected executable status of a memory page. I am working on a Windows x86-64 system.

I've been reading numerous online resources and analyzing data from memory dumps, but I don't know which approach to use to determine the stack frame.
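The frame-pointer chain described in the question, as an added example that is not part of the original post: it scans a raw stack dump for slots that point into executable memory and keeps the longest chain of `[saved frame pointer][return address]` records. The function names, the sample dump and the `in_code` range check (a stand-in for the page-protection check mentioned above) are assumptions, as is the premise that the code was built to keep a frame pointer.

```python
import struct

def read_qword(stack, base, addr):
    """Return the little-endian qword at virtual address addr, or None if outside the dump."""
    off = addr - base
    if addr % 8 or off < 0 or off + 8 > len(stack):
        return None
    return struct.unpack_from("<Q", stack, off)[0]

def candidate_return_slots(stack, base, is_executable):
    """Heuristic: every aligned stack slot whose value points into an executable page."""
    slots = ((base + off, read_qword(stack, base, base + off))
             for off in range(0, len(stack) - 7, 8))
    return [(addr, value) for addr, value in slots if is_executable(value)]

def walk_frame_chain(stack, base, frame_ptr, is_executable):
    """Follow [saved frame pointer][return address] records toward older frames."""
    frames = []
    while True:
        saved = read_qword(stack, base, frame_ptr)
        ret = read_qword(stack, base, frame_ptr + 8)
        if saved is None or ret is None or not is_executable(ret):
            break
        frames.append((frame_ptr, ret))
        if saved <= frame_ptr:  # a valid link always points to a higher address
            break
        frame_ptr = saved
    return frames

def longest_chain(stack, base, is_executable):
    """With no known starting frame pointer, try each candidate slot as a record's upper half."""
    chains = (walk_frame_chain(stack, base, addr - 8, is_executable)
              for addr, _ in candidate_return_slots(stack, base, is_executable))
    return max(chains, key=len, default=[])

# Constructed sample: 16 qwords at BASE; code is assumed mapped at CODE_LO..CODE_HI.
BASE, CODE_LO, CODE_HI = 0x10000, 0x7FF600001000, 0x7FF600009000
SAMPLE = struct.pack("<16Q",
    0x1111, 0x7FF600001234,            # stale code pointer, not part of any chain
    BASE + 0x30, 0x7FF600002000,       # frame record at BASE+0x10
    0, 0x2222,
    BASE + 0x58, 0x7FF600003000,       # frame record at BASE+0x30
    0, 0, 0,
    0, 0x7FF600004000,                 # oldest record at BASE+0x58 (saved pointer 0)
    0, 0, 0)

def in_code(value):
    """Stand-in for the executable-page check; here a simple constructed range."""
    return CODE_LO <= value < CODE_HI
```

On the sample, `longest_chain(SAMPLE, BASE, in_code)` returns the three linked records and skips the stale pointer. If a real dump yields only empty or one-element chains, the code was probably not built with frame pointers, and the list from `candidate_return_slots` is the remaining heuristic.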
