« Microsoft DLL Help Database
What was this process doing? »

What does this function do?

Often I’m asked about what a particular function that we see on a stack trace does. Over the time I found the following function name and purpose mining techniques and resources useful:

  • - We might need to strip or replace prefixes and suffixes like

NtUserGetMessage

GetMessageW

ZwReadFile <-> NtReadFile

  • - Search in MSDN, Platform SDK and WDK (formerly DDK) help
  • - Various blogs like this excellent summary:

A catalog of NTDLL kernel mode to user mode callbacks

  • - Reverse engineering and logical deduction:

 What is KiFastSystemCallRet?

  • - Various books like this:

Windows NT/2000 Native API Reference

Buy from Amazon

  • - Win32 API emulators like WINE
  • - and finally Windows source code if you are a Microsoft source code licensee or a participant in Windows Academic Program.
  • - Sometimes Internet search finds the description of the whole stack trace collection from the class of common processes like this one:

Production Debugging for .NET Framework Applications 

- Dmitry Vostokov @ DumpAnalysis.org -

This entry was posted on Saturday, April 19th, 2008 at 5:53 pm and is filed under Books, Crash Dump Analysis, Debugging, Stack Trace Collection, Tools. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

You must be logged in to post a comment.