What does this function do?

Often I’m asked about what a particular function that we see on a stack trace does. Over the time I found the following function name and purpose mining techniques and resources useful:

  • - We might need to strip or replace prefixes and suffixes like

NtUserGetMessage

GetMessageW

ZwReadFile <-> NtReadFile

  • - Search in MSDN, Platform SDK and WDK (formerly DDK) help
  • - Various blogs like this excellent summary:

A catalog of NTDLL kernel mode to user mode callbacks

  • - Reverse engineering and logical deduction:

 What is KiFastSystemCallRet?

  • - Various books like this:

Windows NT/2000 Native API Reference

Buy from Amazon

  • - Win32 API emulators like WINE
  • - and finally Windows source code if you are a Microsoft source code licensee or a participant in Windows Academic Program.
  • - Sometimes Internet search finds the description of the whole stack trace collection from the class of common processes like this one:

Production Debugging for .NET Framework Applications 

- Dmitry Vostokov @ DumpAnalysis.org -

Leave a Reply

You must be logged in to post a comment.