4
votes

I am trying to debug a very old game called "Ballmaster" (whose source code I do not possess) using WinDbg. I attached WinDbg to the game when a dialog is shown so that the call stack of the UI thread does not change.

Here is a list of the running threads:

Thread View

When I click on the Ballmaster thread, the following call stack is presented:

ntdll!NtDelayExecution + 0xc
KERNELBASE!SleepEx + 0x99
KERNELBASE!Sleep + 0xf
USER31!HookedCreateWindowExA + 0x41
DlgBox!Ordinal49 + 0x35dd
DlgBox!Ordinal49 + 0x4d58
uxtheme!ThemePreDefDlgProc + 0x83
USER32!UserCallDlgProcCheckWow + 0x2a8
USER32!DefDlgProcWorker + 0xc7
USER32!DefDlgProcA + 0x25
USER32!_InternalCallWinProc + 0x2b
USER32!UserCallWinProcCheckWow + 0x2d3
USER32!SendMessageWorker + 0x26c
USER32!InternalCreateDialog + 0xb07
USER32!CreateDialogIndirectParamAorW + 0x35
USER32!CreateDialogIndirectParamA + 0x1b
DlgBox!Ordinal49 + 0x52bf

Ballmaster is the main UI thread, and it is frozen at dialog creation. However, the bottom-most function recorded in the call stack is DlgBox!Ordinal49, which is found in DlgBox.dll, which is loaded by the executable.

Obviously that is not the complete call stack: since this is the main thread, the main() method in the executable cannot have exited/returned, as otherwise the process would have closed.

Then why does the call stack end with a function in a DLL instead of a function in the main executable? How do I view the full call stack?

!address DlgBox!Ordinal49+0x52bf presents the following:

Usage:                  Image
Base Address:           028e1000
End Address:            028f2000
Region Size:            00011000 (  68.000 kB)
State:                  00001000          MEM_COMMIT
Protect:                00000020          PAGE_EXECUTE_READ
Type:                   01000000          MEM_IMAGE
Allocation Base:        028e0000
Allocation Protect:     00000080          PAGE_EXECUTE_WRITECOPY
Image Path:             C:\Users\mathu\Desktop\Games\Ballmaster\CrtC0B.tmp\DlgBox.DLL
Module Name:            DlgBox
Loaded Image Name:      C:\Users\mathu\Desktop\Games\Ballmaster\CrtC0B.tmp\DlgBox.DLL
Mapped Image Name:      
More info:              lmv m DlgBox
More info:              !lmi DlgBox
More info:              ln 0x28e52bf
More info:              !dh 0x28e0000
1
But if PDB files (with frame information) are not available for all modules in the stack, on x86 it is not always possible to get the full stack trace. The debugger assumes that a function uses an EBP frame (push ebp; mov ebp,esp at the beginning) and walks this EBP chain, but if some function does not use this frame, the stack trace can stop there. - RbMm
Ah, so is there a way to try out different frame types? - MathuSum Mut

1 Answer

3
votes

.kframes <FrameCountDefault>:

The .kframes command sets the default length of a stack trace display.

[...]

If you never issue the .kframes command, the default count is 20 (0x14).

If you use the k command, you can also specify a length, e.g. k Lfff
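RbMm's comment on the question describes how the debugger follows the saved-EBP chain when no PDB/FPO data is available, and the answer above points at the .kframes default of 20 frames. The simulation below is an added example, not code from the question, the answer, WinDbg or the game: it lays out a constructed six-frame 32-bit stack shaped like the question's (module names taken from the question's call stack; every address except 0x28e52bf is made up, and Ballmaster!WinMain and the thread-start stub are hypothetical names), then walks it the way an EBP-chain walker does. Making the DlgBox frame FPO-compiled reproduces the question's symptom: the walk shows DlgBox!Ordinal49+0x52bf as the last frame and never reaches the executable, because that frame's [ebp] slot no longer holds a frame pointer. A third run shows the frame-count limit cutting the display short instead.

```python
"""Simulated x86 EBP-chain stack walk (added example; not WinDbg's code)."""
import struct

STACK_BASE = 0x0012_0000        # constructed address of the simulated 32-bit stack
STACK_SIZE = 0x100
STACK_TOP = STACK_BASE + STACK_SIZE

# Constructed symbol table: 0x028e52bf is the DlgBox address !address reported
# in the question; every other address is made up for the simulation.
SYMBOLS = {
    0x77A1000C: "ntdll!NtDelayExecution+0xc",
    0x75901099: "KERNELBASE!SleepEx+0x99",
    0x7590200F: "KERNELBASE!Sleep+0xf",
    0x7600101B: "USER32!CreateDialogIndirectParamA+0x1b",
    0x028E52BF: "DlgBox!Ordinal49+0x52bf",
    0x004011A0: "Ballmaster!WinMain+0x1a0",            # hypothetical frame in the .exe
    0x75701012: "kernel32!BaseThreadInitThunk+0x12",   # hypothetical thread-start stub
}
THREAD_START_RET = 0x75701012
SCRATCH_EBP = 0x00000005   # what FPO code may leave in ebp, e.g. a loop counter


class Func:
    def __init__(self, pc, uses_frame):
        self.pc = pc                  # eip for the leaf, else the return address into this function
        self.uses_frame = uses_frame  # True: `push ebp; mov ebp,esp` prologue; False: FPO code


class StackImage:
    """Little-endian 32-bit memory for the simulated stack region."""

    def __init__(self):
        self.mem = bytearray(STACK_SIZE)

    def readable(self, addr, size):
        return STACK_BASE <= addr and addr + size <= STACK_TOP

    def write32(self, addr, value):
        struct.pack_into("<I", self.mem, addr - STACK_BASE, value)

    def read32(self, addr):
        return struct.unpack_from("<I", self.mem, addr - STACK_BASE)[0]


def build_stack(funcs):
    """Lay the stack out as the CPU would, outermost function first; return (stack, eip, ebp)."""
    stack = StackImage()
    sp = STACK_TOP
    ebp = 0                                   # thread-start stub leaves ebp = 0
    sp -= 4
    stack.write32(sp, THREAD_START_RET)       # `call funcs[0]` from the start stub
    for i, fn in enumerate(funcs):
        if fn.uses_frame:                     # prologue: push ebp; mov ebp, esp
            sp -= 4
            stack.write32(sp, ebp)
            ebp = sp
        else:                                 # FPO code: ebp is just another register
            ebp = SCRATCH_EBP
        if i + 1 < len(funcs):                # `call` into the next function pushes fn.pc
            sp -= 4
            stack.write32(sp, fn.pc)
    return stack, funcs[-1].pc, ebp


def walk_ebp_chain(stack, eip, ebp, max_frames=20):
    """Return (frame addresses, stop reason); 20 is WinDbg's default .kframes count."""
    frames = [eip]
    prev_ebp = 0
    while True:
        if len(frames) >= max_frames:
            return frames, "frame limit"
        if ebp == 0:
            return frames, "end of chain"
        # A real frame pointer lies inside the stack and moves to higher addresses
        # as we unwind; anything else means ebp was not used as a frame pointer.
        if not stack.readable(ebp, 8) or ebp <= prev_ebp:
            return frames, "chain broken"
        saved_ebp = stack.read32(ebp)         # [ebp]   = caller's ebp
        frames.append(stack.read32(ebp + 4))  # [ebp+4] = return address
        prev_ebp, ebp = ebp, saved_ebp


def symbolize(frames):
    return [SYMBOLS.get(a, f"{a:#010x}") for a in frames]


def trace(dlgbox_uses_frame, max_frames=20):
    """Build the question-shaped stack and walk it; returns (symbol names, stop reason)."""
    funcs = [
        Func(0x004011A0, True),               # Ballmaster!WinMain (hypothetical)
        Func(0x028E52BF, dlgbox_uses_frame),  # DlgBox!Ordinal49
        Func(0x7600101B, True),               # USER32!CreateDialogIndirectParamA
        Func(0x7590200F, True),               # KERNELBASE!Sleep
        Func(0x75901099, True),               # KERNELBASE!SleepEx
        Func(0x77A1000C, True),               # ntdll!NtDelayExecution (leaf)
    ]
    stack, eip, ebp = build_stack(funcs)
    frames, why = walk_ebp_chain(stack, eip, ebp, max_frames)
    return symbolize(frames), why


if __name__ == "__main__":
    for label, ok in (("every frame keeps ebp", True), ("DlgBox frame is FPO", False)):
        names, why = trace(ok)
        print(f"{label} -> stopped: {why}")
        for n in names:
            print("   ", n)
    names, why = trace(True, max_frames=3)
    print(f"max_frames=3 -> stopped: {why}, {len(names)} frames shown")
```

The second run is the situation in the question: the return address into DlgBox is still recoverable (it sits in the USER32 frame), so that frame is displayed, but DlgBox's own [ebp] slot holds a data value, so the walker cannot find the executable's frame and stops. Raising .kframes only helps in the third case, where the chain is intact and merely truncated by the display limit.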