所以我尝试了下面使用 RtlLookupFunctionEntry 并进行栈展开的做法,但这会导致堆栈损坏。有人成功让它正常工作吗?
// Fragment of a manual x64 stack walk: capture a thread's register context,
// look up the unwind data for the current Rip, then step the context one
// frame towards the caller. The declarations of hThread, context, info2,
// unwindtbl, ef and hd are not part of this snippet.
//
// NOTE(review): only the tail of the GetThreadContext call is shown (the
// closing parenthesis is unbalanced). Per the Win32 documentation,
// context.ContextFlags must be set before the call and the target thread must
// be suspended; otherwise the captured registers are not a reliable starting
// point for unwinding. Confirm both happen in the code that was left out.
GetThreadContext(hThread, &context))
// NOTE(review): the variable is declared as `Id` but `&id` is passed below,
// and the instruction pointer is stored in `ip` while `iPointer` is passed.
// C/C++ identifiers are case-sensitive, so as pasted these are different
// names; verify against the real source.
FunctionID Id = 0;
ip=(LPCBYTE)context.Rip;
// Ask the profiling interface which function contains this address.
// funcResult is not checked anywhere in the visible lines.
HRESULT funcResult = info2->GetFunctionFromIP(iPointer, &id);
// Out-parameter for RtlLookupFunctionEntry (image base of the module that
// contains Rip). base is an integer (ULONG64), so 0 would state the intent
// more clearly than NULL.
ULONG64 base = NULL;
PRUNTIME_FUNCTION func;
// Look up the RUNTIME_FUNCTION (unwind metadata) covering context.Rip.
// A NULL result means no function-table entry was found for that address.
func= RtlLookupFunctionEntry(context.Rip,
&base, &unwindtbl);
if (!func)
{
// No unwind entry: the frame is treated as a leaf function, i.e. the return
// address is assumed to sit at [Rsp]. It is loaded into Rip and popped.
// NOTE(review): Rsp is dereferenced without any validation. If the context is
// stale, or the address belongs to code that simply has no registered
// function table (presumably possible for dynamically generated code - TODO
// confirm), the value read here is not a return address and every later
// frame is walked from garbage.
context.Rip = (ULONG64)(*(PULONG64)context.Rsp);
context.Rsp += 8;
}
else
{
// Clear the establisher-frame and handler-data outputs before the call.
ef = 0;
hd = NULL;
// Virtually unwind one frame: context is updated in place to the caller's
// register state. The first argument 0 is the handler type (no handler
// requested) and the final NULL omits the optional context-pointers record.
// NOTE(review): no check of the resulting context.Rip (e.g. for 0) and no
// loop bound is visible in this fragment; the snippet ends inside this block.
RtlVirtualUnwind(0, base, context.Rip, func,
&context, &hd,&ef,NULL);