Win32 API 日本語リファレンス

RtlLookupFunctionEntry

関数
指定アドレスに対応するx64関数テーブルエントリを検索する。該当するエントリが無い場合(アンワインド情報を持たないリーフ関数など)は NULL が返るため、戻り値は参照する前に NULL チェックすること。
DLL: KERNEL32.dll / 呼出規約: winapi

シグネチャ

// KERNEL32.dll
#include <windows.h>

/*
 * Looks up the x64 function-table entry that corresponds to ControlPc.
 * ImageBase is an out parameter and HistoryTable is optional (may be NULL).
 * NOTE(review): per the Windows SDK documentation the result is NULL when no
 * entry covers ControlPc (e.g. a leaf function without unwind data), so test
 * the return value before dereferencing it.
 */
IMAGE_RUNTIME_FUNCTION_ENTRY* RtlLookupFunctionEntry(
    ULONGLONG ControlPc,
    ULONGLONG* ImageBase,
    UNWIND_HISTORY_TABLE* HistoryTable   // optional
);

パラメーター

名前 | 型 | 方向
ControlPc | ULONGLONG | in
ImageBase | ULONGLONG* | out
HistoryTable | UNWIND_HISTORY_TABLE* | in/out, optional

戻り値の型: IMAGE_RUNTIME_FUNCTION_ENTRY*

各言語での呼び出し定義

// KERNEL32.dll
#include <windows.h>

/*
 * C prototype: ControlPc is the address to look up, ImageBase is written by
 * the callee, HistoryTable is optional.
 * NOTE(review): the returned pointer is presumably NULL when no function-table
 * entry exists for ControlPc - check it before use.
 */
IMAGE_RUNTIME_FUNCTION_ENTRY* RtlLookupFunctionEntry(
    ULONGLONG ControlPc,
    ULONGLONG* ImageBase,
    UNWIND_HISTORY_TABLE* HistoryTable   // optional
);
// P/Invoke declaration for RtlLookupFunctionEntry in KERNEL32.dll.
// The IntPtr result is a native IMAGE_RUNTIME_FUNCTION_ENTRY*.
// NOTE(review): compare the result with IntPtr.Zero before reading through it;
// the API presumably returns NULL when no entry covers ControlPc.
// NOTE(review): this page describes the API as x64-specific, so call it only
// from a 64-bit process - confirm the platform target.
[DllImport("KERNEL32.dll", ExactSpelling = true)]
static extern IntPtr RtlLookupFunctionEntry(
    ulong ControlPc,   // ULONGLONG
    out ulong ImageBase,   // ULONGLONG* out
    IntPtr HistoryTable   // UNWIND_HISTORY_TABLE* optional, in/out
);
' P/Invoke declaration for RtlLookupFunctionEntry in KERNEL32.dll.
' The IntPtr result is a native IMAGE_RUNTIME_FUNCTION_ENTRY*.
' NOTE(review): compare the result with IntPtr.Zero before reading through it;
' the API presumably returns NULL when no entry covers ControlPc.
<DllImport("KERNEL32.dll", ExactSpelling:=True)>
Public Shared Function RtlLookupFunctionEntry(
    ControlPc As ULong,   ' ULONGLONG
    <Out> ByRef ImageBase As ULong,   ' ULONGLONG* out
    HistoryTable As IntPtr   ' UNWIND_HISTORY_TABLE* optional, in/out
) As IntPtr
End Function
' ControlPc : ULONGLONG
' ImageBase : ULONGLONG* out
' HistoryTable : UNWIND_HISTORY_TABLE* optional, in/out
' The LongPtr result holds the native entry pointer.
' NOTE(review): 0 presumably means no entry was found - test for 0 before using it.
Declare PtrSafe Function RtlLookupFunctionEntry Lib "kernel32" ( _
    ByVal ControlPc As LongLong, _
    ByRef ImageBase As LongLong, _
    ByVal HistoryTable As LongPtr) As LongPtr
' Assumes VBA7 (PtrSafe). On 32-bit Office, LongPtr becomes Long. Integer = 16-bit / Long = 32-bit / LongLong = 64-bit.
' NOTE(review): LongLong is a declared type only in 64-bit VBA, and this page describes the API as x64-specific,
' so this Declare is presumably usable only in 64-bit Office - confirm.
import ctypes
from ctypes import wintypes

# Bind the KERNEL32 export and declare its prototype so ctypes marshals the
# 64-bit address and the pointer arguments at full width.
# NOTE(review): ctypes.windll caches the DLL and its function objects, so the
# restype/argtypes set below are shared by all code in the process that uses
# ctypes.windll.kernel32 - confirm that is acceptable.
RtlLookupFunctionEntry = ctypes.windll.kernel32.RtlLookupFunctionEntry
# With c_void_p as restype a NULL return arrives as None and a non-NULL one as
# an int address; check for None before using the value.
RtlLookupFunctionEntry.restype = ctypes.c_void_p
RtlLookupFunctionEntry.argtypes = [
    ctypes.c_ulonglong,  # ControlPc : ULONGLONG
    ctypes.POINTER(ctypes.c_ulonglong),  # ImageBase : ULONGLONG* out
    ctypes.c_void_p,  # HistoryTable : UNWIND_HISTORY_TABLE* optional, in/out
]
require 'fiddle'
require 'fiddle/import'

# Load KERNEL32.dll and wrap the export as a callable Fiddle::Function.
lib = Fiddle.dlopen('KERNEL32.dll')
# The negated type constant selects the unsigned variant (unsigned long long).
# TYPE_VOIDP as the return type yields an Integer address.
# NOTE(review): 0 presumably means no entry was found - check before use.
# NOTE(review): ImageBase is an out pointer, so the caller presumably has to
# pass a pointer to an 8-byte buffer - confirm.
RtlLookupFunctionEntry = Fiddle::Function.new(
  lib['RtlLookupFunctionEntry'],
  [
    -Fiddle::TYPE_LONG_LONG,  # ControlPc : ULONGLONG
    Fiddle::TYPE_VOIDP,  # ImageBase : ULONGLONG* out
    Fiddle::TYPE_VOIDP,  # HistoryTable : UNWIND_HISTORY_TABLE* optional, in/out
  ],
  Fiddle::TYPE_VOIDP)
// Raw FFI declaration; every call to it must be made inside an `unsafe` block.
// NOTE(review): UNWIND_HISTORY_TABLE and IMAGE_RUNTIME_FUNCTION_ENTRY are not
// declared in this snippet and must come from elsewhere.
// NOTE(review): the returned raw pointer is presumably null when no entry
// covers ControlPc - test it with is_null() before dereferencing.
#[link(name = "kernel32")]
extern "system" {
    fn RtlLookupFunctionEntry(
        ControlPc: u64,  // ULONGLONG
        ImageBase: *mut u64,  // ULONGLONG* out
        HistoryTable: *mut UNWIND_HISTORY_TABLE  // UNWIND_HISTORY_TABLE* optional, in/out
    ) -> *mut IMAGE_RUNTIME_FUNCTION_ENTRY;
}
// crates: windows-sys provides ready-made bindings for this API.
# C# P/Invoke signature that Add-Type compiles into the type Win32.KERNEL32_RtlLookupFunctionEntry.
$sig = @"
[DllImport("KERNEL32.dll")]
public static extern IntPtr RtlLookupFunctionEntry(ulong ControlPc, out ulong ImageBase, IntPtr HistoryTable);
"@
$api = Add-Type -MemberDefinition $sig -Name 'KERNEL32_RtlLookupFunctionEntry' -Namespace Win32 -PassThru
# $api::RtlLookupFunctionEntry(ControlPc, ImageBase, HistoryTable)
# NOTE(review): ImageBase is an `out` parameter, so it is presumably passed as a [ref] variable - confirm.
# NOTE(review): compare the IntPtr result with [IntPtr]::Zero before using it;
# the API presumably returns NULL when no entry covers ControlPc.
#uselib "KERNEL32.dll"
#func global RtlLookupFunctionEntry "RtlLookupFunctionEntry" sptr, sptr, sptr
; RtlLookupFunctionEntry ControlPc, varptr(ImageBase), varptr(HistoryTable)   ; the return value is in stat
; ControlPc : ULONGLONG -> "sptr"
; ImageBase : ULONGLONG* out -> "sptr"
; HistoryTable : UNWIND_HISTORY_TABLE* optional, in/out -> "sptr"
; Note: HSP3.7 does not support int64 arguments (passing a 64-bit value by value).
; Note: because HSP3.7 uses #func here, the return value is stored in the system variable stat.
; NOTE(review): ControlPc is declared as sptr because of that limitation; the 64-bit address and the
; pointer-sized return value are presumably truncated on a 32-bit runtime - confirm before relying on this variant.
出力引数:
#uselib "KERNEL32.dll"
#cfunc global RtlLookupFunctionEntry "RtlLookupFunctionEntry" int64, var, var
; res = RtlLookupFunctionEntry(ControlPc, ImageBase, HistoryTable)
; ControlPc : ULONGLONG -> "int64"
; ImageBase : ULONGLONG* out -> "var"
; HistoryTable : UNWIND_HISTORY_TABLE* optional, in/out -> "var"
; Note: output/buffer arguments use the var style (the variable is passed directly); the varptr style can be used instead.
; Note: passing int64 arguments by value to a DLL is supported only on the x64 runtime (hsp3_64); x86 is not supported.
; NOTE(review): res presumably is 0 when no entry covers ControlPc - check it before using the value as a pointer.
出力引数:
; IMAGE_RUNTIME_FUNCTION_ENTRY* RtlLookupFunctionEntry(ULONGLONG ControlPc, ULONGLONG* ImageBase, UNWIND_HISTORY_TABLE* HistoryTable)
#uselib "KERNEL32.dll"
#cfunc global RtlLookupFunctionEntry "RtlLookupFunctionEntry" int64, var, var
; res = RtlLookupFunctionEntry(ControlPc, ImageBase, HistoryTable)
; ControlPc : ULONGLONG -> "int64"
; ImageBase : ULONGLONG* out -> "var"
; HistoryTable : UNWIND_HISTORY_TABLE* optional, in/out -> "var"
; Note: output/buffer arguments use the var style (the variable is passed directly); the varptr style can be used instead.
; NOTE(review): HistoryTable is optional in the C prototype, but a var argument always passes a variable;
; how to omit it from this declaration is not shown here - confirm.
import (
	"golang.org/x/sys/windows"
	"unsafe"
)

var (
	// NewLazySystemDLL resolves a base name against the Windows system directory only,
	// so a same-named DLL in the working or application directory is not loaded.
	kernel32 = windows.NewLazySystemDLL("KERNEL32.dll")
	procRtlLookupFunctionEntry = kernel32.NewProc("RtlLookupFunctionEntry")
)

// ControlPc (ULONGLONG), ImageBase (ULONGLONG* out), HistoryTable (UNWIND_HISTORY_TABLE* optional, in/out)
// NOTE(review): ControlPc, ImageBase and HistoryTable are placeholders that this snippet does not declare.
// ImageBase is an out pointer: presumably the caller should pass uintptr(unsafe.Pointer(&imageBase)) for a
// local uint64, with the conversion written inside the Call argument list - confirm.
r1, _, err := procRtlLookupFunctionEntry.Call(
	uintptr(ControlPc),
	uintptr(ImageBase),
	uintptr(HistoryTable),
)
// Call always returns a non-nil error value built from GetLastError, so err != nil is not a failure test.
_ = err  // syscall.Errno (valid when the call sets last-error)
// NOTE(review): a zero r1 presumably means no entry covers ControlPc - check it before converting to a pointer.
_ = r1   // IMAGE_RUNTIME_FUNCTION_ENTRY*
// External declaration for RtlLookupFunctionEntry exported by KERNEL32.dll.
// ImageBase is an untyped Pointer here, so the caller supplies the address of a UInt64 that receives the value.
// NOTE(review): the Pointer result is presumably nil when no entry covers ControlPc - test it before dereferencing.
function RtlLookupFunctionEntry(
  ControlPc: UInt64;   // ULONGLONG
  ImageBase: Pointer;   // ULONGLONG* out
  HistoryTable: Pointer   // UNWIND_HISTORY_TABLE* optional, in/out
): Pointer; stdcall;
  external 'KERNEL32.dll' name 'RtlLookupFunctionEntry';
; Calls RtlLookupFunctionEntry through DllCall; the final "Ptr" is the return type.
; NOTE(review): ImageBase is passed as "Ptr", so it presumably has to hold the address of an 8-byte buffer
; that receives the value - confirm.
result := DllCall("KERNEL32\RtlLookupFunctionEntry"
    , "Int64", ControlPc   ; ULONGLONG
    , "Ptr", ImageBase   ; ULONGLONG* out
    , "Ptr", HistoryTable   ; UNWIND_HISTORY_TABLE* optional, in/out
    , "Ptr")   ; return: IMAGE_RUNTIME_FUNCTION_ENTRY*
; NOTE(review): result is presumably 0 when no entry covers ControlPc - check it before reading memory through it.
●RtlLookupFunctionEntry(ControlPc, ImageBase, HistoryTable) = DLL("KERNEL32.dll", "void* RtlLookupFunctionEntry(qword, void*, void*)")
# Call: RtlLookupFunctionEntry(ControlPc, ImageBase, HistoryTable)
# ControlPc : ULONGLONG -> "qword"
# ImageBase : ULONGLONG* out -> "void*"
# HistoryTable : UNWIND_HISTORY_TABLE* optional, in/out -> "void*"
# Nadesiko 1 is 32-bit and ANSI (Shift_JIS). Strings = char* (ANSI); pointers/handles = void* (4 bytes).
# NOTE(review): this page describes the API as an x64 function-table lookup, while Nadesiko 1 is 32-bit with
# 4-byte pointers; a 32-bit process presumably cannot use this declaration - confirm before relying on it.