What does kb show for 64 bit processes?

离开以前 2021-01-12 02:05

I have recently made a mistake analyzing a callstack, because I didn't expect the application to be 64 bit. I have used the WinDbg command kb to show the calls

2 answers
  •  南方客 (original poster)
    2021-01-12 02:23

    kb does list the stack back trace along with the three parameters; however, it's the parameter passing mechanism (calling convention) which doesn't make the arguments displayed trustworthy. You must read more @ http://www.codemachine.com/article_x64deepdive.html

    dv and all other variants (dv /v, etc.) may all show garbage values. Only in the case of __thiscall can we use rcx as a this pointer, but we must disassemble and ensure the pointer was not backed up somewhere else and then reused. Disassembly is the way to go unless we have homed parameters.
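
Added example, not part of the original answer and not WinDbg's own code: a simplified Python model of why the argument columns are unreliable on x64 unless parameters are homed. It assumes the Microsoft x64 convention (first four integer arguments in rcx, rdx, r8, r9, with 32 bytes of home space reserved by the caller); the `Stack` class, the 0xCC filler, the argument values and the return address are all constructed.

```python
import struct

QWORD = 8
REGS = ("rcx", "rdx", "r8", "r9")     # integer argument registers, Microsoft x64
STALE = 0xCCCCCCCCCCCCCCCC            # constructed filler standing in for old stack data

class Stack:
    """Constructed model of a thread stack: flat buffer, rsp grows downward."""
    def __init__(self, size=256):
        self.mem = bytearray(b"\xCC") * size
        self.rsp = size

    def write(self, addr, value):
        struct.pack_into("<Q", self.mem, addr, value)

    def read(self, addr):
        return struct.unpack_from("<Q", self.mem, addr)[0]

def call(stack, args, ret_addr, callee_homes):
    """Model one call: args travel in registers, caller only reserves home space."""
    regs = dict(zip(REGS, args))
    stack.rsp -= 4 * QWORD                 # 32 bytes of home space, left unwritten
    stack.rsp -= QWORD                     # CALL pushes the return address
    stack.write(stack.rsp, ret_addr)
    if callee_homes:                       # prologue spills registers to home slots
        for i, name in enumerate(REGS):
            if name in regs:
                stack.write(stack.rsp + QWORD * (i + 1), regs[name])
    return stack.rsp, regs                 # rsp at callee entry, live registers

def kb_style_args(stack, entry_rsp, count=3):
    """Read the slots just above the return address, as a kb-like column would."""
    return [stack.read(entry_rsp + QWORD * (i + 1)) for i in range(count)]

def demo(callee_homes):
    stack = Stack()
    entry_rsp, regs = call(stack, [0x1111, 0x2222, 0x3333], 0x7FF600001234, callee_homes)
    return kb_style_args(stack, entry_rsp), regs

if __name__ == "__main__":
    for homed in (True, False):
        shown, regs = demo(homed)
        print("homed" if homed else "not homed",
              [hex(v) for v in shown], "rcx =", hex(regs["rcx"]))
```

In the non-homed case the slots still hold whatever was on the stack before, while the real first argument exists only in rcx at function entry, which is why the answer points to disassembly to track where the register value went.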
