关于调用栈一个函数ObpPushStackInfo

kd> !obtrace 0xfa96f700(对象地址)
Object: fa96f700        Image: cmd.exe
Sequence  (+/-)  Stack
--------  -----  ---------------------------------------------------
2421d    +1  nt!ObCreateObject+180
nt!NtCreateEvent+92
nt!KiFastCallEntry+104
nt!ZwCreateEvent+11
win32k!UserThreadCallout+6f
win32k!W32pThreadCallout+38
nt!PsConvertToGuiThread+174
nt!KiBBTUnexpectedRange+c
2421e    -1  nt!ObfDereferenceObject+19
nt!NtCreateEvent+d4
nt!KiFastCallEntry+104
nt!ZwCreateEvent+11
win32k!UserThreadCallout+6f
win32k!W32pThreadCallout+38
nt!PsConvertToGuiThread+174
nt!KiBBTUnexpectedRange+c

.......(还有)

!obtrace这个命令cmd,exe调用栈上的信息。sequence指操作的先后顺序。+表示 (a reference operation)—不知道怎么翻译好。-表示 (a dereferenc operation)。—（前面的来自 ddk)

USHOR
4000
T
RtlCaptureStackBackTrace(   //捕捉栈回溯信息
__in ULONG  FramesToSkip,//要跳过几个(栈)结构
__in ULONG  FramesToCapture,//要捕捉几个结构
__out_ecount(FramesToCapture) PVOID  *BackTrace,//用来保存信息的数组
__out_opt PULONG  BackTraceHash
);
VOID ObpPushStackInfo(IN PVOID Object, UNKNOWN1,UNKNOWN2,ULONG Tag)
{
PVOID BackTrace[15];
memset(BackTrace,0,15*sizeof(PVOID));
if(KeAreInterruptsEnabled())  //je ox7d
{
if(KeGetCurrentIrql()<=DISPATCH_LEVEL)  //0X2b    ja 0x7d
{
if(RtlCaptureStackBackTrace(1,10h,BackTrace,0)>=1) //0x35  jb 0x7d
{
InterlockedIncr(&ObpStackSequence);  //0x4a
if(TRUE==MmCanThreadFault())   //jne 0x78 先'暂停'线程，然后'push'相关信息，不然会有新的调用信息产生使获取的数据不准确
{
ObpPushRefDerefInfo(Object,UNKNOW1,UNKNOW2,2,BackTrace,Tag); //0x71 jmp 7d
}
else
{
ObpDeferPushRefDerefInfo(Object,UNKNOWN1,UNKNOW2,2,BackTrace,Tag);
}
}
}
}
return ; //0x7d
}
BOOLEAN MmCanThreadFault()
{ //KeGetCurrentThread()   0X284  在Ethread结构里,它的第一个成员是Kthread
if((KeGetCurrentIrql()<=DISPATCH_LEVEL)&&!(Ethread->SameThreadPassiveFlags&4)
&&(KeGetCurrentThread()!=MiWorkingSetThread)&&!(Ethread->SameThreadApcFlags&(0f01f8h)
&&!(Ethread->SameThreadApcFlags&(0ffc0h))
{
return TRUE;
}
else
{
return FALSE;
}
}