On Fri Jul 4 19:30:36 2025 +0000, Yuxuan Shui wrote:
Do you mean `RtlVirtualUnwind` or `RtlUnwindEx`? I was using the latter. I don't know how to inspect the registers when `RtlVirtualUnwind` is unwinding a frame.
There is a difference between unwind per se and executing an exception handler: no problem to do the unwind (let's use "unwind" strictly as establishing the target frame context, and if you are going to jump there, it is not unwind, it is executing a handler or a sort of long jump). But to do the actual jump correctly it would need to pop the kernel-side frame somehow; apparently that is not possible to do on Windows either, if your results were about executing a handler.
The easiest is probably to look at the RtlWalkFrameChain() Wine implementation. RtlVirtualUnwind2() doesn't jump anywhere there, and while it is not used in RtlWalkFrameChain, the effect of unwinding is that the context passed to RtlVirtualUnwind should get all the non-volatile registers set to the values corresponding to the destination frame / ip.