
Recipe: Incident call tree writer

Build a structured call tree from raw stack traces captured during security incidents. Normalize addresses, resolve symbols, and emit a JSON artifact ready for diffing against known-good baselines.

Ingredients

  • Raw minidump or .txt stack trace
  • PE/PDB symbol cache (local or SMB share)
  • addr2line or dbghelp.dll binding
  • Baseline call tree JSON for comparison

Steps

  1. Parse the trace: extract module base, offset, and thread ID per frame.
  2. Normalize addresses by subtracting the module load base from each offset.
  3. Resolve symbols using the symbol cache; fall back to <unknown> with a hex offset.
  4. Build a tree keyed by thread ID, with ordered frame arrays under each thread.
  5. Serialize to JSON and write to incidents/<id>/call_tree.json.
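Steps 1 to 5 carried through end to end, as an added example that is not part of the original recipe: the line-oriented trace format, the module base table, the in-memory symbol cache standing in for addr2line/dbghelp, and every module and symbol name are constructed assumptions. The offset field holds the symbol-relative offset when a symbol resolves and the module-relative address otherwise.

```python
import json
import re
from pathlib import Path

# Constructed sample trace (not from a real incident). Module lines give the
# load base; frame lines give an absolute address and the owning module.
SAMPLE_TRACE = """\
Module ntdll.dll base=0x7ffc1a000000
Module kernel32.dll base=0x7ffc19e00000
Module unknown.dll base=0x7ff600000000
Thread 0
  0x7ffc1a0a5010 ntdll.dll
  0x7ffc19e21ab0 kernel32.dll
Thread 1
  0x7ffc1a0a5010 ntdll.dll
  0x7ff600001234 unknown.dll
"""

# Stand-in for the PE/PDB symbol cache: module -> [(rva, symbol), ...].
# Assumption: a real build fills this from PDBs via addr2line or dbghelp.
SYMBOL_CACHE = {
    "ntdll.dll": [(0xA5000, "NtWaitForSingleObject"), (0xA5100, "NtClose")],
    "kernel32.dll": [(0x21A00, "WaitForSingleObjectEx")],
}

MODULE_RE = re.compile(r"^Module (?P<name>\S+) base=0x(?P<base>[0-9a-fA-F]+)$")
THREAD_RE = re.compile(r"^Thread (?P<tid>\d+)$")
FRAME_RE = re.compile(r"^\s+0x(?P<addr>[0-9a-fA-F]+) (?P<module>\S+)$")


def resolve(module, rva):
    """Step 3: nearest symbol at or below rva, else <unknown> with the rva."""
    best = None
    for start, name in SYMBOL_CACHE.get(module, []):
        if start <= rva and (best is None or start > best[0]):
            best = (start, name)
    return ("<unknown>", rva) if best is None else (best[1], rva - best[0])


def build_call_tree(incident_id, trace_text):
    """Steps 1, 2 and 4: parse, normalize, and group frames by thread ID."""
    bases, threads, tid = {}, {}, None
    for line in trace_text.splitlines():
        if m := MODULE_RE.match(line):
            bases[m["name"]] = int(m["base"], 16)
        elif m := THREAD_RE.match(line):
            tid = m["tid"]
            threads[tid] = []  # frames stay in capture order
        elif (m := FRAME_RE.match(line)) and tid is not None:
            module = m["module"]
            rva = int(m["addr"], 16) - bases[module]  # step 2: strip load base
            symbol, off = resolve(module, rva)
            threads[tid].append({"module": module, "symbol": symbol, "offset": hex(off)})
    return {"incident_id": incident_id, "threads": threads}


def write_call_tree(tree, root="incidents"):
    """Step 5: write incidents/<id>/call_tree.json and return its path."""
    path = Path(root) / tree["incident_id"] / "call_tree.json"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(tree, indent=2))
    return path
```

Because the JSON keys and frame order are deterministic, two runs over the same trace produce byte-identical files, which is what makes a plain diff against the baseline meaningful.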

Output schema

{
  "incident_id": "string",
  "threads": {
    "0": [
      { "module": "ntdll.dll", "symbol": "NtWaitForSingleObject", "offset": "0x10" }
    ]
  }
}