
libdrakvuf: check return context error for Windows

Status: Open. skvl opened this issue 3 years ago • 0 comments

It has been noticed that some return hooks are not triggered. E.g. for the apimon and procmon plug-ins there was a lack of return callbacks for CreateWindowExW and NtCreateUserProcess in some cases.

After digging into the error I have found that on return hook setup (e.g. in procmon.cpp:create_user_process_hook) and on return hook hit (in procmon.cpp:process_creation_return_hook) the RSP is the same.

Target RSP is special for return hooks and injection return hooks. On function call (for x86_64 architecture) the stack looks like this:

     ...
     +0x10 | home space 2 |
     +0x8  | home space 1 |
     +0x0  | ret addr     | <- RSP
     -0x8  | FRAME START  | <- Called function frame

After hitting the "ret addr" the stack should point to "RSP+0x8". Though in some cases one can see that at that time the current RSP equals the saved RSP.

I could suggest that there is some trick in the Intel VMX part. I mean that it is possible that the VM-exit event occurs on the RIP update but before the RSP increase.

Though in Intel SDM volume 2 there is a logical representation of RET. And as far as I understand, `RIP := Pop();` means that the CPU first pops the value (thus increasing the RSP) and then updates the RIP. Maybe I look into this in too formal a fashion?

skvl avatar Apr 23 '21 08:04 skvl
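The stack invariant the issue describes, shown as an added example that is not DRAKVUF's own code: a constructed model of an x86-64 stack region executes CALL and RET with the SDM semantics quoted above (RET is `RIP := Pop()`, so RSP is incremented by 8 before RIP changes), an entry hook records the RSP that holds the return address, and a hypothetical `return_context_ok` check accepts the return trap only when the caller's RSP equals the saved RSP plus 8. The second simulation models the state reported in the issue, RIP already at the return address while RSP still equals the saved value, and shows that such a trap is rejected by that check. All addresses are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an x86-64 stack region: 8-byte slots, growing down.
 * All addresses and values here are made up for the demonstration. */
#define WORD        8
#define STACK_SLOTS 64
#define STACK_BASE  0x7ffe0000u          /* guest address of slot 0 (constructed) */

typedef struct {
    uint64_t rip;
    uint64_t rsp;
    uint8_t  mem[STACK_SLOTS * WORD];    /* backing store for [STACK_BASE, STACK_BASE + 512) */
} cpu_t;

static void write64(cpu_t *c, uint64_t addr, uint64_t v)
{
    memcpy(&c->mem[addr - STACK_BASE], &v, WORD);
}

static uint64_t read64(const cpu_t *c, uint64_t addr)
{
    uint64_t v;
    memcpy(&v, &c->mem[addr - STACK_BASE], WORD);
    return v;
}

/* CALL: push the address of the next instruction, then jump (SDM semantics). */
static void do_call(cpu_t *c, uint64_t target, uint64_t insn_len)
{
    c->rsp -= WORD;
    write64(c, c->rsp, c->rip + insn_len);
    c->rip = target;
}

/* RET as described in the SDM: RIP := Pop(). The pop reads the return address
 * at [RSP] and increments RSP by 8; only then is RIP updated. */
static void do_ret(cpu_t *c)
{
    uint64_t ret_addr = read64(c, c->rsp);
    c->rsp += WORD;
    c->rip = ret_addr;
}

/* Hypothetical return-context check, modelled on the issue text (not DRAKVUF's
 * own function): at function entry the hook records RSP (which points at the
 * return address); when the trap at that address fires, the caller's RSP must
 * be saved_rsp + 8, because RET popped the return address. */
static bool return_context_ok(uint64_t saved_rsp, uint64_t current_rsp)
{
    return current_rsp == saved_rsp + WORD;
}

/* Simulate CALL -> entry hook -> RET -> return trap, and report whether the
 * return-context check would accept the trap.  When rsp_not_yet_popped is
 * true, the trap is modelled as firing with RIP already at the return address
 * but RSP still equal to the saved value, the situation reported in the issue. */
static bool simulate_return_hook(bool rsp_not_yet_popped)
{
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.rip = 0x401000;                              /* caller address, constructed */
    c.rsp = STACK_BASE + (STACK_SLOTS / 2) * WORD; /* somewhere mid-region */

    do_call(&c, 0x402000, 5);                      /* 5-byte CALL rel32 to a constructed callee */

    /* Entry hook: remember where the return address lives and what it is. */
    uint64_t saved_rsp = c.rsp;
    uint64_t ret_addr  = read64(&c, c.rsp);

    uint64_t trap_rip, trap_rsp;
    if (rsp_not_yet_popped) {
        /* Hypothetical intermediate state: RIP updated, RSP not yet incremented. */
        trap_rip = ret_addr;
        trap_rsp = c.rsp;
    } else {
        do_ret(&c);                                /* architectural RET */
        trap_rip = c.rip;
        trap_rsp = c.rsp;
    }

    bool ok = (trap_rip == ret_addr) && return_context_ok(saved_rsp, trap_rsp);
    printf("trap at rip=%#llx rsp=%#llx saved_rsp=%#llx -> %s\n",
           (unsigned long long)trap_rip, (unsigned long long)trap_rsp,
           (unsigned long long)saved_rsp, ok ? "accepted" : "rejected");
    return ok;
}

int main(void)
{
    simulate_return_hook(false);   /* accepted: RSP == saved_rsp + 8 */
    simulate_return_hook(true);    /* rejected: RSP == saved_rsp */
    return 0;
}
```

The check is deliberately strict (equality with saved RSP + 8) to make the point of the diagram visible; a real hypervisor-side check also has to match the process and thread of the trap, which this model leaves out.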