C + + function call process in-depth analysis < go >

Transfer from http://blog.csdn.net/dongtingzhizi/article/details/6680050

In-depth analysis of C + + function call process

Brother

Weibo:-bing son of the dongting

0. Introduction

　　The process of a function call is actually a process of interruption, so how does a function call be implemented in C + +? How to implement parameters in the stack, function jump, protection site, reply to the scene? In this paper, the procedure of function call is analyzed and explained in detail, and it is demonstrated in VC 6.0 environment. If the analysis is not in place or where there is a mistake, please make a comment, please contact the author.

First, the three commonly used registers to do a description, the EIP is the instruction pointer, that is, the address of the next command to be executed, EBP is a base point pointer, commonly used to refer to the stack, esp as a stack pointer, commonly used to point to the top of the stack.

Look at the following simple program and view and analyze the assembly code in VC 6.0.

Figure 1

1. Function calls

Assembly code for G_func function call 2:

Figure 2

The first is three push instructions, respectively, three parameters are pressed into the stack, you can find that the parameters of the stacking sequence is from right to left. At this point we can check the data in the stack to verify it. As shown in 3, from the real-time Register table on the right we can see the ESP (stack top pointer) value of 0X0012FEF0, and then found in the memory table from the memory address 0X0012FEF0, we can see in memory in order to store the 0x00000001 (that is, parameter 1), 0x00000002 (that is, Parameter 2), 0x00000003 (that is, Parameter 3), that is, the stack at the top of the store is three parameter values, indicating the success of the stack.

Figure 3

Then you can see that the call command jumps to address 0x00401005, so what's at that address? We continue to follow, in Figure 4 we see here is a jump instruction, jump to 0x00401030. We look at the address 0x00401030, in Figure 5 you can see that this is the real g_func function, 0x00401030 is the starting address of the function, so that the G_func function to achieve the jump.

Figure 4

Figure 5

2. Save the scene

At this point we look at the data in the stack, 6, at this time the ESP (stack top) value is 0X0012FEEC, in the memory table we can see that the top of the stack is 0x00401093, the following is the front of the stack parameters of the first-in-one, that is, after executing the call command, The system pushes a data (0x00401093) into the stack by default, so what is it? We can see that the address of an instruction following the 3,call instruction is 0x00401093, which is actually the address of the instruction that needs to be executed after the function call ends, and the function will jump to that address when it returns. This is what we often call the "protection scene" before the function is interrupted. This process is implicitly done by the compiler, in fact, the EIP (instruction pointer) stack, that is, implicitly execute a push EIP instruction, when the interrupt function returns and then pop the value from the stack to the EIP, the program continues to execute down.

Figure 6

Keep looking down, the first instruction after entering the G_FUNC function is the push EBP, which is going to the EBP into the stack. Because each function has its own stack area, the stack base address is not the same. Now that we have entered an interrupt function, the EBP register is also required during the function execution, and what about the EBP value of the main function before entering the function? In order not to be overwritten, it is pressed into the stack to be saved.

Next mov ebp, ESP takes the top address of the stack at this time as the stack base of the function, determines the stack area of the G_func function (EBP is the bottom of the stack, ESP is the top of the stack).

The next instruction is sub ESP, 48h, which literally means moving the top pointer upward by 48h Byte. Then why do you move it? What is this middle memory area for? This area is space spaced, separating the stack area of two functions by a distance, as shown in 7. The interval size is fixed at 40h, or 64Byte, and then the area of memory that stores local variables is reserved. The G_func function has two local variables x and y, so the length of the ESP to be moved is 40h+8=48h.

Figure 7

The next few lines of instruction (below) are to assign a value of 0CCCCCCCCh to the memory area of the 48h that was just left out.

00401039 Lea edi,[ebp-48h]

0040103C mov ecx,12h

00401041 mov eax,0cccccccch

00401046 Rep stos dword ptr [edi].

The next three stack instructions, respectively, Ebx,esi,edi into the stack, which is also part of the "protection scene", these are part of the main function to perform some data. The Ebx,esi,edi is the base register, the source variable address register, and the destination variable address register.

3. Executing sub-functions

Keep looking down, then the assignment of the X and y of the local variable, and see how the assembly instruction calculates the memory address of X and Y. 8, is calculated based on the EBP, respectively [ebp-4] and [ebp-8]. We look at the memory table to see that the corresponding memory area has been deposited in 0x11111111 and 0x22222222.

Figure 8

At this point we should be very clear about what is stored in the entire memory area (9).

Figure 9

4. Recovery site

Now that the code for the Child function section has been executed, continue looking down and the compiler will do some post-processing work (10). The first is a three-stack instruction that reads the values of Edi,esi and ebx from the top of the stack, respectively. From the memory data distribution in Figure 9 we can tell that the data at the top of the stack is indeed Edi,esi and ebx, which restores the Edi,esi and EBX values before the call, which is part of "recovery site".

Figure 10

The fourth instruction is MOV esp, EBP is about to assign the value of EBP to esp. So what does that mean? Looking at the memory data distribution in Figure 9, we can understand that this statement is to let ESP point to the memory unit that EBP refers to, that is, to let esp skip an area, it is clear that the skip is exactly the interval area and the local data region, because the function has exited, both areas are useless. This statement is actually the opposite of the statement sub ESP, 48h that creates the interval area when the function is entered.

Further down is the pop ebp, we can see from the memory data distribution in Figure 9 that the top of the stack is indeed the pre-EBP value of the store, so it restores the EBP value before the call, which is part of the "recovery site". After the instruction is executed, the memory data is distributed in 11.

Figure 11

And then down is a ret instruction, that is, the return instruction, what will he do with it? Note the ESP value and the EIP value (12) before the RET instruction is executed, the value of the 0X00401093,EIP that the ESP points to the top of the stack is 0x0040105c (the address of the RET Directive).

Figure 12

After executing the RET instruction we will look at the ESP and EIP values (13), when ESP is 0012FEF0, which moves down 4Byte. Obviously, the compiler implicitly executes a pop instruction here. Take a look at the value of the EIP, become 0x00401093, how this value is so familiar with it! It is actually the 4Byte data at the top of the stack, so the implied instructions here should be the pop EIP. And this value is the address of the next instruction of call, which is referred to earlier, and is pressed ahead of the calling command. As can be seen from Figure 13, it is because the value of the EIP becomes 0x00401093, so the program jumps to an instruction behind the call instruction and goes back to where it was before the break, which is called a recovery breakpoint.

Figure 13

It's not completely over yet, and there's the last instruction add ESP, 0Ch. This is quite simple, as you can see from figure 13 that the data at the top of the stack is now three-in-one, which is the three arguments that were pressed before the function call. This is the function has been executed, obviously these three parameters are useless. So add ESP, 0Ch is the top of the stack to move the pointer down the 12Byte position. Why is 12Byte, very simple, because into the stack is 3 int data. This way, because all the data that the function call adds to the stack is cleared, the stack top pointer (ESP) really returns to the position before the function call, and the value of all registers is restored before the function call.

End!

C + + function call process in-depth analysis < go >