Functions of mov EDI and EDI at the beginning of the Function

When debugging the code of the function from the system database, the system function always starts with an mov EDI and EDI command. Next, the code for setting up the local stack of the function is standard. Disassemble the system DLL, such as NTDLL. dll. You can find that this is true for each of its export functions, and the mov EDI at the beginning of each export function followed by five NOP commands on the EDI. For example, view the code around textouta in windbg:
0: 000> U TextOutA-0x0a L 10
GDI32! Ntgditransparentblt + 0xa:
77efc43f ff12 call dword ptr [edX]
77efc441 c22c00 RET 2ch
77efc444 90 NOP
77efc445 90 NOP
77efc446 90 NOP
77efc447 90 NOP
77efc448 90 nop
GDI32! TextOutA:
77efc449 8bff mov edi, edi
77efc44b 55 push ebp
77efc44c 8bec mov ebp, esp
Obviously, if the two-byte mov edi and EDI commands do nothing, there are two problems: first, why don't we start with the function body and start with a command that does nothing? Second, even if we need to empty two bytes at the beginning of the function, why not use the two NOP commands instead of using the MOV command? After reading some materials online, I got the answer:
The answer to the first question is to implement the hot-patching technology, that is, to modify the behavior of a function at runtime. The modification process is as follows: Change mov edi and EDI to a short jump command (a short jump command is exactly two bytes), and change mov edi, change the five NOP in EDI to a long jump command (one long jump command happens to be five bytes), and the short jump command jumps to the long jump command, the long jump command jumps to the modified function body.
The answer to the second question is to improve efficiency. It takes less time to execute an MOV command than to execute two NOP commands.

The following information is found on the Internet:
Http://blogs.msdn.com/ishai/archive/2004/06/24/165143.aspx
In this log, the author points out that this is a technology that implements hot-patching and hot-fix, and explains why the detours technology is not used to implement hot-patching. In addition, the author mentioned how to use this technology to implement hot-patching, but it is just a single sentence.

Http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx
In this article, the author explains in detail the efficiency and other aspects why hot-patching is used and why (short jump is extended jump instead of one-time long jump ).

Http://xelf.info/knowledge/MemoryCopy.cpp
The specific memcpy C language source code is provided here. If you select the source code for installing CRT when installing VC6, memcmp is available in the SRC/INTEL/directory of the VC installation directory. asm and other files, they are the source code of the corresponding CRT function, these source code also has a detailed comment.

In addition, EDI commands are confused in their own logs, but you only need to look at strcmp. the source code in asm can understand that the mov edi and EDI are completely aimed at four-byte memory alignment. Align 4 is written in the source code. At runtime, if a byte is required, a NOP command will be filled. If two bytes are required to be filled, a mov edi will be filled, the reason why EDI commands do not use two NOP commands is for efficiency consideration.