WIndows 64 stack frame structure

Source: Internet
Author: User

Small title

1.x64 under Disassembly

2. Debug the value of the register in the 64-bit 4 parameter

3. Debug 64-bit 5 parameters and multiple calls to the function stack when the stack area structure

Less than 4 parameters in 4.64-bit condition

1.x64 under Disassembly

The calling convention of the 64-bit function is all used fastcall, that is, the first 4 parameters are passed in sequence with RCX,RDX,R8,R9, and the extra parameters are from right to left.

x86 the stack frame is relatively clear, but the x64 bit under the stack frame data is very few. Then the structure of the familiar stack frame is adjusted.

int Add (int a,int b,int c,int d), int _tmain (int argc, _tchar* argv[]) {int a = 0; ADD (1,2,3,4); return 0;} int Add (int a,int b,int c,int d) {int xx = A+b+c+d;int yy = A+b-c-d;int zz =-a-b+c+d;return xx;}

Debug with Vs2010, 64-bit, open Register window, alt+8 disassembly

You can see that the 1,2,3,4 is placed in the register first, and then the call command is called, which can be decomposed into a reference to the next instruction, and then jmp to the function address

When the push command is executed, the RSP-8

000000013f931049  mov         r9d,4  000000013f93104f  mov         r8d,3  000000013f931055  mov         edx , 2  000000013f93105a  mov         ecx,1  000000013f93105f  call        Add (13f931005h)   //Command for push RIP    ; RSP-8                                                    //       jmp ADD

The disassembly code for the Add function is as follows:

You can see the first 4 sentences to assign the parameters passed in the register to rsp+8h,rsp+10h,rsp+18h,rsp+20h

If there are 4 extra parameters, the rest is placed in rsp+28h

Then save the front stack frame stack bottom, open up the stack area to save local variables, because is three variables 12 bytes, aligned memory is 16 bytes, sub rsp,10h

Initialize Stack area, rep stos directive

int Add (int a,int b,int c,int d) {000000013f251080 mov dword ptr [rsp+20h],r9d 000000013f251085 mov dwor D ptr [rsp+18h],r8d 000000013f25108a mov dword ptr [Rsp+10h],edx 000000013f25108e mov dword ptr [rsp+8 ],ECX 000000013f251092 Push RDI//save front stack rsp-8000000013f251093 sub rsp,10h//              Open Stack 16 bytes rsp-10h000000013f251097 mov rdi,rsp//new stack frame stack bottom RDI=RSP000000013F25109A mov ecx,4 Number of cycles 000000013f25109f mov eax,0cccccccch 000000013F2510A4 rep stos dword ptr [RDI]//rdi start assignment eax         The value of the Loop 4 times 000000013F2510A6 mov ecx,dword ptr [rsp+20h]//Here is the first parameter a int xx = A+B+C+D;000000013F2510AA mov Eax,dword ptr [b] 000000013f2510ae mov ecx,dword ptr [a] 000000013f2510b2 add Ecx,eax 000000013f2510b  4 mov eax,ecx 000000013f2510b6 add Eax,dword ptr [c] 000000013f2510ba add Eax,dword ptr [d]   000000013F2510BE mov      DWORD ptr [Rsp],eax//rsp save Xxint yy = A+B-C-D;000000013F2510C1 mov Eax,dword ptr [b] 000000013f2510c5 mov Ecx,dword ptr [a] 000000013f2510c9 add ecx,eax 000000013F2510CB mov eax,ecx 000000013f251 0CD Sub Eax,dword ptr [c] 000000013f2510d1 sub Eax,dword ptr [d] 000000013f2510d5 mov DWORD p         TR [Yy],eax//rsp+4 save Yyint zz =-A-B+C+D;000000013F2510D9 mov Eax,dword ptr [a] 000000013f2510dd neg  EAX 000000013f2510df Sub Eax,dword ptr [b] 000000013f2510e3 add Eax,dword ptr [C] 000000013f2510e7          Add Eax,dword ptr [d] 000000013F2510EB mov dword ptr [Zz],eax//rsp+8 save return XX;000000013F2510EF mov         Eax,dword PTR [RSP]//Save the return value in the EAX register}000000013F2510F2 add rsp,10h//restore open stack area 000000013f2510f6 pop                                        RDI//Restore the stack bottom of the pre-stack frame 000000013F2510F7 ret//pop rip pops the next command from the previously saved call to rip to continue execution  RSP-8 equals the value before calling call  

 

2. Debug the value of the register in the 64-bit 4 parameter

The following are the values of some registers in debugging

At this time the RSP and RDI are both the top and bottom of the _tmain function, alt+8 disassembly

At this point, the RSP passes the push rip in call minus 8,push EDI minus 8,sub rsp,10h altogether minus 20h

The RDI is assigned to RSP, which is the stack bottom of the current add

Rdi through the rep stos instruction to initialize the EAX median value to Rdi, 4*4 bytes, RDI after initialization plus 10h

At this point, we look at the memory situation as

The stack frame is as follows

3. Debug 64-bit 5 parameters and multiple calls to the function stack when the stack area structure

We're trying out the function call of the 5 parameter, and we know that the function will assign the value of the 4 registers to the area above the stack, to open up the 4*8=20h area, not to find the operation for the RSP when debugging

So guessing is the data that has opened up additional spatial storage parameters in the previous function.

int _tmain (int argc, _tchar* argv[]) {int a = 0; Sub (1,2,3,4,5); return 0;} int Add (int a,int b,int c,int d) {int xx = A+b+c+d;int yy = A+b-c-d;int zz =-a-b+c+d;return xx;} int Sub (int a,int b,int C , int d,int e) {int xx = A+b+e+d;int yy = A+b-c-d;int zz =-a-b+c+d; ADD (b,c,d,e); return xx;}

  

We use a sub () function of 5 arguments and call the Add function in the Sub function

Sub (1,2,3,4,5); 000000013F4F2EF9  mov         dword ptr [rsp+20h],5   //Current RSP + 20 is the location  after storing 4 parameters 000000013F4F2F01  mov         r9d,4  000000013f4f2f07  mov         r8d,3  000000013f4f2f0d  mov         edx,2  000000013f4f2f12  mov         ecx,1  000000013f4f2f17  call        Sub (13F4F100FH)  int Sub (int a,int b,int c,int d,int e) {000000013fc32fb0  mov         dword ptr [rsp+20h],r9d  //Current RSP is 8 before operation, So this position is the fifth parameter of the front one 000000013FC32FB5  mov         dword ptr [rsp+18h],r8d  000000013fc32fba  mov         DWORD ptr [Rsp+10h],edx  000000013fc32fbe  mov         dword ptr [rsp+8],ecx  000000013fc32fc2  push        rdi  000000013fc32fc3  Sub         rsp,30h     //This place is called by the Add function  to allocate additional 20h    Store 4 parameters 000000013fc32fc7  mov         rdi,rsp  000000013FC32FCA  mov         ecx,0ch  000000013FC32FCF  mov         eax,0cccccccch  000000013fc32fd4  Rep stos    dword ptr [RDI]  000000013fc32fd6  mov         ecx,dword ptr [rsp+40h]  

  

I called the above Add () function in the function, the result rsp-30 the stack space, this is in order to call add when the multi-open 4*8 Save 4 registers value in the stack.

Where local variables are stored in RSP + 20h, save Xx,yy,zz in sequence and 4 bytes useless

In the stack area of the Add function, we see the 20h address space in the sub's stack area, which stores the parameters passed to the register.

Less than 4 parameters in 4.64-bit condition

There is also the case of passing less than 4 parameters, which will also open up 4*8 areas

No passing parameters will also open up the 4*8 area.

WIndows 64 stack frame structure

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.