    An Experiment on the X64 Calling Convention

    I have not updated this blog for a long time; I have been rather busy lately. This post is copied from my OneNote, so it mixes Chinese and English. I wrote it for myself and am sharing it with everyone. No need to fuss over the language, as long as it can be understood. Heh.

    The conclusions below are very important; they are excerpted from Advanced Windows Debugging, page 606.

    Rcx: contains the 1st parameter passed to the function.

    Rdx: contains the 2nd parameter passed to the function.

    R8: contains the 3rd parameter passed to the function.

    R9: contains the 4th parameter passed to the function.

    Rax: contains the result of the function call.

    Rsp: is not so volatile; it is often used for local variable addressing.

    Rbp: because of the changed use of Rsp, Rbp becomes a general-purpose register in most functions.

    Functions with more than 4 parameters use the stack for all parameters beyond the 4th one. Those parameters are stored in the stack from right to left, with the rightmost parameter being stored at the highest address in the stack.

    The calling convention requires that the caller allocates the stack for all parameters passed by registers as if they were passed through the stack.

    The stack space allocated for the parameter passed by registers is neither used nor initialized by the caller but can be used by the called function as temporary storage.

    Those temporary storage locations are normally used to save the input parameters if any of the registers are needed for other purposes, such as calling another function.

    Experiment

    =======================

    Source Code

    [Source code screenshots clip_image001, clip_image002 and clip_image003 (test2.cpp) are not available in this copy.]

    Detailed Proof

    =====================

    CommandLine: "C:\Users\administrator.VSAT\Documents\Visual Studio 2010\Projects\test2\x64\Debug\test2.exe"

    Symbol search path is: C:\Users\administrator.VSAT\Documents\Visual Studio 2010\Projects\test2\x64\Debug

    Executable search path is:

    ModLoad: 00000001`3f240000 00000001`3f24e000 test2.exe

    ModLoad: 00000000`77c80000 00000000`77e2c000 ntdll.dll

    ModLoad: 00000000`77b60000 00000000`77c7f000 C:\Windows\system32\kernel32.dll

    ModLoad: 000007fe`fdf40000 000007fe`fdfac000 C:\Windows\system32\KERNELBASE.dll

    ModLoad: 00000000`0fd90000 00000000`0ff60000 C:\Windows\system32\MSVCR100D.dll

    (1404.1560): Break instruction exception - code 80000003 (first chance)

    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -

    ntdll!CsrSetPriorityClass+0x40:

    00000000`77d30fe0 cc int 3

    0:000> lm

    start end module name

    00000000`0fd90000 00000000`0ff60000 MSVCR100D (deferred)

    00000000`77b60000 00000000`77c7f000 kernel32 (deferred)

    00000000`77c80000 00000000`77e2c000 ntdll (export symbols) C:\Windows\SYSTEM32\ntdll.dll

    00000001`3f240000 00000001`3f24e000 test2 (deferred)

    000007fe`fdf40000 000007fe`fdfac000 KERNELBASE (deferred)

    0:000> .reload

    Reloading current modules

    .....

    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -

    0:000> lm

    start end module name

    00000000`0fd90000 00000000`0ff60000 MSVCR100D (deferred)

    00000000`77b60000 00000000`77c7f000 kernel32 (deferred)

    00000000`77c80000 00000000`77e2c000 ntdll (export symbols) C:\Windows\SYSTEM32\ntdll.dll

    00000001`3f240000 00000001`3f24e000 test2 (deferred)

    000007fe`fdf40000 000007fe`fdfac000 KERNELBASE (deferred)

    0:000> x test2!*called*

    *** WARNING: Unable to verify checksum for test2.exe

    00000001`3f242e90 test2!CalledFunction4 (int, int, int, int, int)

    00000001`3f242e50 test2!CalledFunction5 (int, int, int, int, int)

    0:000> lm

    start end module name

    00000000`0fd90000 00000000`0ff60000 MSVCR100D (deferred)

    00000000`77b60000 00000000`77c7f000 kernel32 (deferred)

    00000000`77c80000 00000000`77e2c000 ntdll (export symbols) C:\Windows\SYSTEM32\ntdll.dll

    00000001`3f240000 00000001`3f24e000 test2 C (private pdb symbols) c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\x64\debug\test2.pdb

    000007fe`fdf40000 000007fe`fdfac000 KERNELBASE (deferred)

    0:000> bp 00000001`3f242e90

    0:000> bp 00000001`3f242e50

    0:000> g

    Breakpoint 0 hit

    test2!CalledFunction4:

    00000001`3f242e90 44894c2420 mov dword ptr [rsp+20h],r9d ss:00000000`002dfc38=cccccccc

    0:000> uf

    Address expression missing from '<EOL>'

    0:000> uf .

    test2!CalledFunction4 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 13]:

    13 00000001`3f242e90 44894c2420 mov dword ptr [rsp+20h],r9d

    13 00000001`3f242e95 4489442418 mov dword ptr [rsp+18h],r8d

    13 00000001`3f242e9a 89542410 mov dword ptr [rsp+10h],edx

    13 00000001`3f242e9e 894c2408 mov dword ptr [rsp+8],ecx

    13 00000001`3f242ea2 57 push rdi

    13 00000001`3f242ea3 4883ec30 sub rsp,30h

    13 00000001`3f242ea7 488bfc mov rdi,rsp

    13 00000001`3f242eaa b90c000000 mov ecx,0Ch

    13 00000001`3f242eaf b8cccccccc mov eax,0CCCCCCCCh

    13 00000001`3f242eb4 f3ab rep stos dword ptr [rdi]

    13 00000001`3f242eb6 8b4c2440 mov ecx,dword ptr [rsp+40h]

    14 00000001`3f242eba 8b442460 mov eax,dword ptr [rsp+60h]

    14 00000001`3f242ebe 89442420 mov dword ptr [rsp+20h],eax

    14 00000001`3f242ec2 448b4c2458 mov r9d,dword ptr [rsp+58h]

    14 00000001`3f242ec7 448b442450 mov r8d,dword ptr [rsp+50h]

    14 00000001`3f242ecc 8b542448 mov edx,dword ptr [rsp+48h]

    14 00000001`3f242ed0 8b4c2440 mov ecx,dword ptr [rsp+40h]

    14 00000001`3f242ed4 e82ce1ffff call test2!ILT+0(?CalledFunction5YAHHHHHHZ) (00000001`3f241005)

    15 00000001`3f242ed9 b806000000 mov eax,6

    16 00000001`3f242ede 4883c430 add rsp,30h

    16 00000001`3f242ee2 5f pop rdi

    16 00000001`3f242ee3 c3 ret

    0:000> r

    rax=00000000cccccccc rbx=0000000000000000 rcx=0000000000000001

    rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc50

    rip=000000013f242e90 rsp=00000000002dfc18 rbp=0000000000000000

    r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb

    r11=00000000002df588 r12=0000000000000000 r13=0000000000000000

    r14=0000000000000000 r15=0000000000000000

    iopl=0 nv up ei pl nz na pe nc

    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202

    test2!CalledFunction4:

    00000001`3f242e90 44894c2420 mov dword ptr [rsp+20h],r9d ss:00000000`002dfc38=cccccccc

    0:000> bp 00000001`3f242ed4

    0:000> bl

    0 e 00000001`3f242e90 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 13] 0001 (0001) 0:**** test2!CalledFunction4

    1 e 00000001`3f242e50 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 8] 0001 (0001) 0:**** test2!CalledFunction5

    2 e 00000001`3f242ed4 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 14] 0001 (0001) 0:**** test2!CalledFunction4+0x44

    0:000> g

    Breakpoint 2 hit

    test2!CalledFunction4+0x44:

    00000001`3f242ed4 e82ce1ffff call test2!ILT+0(?CalledFunction5YAHHHHHHZ) (00000001`3f241005)

    0:000> r

    rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000001

    rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc10

    rip=000000013f242ed4 rsp=00000000002dfbe0 rbp=0000000000000000

    r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb

    r11=00000000002df588 r12=0000000000000000 r13=0000000000000000

    r14=0000000000000000 r15=0000000000000000

    iopl=0 nv up ei pl nz na pe nc

    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202

    test2!CalledFunction4+0x44:

    00000001`3f242ed4 e82ce1ffff call test2!ILT+0(?CalledFunction5YAHHHHHHZ) (00000001`3f241005)

    0:000> g

    Breakpoint 1 hit

    test2!CalledFunction5:

    00000001`3f242e50 44894c2420 mov dword ptr [rsp+20h],r9d ss:00000000`002dfbf8=cccccccc

    0:000> r

    rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000001

    rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc10

    rip=000000013f242e50 rsp=00000000002dfbd8 rbp=0000000000000000

    r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb

    r11=00000000002df588 r12=0000000000000000 r13=0000000000000000

    r14=0000000000000000 r15=0000000000000000

    iopl=0 nv up ei pl nz na pe nc

    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202

    test2!CalledFunction5:

    00000001`3f242e50 44894c2420 mov dword ptr [rsp+20h],r9d ss:00000000`002dfbf8=cccccccc

    0:000> uf .

    test2!CalledFunction5 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 8]:

    8 00000001`3f242e50 44894c2420 mov dword ptr [rsp+20h],r9d

    8 00000001`3f242e55 4489442418 mov dword ptr [rsp+18h],r8d

    8 00000001`3f242e5a 89542410 mov dword ptr [rsp+10h],edx

    8 00000001`3f242e5e 894c2408 mov dword ptr [rsp+8],ecx

    8 00000001`3f242e62 57 push rdi

    9 00000001`3f242e63 8b442418 mov eax,dword ptr [rsp+18h]

    9 00000001`3f242e67 8b4c2410 mov ecx,dword ptr [rsp+10h]

    9 00000001`3f242e6b 03c8 add ecx,eax

    9 00000001`3f242e6d 8bc1 mov eax,ecx

    9 00000001`3f242e6f 03442420 add eax,dword ptr [rsp+20h]

    9 00000001`3f242e73 03442428 add eax,dword ptr [rsp+28h]

    9 00000001`3f242e77 03442430 add eax,dword ptr [rsp+30h]

    10 00000001`3f242e7b 5f pop rdi

    10 00000001`3f242e7c c3 ret

    0:000> dq rsp

    00000000`002dfbd8 00000001`3f242ed9 cccccccc`cccccccc

    00000000`002dfbe8 cccccccc`cccccccc cccccccc`cccccccc

    00000000`002dfbf8 cccccccc`cccccccc cccccccc`00000005

    00000000`002dfc08 cccccccc`cccccccc 00000000`002dfc50

    00000000`002dfc18 00000001`3f242f34 cccccccc`00000001

    00000000`002dfc28 cccccccc`00000002 cccccccc`00000003

    00000000`002dfc38 cccccccc`00000004 cccccccc`00000005

    00000000`002dfc48 cccccccc`cccccccc 00000000`00000000

    Let's look at why the stack looks like this.

    [Stack layout diagrams clip_image004 and clip_image005 are not available in this copy.]

    0:000> bp 00000001`3f242e63

    0:000> g

    Breakpoint 3 hit

    test2!CalledFunction5+0x13:

    00000001`3f242e63 8b442418 mov eax,dword ptr [rsp+18h] ss:00000000`002dfbe8=00000002

    0:000> bl

    0 e 00000001`3f242e90 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 13] 0001 (0001) 0:**** test2!CalledFunction4

    1 e 00000001`3f242e50 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 8] 0001 (0001) 0:**** test2!CalledFunction5

    2 e 00000001`3f242ed4 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 14] 0001 (0001) 0:**** test2!CalledFunction4+0x44

    3 e 00000001`3f242e63 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 9] 0001 (0001) 0:**** test2!CalledFunction5+0x13

    0:000> r

    rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000001

    rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc10

    rip=000000013f242e63 rsp=00000000002dfbd0 rbp=0000000000000000

    r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb

    r11=00000000002df588 r12=0000000000000000 r13=0000000000000000

    r14=0000000000000000 r15=0000000000000000

    iopl=0 nv up ei pl nz na pe nc

    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202

    test2!CalledFunction5+0x13:

    00000001`3f242e63 8b442418 mov eax,dword ptr [rsp+18h] ss:00000000`002dfbe8=00000002
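As an added example (not the post's own code; its test2.cpp survives only in the screenshots), the C below reconstructs the two functions from the disassembly above and derives the [rsp+N] home-slot offsets and the caller's 30h stack reservation seen in the listing. The function bodies, the line-number mapping and the CalledFunction4(1,2,3,4,5) call are assumptions read off the registers and the dq stack dump.

```c
#include <stdio.h>

/* Reconstruction (assumed) of the two functions behind the disassembly.
 * Listing line 9 reads b, a, adds them, then adds c, d and e in turn. */
int CalledFunction5(int a, int b, int c, int d, int e)
{
    return a + b + c + d + e;
}

/* Listing line 14 reloads all five arguments from the home slots and passes
 * them on; e is stored at [rsp+20h], just past the caller's 32-byte shadow
 * space. Line 15 is the mov eax,6. */
int CalledFunction4(int a, int b, int c, int d, int e)
{
    CalledFunction5(a, b, c, d, e);
    return 6;
}

/* rsp-relative offset of parameter `index` (0-based) inside the callee once
 * its prologue has moved rsp down by `frame_adjust` bytes (push rdi = 8,
 * sub rsp,N = N). At entry [rsp] holds the return address, the four home
 * slots follow at rsp+8..rsp+20h, and stack arguments start at rsp+28h. */
unsigned param_slot_offset(unsigned index, unsigned frame_adjust)
{
    return 8 + 8 * index + frame_adjust;
}

/* Bytes a caller reserves for an outgoing call: one 8-byte slot per
 * argument, never fewer than the four shadow slots, rounded up to keep
 * rsp 16-byte aligned (assumes rsp is aligned before the sub, as it is
 * after the push rdi in CalledFunction4). */
unsigned caller_reserve(unsigned nparams)
{
    unsigned slots = nparams < 4 ? 4 : nparams;
    return (slots * 8 + 15) & ~15u;
}

int main(void)
{
    printf("CalledFunction4(1,2,3,4,5) = %d\n", CalledFunction4(1, 2, 3, 4, 5));
    /* CalledFunction4: push rdi + sub rsp,30h -> frame_adjust 0x38 */
    for (unsigned i = 0; i < 5; i++)
        printf("CalledFunction4 param %u at [rsp+%02Xh]\n", i, param_slot_offset(i, 0x38));
    /* CalledFunction5: only push rdi -> frame_adjust 8 */
    for (unsigned i = 0; i < 5; i++)
        printf("CalledFunction5 param %u at [rsp+%02Xh]\n", i, param_slot_offset(i, 8));
    printf("caller reservation for 5 args: %Xh\n", caller_reserve(5));
    return 0;
}
```

The offsets printed (40h..60h for CalledFunction4, 10h..30h for CalledFunction5) are exactly the operands of the mov instructions in the two uf listings.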

    Original article: https://www.cnblogs.com/awpatp/p/2536810.html