Analysis of Stack Changes in Win32 Program Functions (ZT)

xiaoxiao, 2021-03-06

Analysis of Stack Changes in Win32 Program Function Call

In classic assembly language tutorials, the use of the stack during a function call is a topic given particular emphasis. Today, with high-level languages ever more mature, few programs are written purely in assembly. Still, understanding how the stack moves during a function call helps us grasp how the program executes, which gives us a clear picture when programming and debugging.

I. Calling conventions

In Win32 there are two main calling conventions for functions.

1. __stdcall: a function called with the __stdcall convention has the following characteristics:

- Parameters are pushed from right to left.

- When the call returns, the stack is adjusted by the called function.

2. __cdecl: the __cdecl convention is the default calling convention for C/C++ functions. It has the following characteristics:

- Parameters are pushed from right to left.

- When the call returns, the stack is adjusted by the caller.

II. The Win32 function call process

1. Push the parameters: the arguments supplied by the caller are pushed onto the stack according to the calling convention above.

2. Push the breakpoint: when the program executes the CALL instruction, the address of the current statement is pushed onto the stack as the breakpoint (return) address.

3. Jump: EIP is set to the entry address of the called function.

4. MOV EBP, ESP: here EBP is used to locate the arguments the caller pushed onto the stack, and it also serves as a backup of the caller's stack pointer. Before this, PUSH EBP must be executed to save the original value of EBP.

5. SUB ESP, N: here N is the total size in bytes of the function's local variables plus an integer, typically 40. From this point on, ESP is the called function's stack pointer.

6. Initialize the N bytes of space between ESP and ESP-N: this initializes the stack memory used by the local variables; generally every byte is set to 0xCC. (This step is only present in DEBUG builds. Comment by Darkay Li.)

7. Execute the function body: the stack the function itself uses lies beyond the memory for all local variables, and there is a 40-byte isolation zone between the two.

8. Return: to guarantee a normal return, the function must balance its own use of the stack, so that at the moment of return the value of ESP is back to what it was before the function's first statement executed. Note that every PUSH has a corresponding POP.

The return sequence is as follows: MOV ESP, EBP

After this executes, ESP returns to the caller's stack, where the original EBP value is still pushed, together with the parameters stored at the time of the call.

Then the EBP value and the breakpoint address are popped. Under the __cdecl convention, control returns directly to the caller, and the caller is responsible for adjusting the stack to discard the parameters it pushed earlier; under __stdcall this work is done by the called function. (How is this difference reflected in the code?)

9. Sample program:

......
0040B8E8 PUSH 1                    ; push the parameter
0040B8EA CALL 00401028             ; call the function
......
00401028 JMP 0040B7C0              ; jump to the function entry
......
0040B7C0 PUSH EBP                  ; save EBP
0040B7C1 MOV EBP, ESP
0040B7C3 SUB ESP, 44H              ; set the function's stack pointer; this function has 4 bytes of local variables (int Para; int Localpara)
0040B7C6 PUSH EBX                  ; general-purpose register; also often used as a base register when computing memory addresses
0040B7C7 PUSH ESI                  ; ???
0040B7C8 PUSH EDI                  ; ???
0040B7C9 LEA EDI, [EBP-44H]
0040B7CC MOV ECX, 11H
0040B7D1 MOV EAX, 0CCCCCCCCH
0040B7D6 REP STOS DWORD PTR [EDI]  ; initialize the local-variable space
0040B7D8 MOV EAX, DWORD PTR [EBP+8]
0040B7DB MOV DWORD PTR [EBP-4], EAX
......
0040B7DE POP EDI                   ; pop the saved registers
0040B7DF POP ESI                   ; ???
0040B7E0 POP EBX                   ; ???
0040B7E1 MOV ESP, EBP              ; restore the caller's stack
0040B7E3 POP EBP                   ; pop the original EBP value
0040B7E4 RET 4                     ; return and adjust the stack upward by 4 bytes

This is the __stdcall convention, so the stack is adjusted by the called function (the RET 4 above), not by the caller.

The corresponding C code is as follows:

void __stdcall fun(int);

int main(void)
{
    /* ...... */
    fun(1);          /* PUSH 1 ; CALL 00401028 */
    /* ...... */
    return 0;
}

void __stdcall fun(int para)
{
    int localpara = para;   /* MOV EAX, [EBP+8] ; MOV [EBP-4], EAX */
    /* ...... */
}
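To make the frame layout and the __stdcall/__cdecl difference concrete, here is an added example (not from the original post) that replays the listing above on a constructed 32-bit stack model in C; the caller's EBP marker 0xAAAAAAAA, the return address 0x0040B8EF and the saved register values are placeholders, not values taken from a real run.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit stack model: memory is a small byte array, ESP/EBP are
   offsets into it, and the stack grows toward lower addresses. */
#define STACK_SIZE 0x100u
typedef struct { uint8_t mem[STACK_SIZE]; uint32_t esp, ebp; } cpu_t;

static void push(cpu_t *c, uint32_t v) { c->esp -= 4; memcpy(c->mem + c->esp, &v, 4); }
static uint32_t pop(cpu_t *c) { uint32_t v; memcpy(&v, c->mem + c->esp, 4); c->esp += 4; return v; }
static uint32_t rd(const cpu_t *c, uint32_t a) { uint32_t v; memcpy(&v, c->mem + a, 4); return v; }

/* What the frame looked like while fun() ran, and how ESP moved on return. */
typedef struct {
    uint32_t esp_after_ret, esp_after_cleanup;          /* ESP starts at STACK_SIZE */
    uint32_t param_at_ebp8, local_at_ebp_minus4, saved_ebp, ret_addr;
    uint8_t  fill_byte;                                 /* local space fun() never wrote */
} frame_t;

/* Replays the instruction sequence of the listing. stdcall=1 models RET 4;
   stdcall=0 models a plain RET followed by the caller's ADD ESP, 4. */
frame_t call_fun(int stdcall, uint32_t arg)
{
    cpu_t c; frame_t f;
    memset(&c, 0, sizeof c);
    c.esp = STACK_SIZE; c.ebp = 0xAAAAAAAAu;     /* caller's EBP: constructed marker */
    push(&c, arg);                               /* PUSH 1                    (caller) */
    push(&c, 0x0040B8EFu);                       /* CALL pushes the return address (constructed) */
    push(&c, c.ebp);                             /* PUSH EBP */
    c.ebp = c.esp;                               /* MOV EBP, ESP */
    c.esp -= 0x44;                               /* SUB ESP, 44H */
    push(&c, 0xB); push(&c, 0x5); push(&c, 0xD); /* PUSH EBX / ESI / EDI (constructed values) */
    memset(c.mem + c.ebp - 0x44, 0xCC, 0x44);    /* LEA EDI,[EBP-44H]; MOV ECX,11H; REP STOS 0CCCCCCCCH */
    uint32_t eax = rd(&c, c.ebp + 8);            /* MOV EAX, [EBP+8]: read the parameter */
    memcpy(c.mem + c.ebp - 4, &eax, 4);          /* MOV [EBP-4], EAX: localpara = para */
    f.param_at_ebp8       = rd(&c, c.ebp + 8);
    f.local_at_ebp_minus4 = rd(&c, c.ebp - 4);
    f.saved_ebp           = rd(&c, c.ebp);       /* [EBP]   holds the caller's EBP */
    f.ret_addr            = rd(&c, c.ebp + 4);   /* [EBP+4] holds the breakpoint (return) address */
    f.fill_byte           = c.mem[c.ebp - 8];    /* still 0xCC: the isolation zone below the local */
    pop(&c); pop(&c); pop(&c);                   /* POP EDI / ESI / EBX */
    c.esp = c.ebp;                               /* MOV ESP, EBP */
    c.ebp = pop(&c);                             /* POP EBP */
    pop(&c);                                     /* RET pops the return address ... */
    if (stdcall) c.esp += 4;                     /* ... and RET 4 also discards the parameter */
    f.esp_after_ret = c.esp;
    if (!stdcall) c.esp += 4;                    /* __cdecl: the caller executes ADD ESP, 4 */
    f.esp_after_cleanup = c.esp;
    return f;
}
```

Under __stdcall ESP is already back at STACK_SIZE when RET 4 finishes; under __cdecl it is still 4 bytes low until the caller's own ADD ESP, 4 runs, which is the difference the question in step 8 asks about.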

Please credit the original source when reposting: https://www.9cbs.com/read-91592.html
