It has been a long time since I updated this blog; I have been rather busy lately. This post is copied from my OneNote, so it mixes Chinese and English. It is a note for myself that I am also sharing with everyone. No need to fuss over the language, as long as you can follow it. Heh.


The following conclusions are very important; they are taken from <<Advanced Windows Debugging>>, page 606.

Rcx: contains the 1st parameter passed to the function.

Rdx: contains the 2nd parameter passed to the function.

R8: contains the 3rd parameter passed to the function.

R9: contains the 4th parameter passed to the function.

Rax: contains the result of the function call.

Rsp: is not so volatile; it is often used for local variable addressing.

Rbp: because of the change in the use of Rsp, Rbp becomes a general-purpose register in most functions.

Functions with more than 4 parameters use the stack for all parameters beyond the 4th one. Those parameters are stored on the stack from right to left, with the rightmost parameter being stored at the highest address on the stack.

The calling convention requires that the caller allocate stack space for all parameters passed by registers, as if they were passed through the stack.

The stack space allocated for the parameter passed by registers is neither used nor initialized by the caller but can be used by the called function as temporary storage.

Those temporary storage locations are normally used to save the input parameters if any of the registers are needed for other purposes, such as calling another function.


Experiment

=======================

Source Code

[Figure: source code screenshot 1 of 3 (image: X64 Calling Convention 的一个实验_f5)]

[Figure: source code screenshot 2 of 3 (image: X64 Calling Convention 的一个实验_f5_02)]

[Figure: source code screenshot 3 of 3 (image: X64 Calling Convention 的一个实验_f5_03)]

Detailed Proof

=====================

CommandLine: "C:\Users\administrator.VSAT\Documents\Visual Studio 2010\Projects\test2\x64\Debug\test2.exe"

Symbol search path is: C:\Users\administrator.VSAT\Documents\Visual Studio 2010\Projects\test2\x64\Debug

Executable search path is:

ModLoad: 00000001`3f240000 00000001`3f24e000 test2.exe

ModLoad: 00000000`77c80000 00000000`77e2c000 ntdll.dll

ModLoad: 00000000`77b60000 00000000`77c7f000 C:\Windows\system32\kernel32.dll

ModLoad: 000007fe`fdf40000 000007fe`fdfac000 C:\Windows\system32\KERNELBASE.dll

ModLoad: 00000000`0fd90000 00000000`0ff60000 C:\Windows\system32\MSVCR100D.dll

(1404.1560): Break instruction exception - code 80000003 (first chance)

*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -

ntdll!CsrSetPriorityClass+0x40:

00000000`77d30fe0 cc int 3

0:000> lm

start end module name

00000000`0fd90000 00000000`0ff60000 MSVCR100D (deferred)

00000000`77b60000 00000000`77c7f000 kernel32 (deferred)

00000000`77c80000 00000000`77e2c000 ntdll (export symbols) C:\Windows\SYSTEM32\ntdll.dll

00000001`3f240000 00000001`3f24e000 test2 (deferred)

000007fe`fdf40000 000007fe`fdfac000 KERNELBASE (deferred)

0:000> .reload

Reloading current modules

.....

*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -

0:000> lm

start end module name

00000000`0fd90000 00000000`0ff60000 MSVCR100D (deferred)

00000000`77b60000 00000000`77c7f000 kernel32 (deferred)

00000000`77c80000 00000000`77e2c000 ntdll (export symbols) C:\Windows\SYSTEM32\ntdll.dll

00000001`3f240000 00000001`3f24e000 test2 (deferred)

000007fe`fdf40000 000007fe`fdfac000 KERNELBASE (deferred)

0:000> x test2!*called*

*** WARNING: Unable to verify checksum for test2.exe

00000001`3f242e90 test2!CalledFunction4 (int, int, int, int, int)

00000001`3f242e50 test2!CalledFunction5 (int, int, int, int, int)

0:000> lm

start end module name

00000000`0fd90000 00000000`0ff60000 MSVCR100D (deferred)

00000000`77b60000 00000000`77c7f000 kernel32 (deferred)

00000000`77c80000 00000000`77e2c000 ntdll (export symbols) C:\Windows\SYSTEM32\ntdll.dll

00000001`3f240000 00000001`3f24e000 test2 C (private pdb symbols) c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\x64\debug\test2.pdb

000007fe`fdf40000 000007fe`fdfac000 KERNELBASE (deferred)

0:000> bp 00000001`3f242e90

0:000> bp 00000001`3f242e50

0:000> g

Breakpoint 0 hit

test2!CalledFunction4:

00000001`3f242e90 44894c2420 mov dword ptr [rsp+20h],r9d ss:00000000`002dfc38=cccccccc

0:000> uf

Address expression missing from '<EOL>'

0:000> uf .

test2!CalledFunction4 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 13]:

13 00000001`3f242e90 44894c2420 mov dword ptr [rsp+20h],r9d

13 00000001`3f242e95 4489442418 mov dword ptr [rsp+18h],r8d

13 00000001`3f242e9a 89542410 mov dword ptr [rsp+10h],edx

13 00000001`3f242e9e 894c2408 mov dword ptr [rsp+8],ecx

13 00000001`3f242ea2 57 push rdi

13 00000001`3f242ea3 4883ec30 sub rsp,30h

13 00000001`3f242ea7 488bfc mov rdi,rsp

13 00000001`3f242eaa b90c000000 mov ecx,0Ch

13 00000001`3f242eaf b8cccccccc mov eax,0CCCCCCCCh

13 00000001`3f242eb4 f3ab rep stos dword ptr [rdi]

13 00000001`3f242eb6 8b4c2440 mov ecx,dword ptr [rsp+40h]

14 00000001`3f242eba 8b442460 mov eax,dword ptr [rsp+60h]

14 00000001`3f242ebe 89442420 mov dword ptr [rsp+20h],eax

14 00000001`3f242ec2 448b4c2458 mov r9d,dword ptr [rsp+58h]

14 00000001`3f242ec7 448b442450 mov r8d,dword ptr [rsp+50h]

14 00000001`3f242ecc 8b542448 mov edx,dword ptr [rsp+48h]

14 00000001`3f242ed0 8b4c2440 mov ecx,dword ptr [rsp+40h]

14 00000001`3f242ed4 e82ce1ffff call test2!ILT+0(?CalledFunction5YAHHHHHHZ) (00000001`3f241005)

15 00000001`3f242ed9 b806000000 mov eax,6

16 00000001`3f242ede 4883c430 add rsp,30h

16 00000001`3f242ee2 5f pop rdi

16 00000001`3f242ee3 c3 ret

0:000> r

rax=00000000cccccccc rbx=0000000000000000 rcx=0000000000000001

rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc50

rip=000000013f242e90 rsp=00000000002dfc18 rbp=0000000000000000

r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb

r11=00000000002df588 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl nz na pe nc

cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202

test2!CalledFunction4:

00000001`3f242e90 44894c2420 mov dword ptr [rsp+20h],r9d ss:00000000`002dfc38=cccccccc

0:000> bp 00000001`3f242ed4

0:000> bl

0 e 00000001`3f242e90 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 13] 0001 (0001) 0:**** test2!CalledFunction4

1 e 00000001`3f242e50 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 8] 0001 (0001) 0:**** test2!CalledFunction5

2 e 00000001`3f242ed4 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 14] 0001 (0001) 0:**** test2!CalledFunction4+0x44

0:000> g

Breakpoint 2 hit

test2!CalledFunction4+0x44:

00000001`3f242ed4 e82ce1ffff call test2!ILT+0(?CalledFunction5YAHHHHHHZ) (00000001`3f241005)

0:000> r

rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000001

rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc10

rip=000000013f242ed4 rsp=00000000002dfbe0 rbp=0000000000000000

r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb

r11=00000000002df588 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl nz na pe nc

cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202

test2!CalledFunction4+0x44:

00000001`3f242ed4 e82ce1ffff call test2!ILT+0(?CalledFunction5YAHHHHHHZ) (00000001`3f241005)

0:000> g

Breakpoint 1 hit

test2!CalledFunction5:

00000001`3f242e50 44894c2420 mov dword ptr [rsp+20h],r9d ss:00000000`002dfbf8=cccccccc

0:000> r

rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000001

rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc10

rip=000000013f242e50 rsp=00000000002dfbd8 rbp=0000000000000000

r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb

r11=00000000002df588 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl nz na pe nc

cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202

test2!CalledFunction5:

00000001`3f242e50 44894c2420 mov dword ptr [rsp+20h],r9d ss:00000000`002dfbf8=cccccccc

0:000> uf .

test2!CalledFunction5 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 8]:

8 00000001`3f242e50 44894c2420 mov dword ptr [rsp+20h],r9d

8 00000001`3f242e55 4489442418 mov dword ptr [rsp+18h],r8d

8 00000001`3f242e5a 89542410 mov dword ptr [rsp+10h],edx

8 00000001`3f242e5e 894c2408 mov dword ptr [rsp+8],ecx

8 00000001`3f242e62 57 push rdi

9 00000001`3f242e63 8b442418 mov eax,dword ptr [rsp+18h]

9 00000001`3f242e67 8b4c2410 mov ecx,dword ptr [rsp+10h]

9 00000001`3f242e6b 03c8 add ecx,eax

9 00000001`3f242e6d 8bc1 mov eax,ecx

9 00000001`3f242e6f 03442420 add eax,dword ptr [rsp+20h]

9 00000001`3f242e73 03442428 add eax,dword ptr [rsp+28h]

9 00000001`3f242e77 03442430 add eax,dword ptr [rsp+30h]

10 00000001`3f242e7b 5f pop rdi

10 00000001`3f242e7c c3 ret

0:000> dq rsp

00000000`002dfbd8 00000001`3f242ed9 cccccccc`cccccccc

00000000`002dfbe8 cccccccc`cccccccc cccccccc`cccccccc

00000000`002dfbf8 cccccccc`cccccccc cccccccc`00000005

00000000`002dfc08 cccccccc`cccccccc 00000000`002dfc50

00000000`002dfc18 00000001`3f242f34 cccccccc`00000001

00000000`002dfc28 cccccccc`00000002 cccccccc`00000003

00000000`002dfc38 cccccccc`00000004 cccccccc`00000005

00000000`002dfc48 cccccccc`cccccccc 00000000`00000000

Let us look at why the stack looks the way it does.

[Figure: stack layout diagram (image: X64 Calling Convention 的一个实验_f5_04)]

[Figure: stack layout diagram (image: X64 Calling Convention 的一个实验_3c_05)]
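The stack diagrams above can be reproduced from the transcript itself. The script below is an added example, not code from the original post: it parses the `r` register lines and the `dq rsp` dump captured at the CalledFunction5 breakpoint (copied verbatim from the transcript), then applies the book's rules to locate every parameter. The function names, the 0xCCCCCCCC "uninitialized" test and the hard-coded CalledFunction4 entry rsp (0x2dfc18, taken from the register dump at Breakpoint 0) are assumptions made for the example.

```python
"""Added example (not from the original post): locate every parameter of
CalledFunction5 and CalledFunction4 on the stack, using only the x64
calling-convention rules quoted above and the debugger output from the
transcript."""
import re

# Input copied from the transcript at "Breakpoint 1 hit" (CalledFunction5
# entry, rsp=002dfbd8): the `r` register lines and the `dq rsp` dump.
REG_DUMP = """\
rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc10
rip=000000013f242e50 rsp=00000000002dfbd8 rbp=0000000000000000
r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb"""

STACK_DUMP = """\
00000000`002dfbd8 00000001`3f242ed9 cccccccc`cccccccc
00000000`002dfbe8 cccccccc`cccccccc cccccccc`cccccccc
00000000`002dfbf8 cccccccc`cccccccc cccccccc`00000005
00000000`002dfc08 cccccccc`cccccccc 00000000`002dfc50
00000000`002dfc18 00000001`3f242f34 cccccccc`00000001
00000000`002dfc28 cccccccc`00000002 cccccccc`00000003
00000000`002dfc38 cccccccc`00000004 cccccccc`00000005
00000000`002dfc48 cccccccc`cccccccc 00000000`00000000"""

# Register order for the first four integer parameters (from the book excerpt).
REG_ARGS = ("rcx", "rdx", "r8", "r9")
UNINITIALIZED = 0xCCCCCCCC  # debug-build fill pattern visible in the dump (assumption)


def parse_registers(text):
    """'name=16hexdigits' pairs from WinDbg `r` output -> {name: int}."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"(\w+)=([0-9a-f]{16})", text)}


def parse_dq(text):
    """`dq` output (address followed by two qwords per line) -> {address: qword}."""
    mem = {}
    for line in text.splitlines():
        addr, *qwords = [int(tok.replace("`", ""), 16) for tok in line.split()]
        for i, q in enumerate(qwords):
            mem[addr + 8 * i] = q
    return mem


def read_dword(mem, addr):
    """32-bit little-endian read: an int parameter only uses the low dword of
    its 8-byte slot, the high dword keeps whatever filled the slot before."""
    base = addr & ~7
    return (mem[base] >> (8 * (addr - base))) & 0xFFFFFFFF


def parameter_slots(rsp_at_entry, nparams, mem):
    """(index, slot address, stored value) for every parameter of a frame whose
    return address sits at rsp_at_entry: home slots for parameters 1..4 at
    rsp+8..rsp+20h, stack-passed parameters 5.. from rsp+28h upward."""
    return [(i, rsp_at_entry + 8 * i, read_dword(mem, rsp_at_entry + 8 * i))
            for i in range(1, nparams + 1)]


def arguments_at_entry(regs, rsp_at_entry, nparams, mem):
    """What the callee actually receives: parameters 1..4 from the registers,
    the rest from their stack slots (the home slots may still hold garbage)."""
    return [regs[REG_ARGS[i - 1]] & 0xFFFFFFFF if i <= 4
            else read_dword(mem, rsp_at_entry + 8 * i)
            for i in range(1, nparams + 1)]


def prolog_offset(param_index, pushed_qwords=1, frame_bytes=0):
    """rsp-relative offset at which the callee reads a parameter after its
    prolog pushed `pushed_qwords` registers and subtracted `frame_bytes`.
    CalledFunction5 (push rdi only) reads parameter 1 at [rsp+10h];
    CalledFunction4 (push rdi; sub rsp,30h) reads it at [rsp+40h]."""
    return 8 * param_index + 8 * pushed_qwords + frame_bytes


if __name__ == "__main__":
    regs = parse_registers(REG_DUMP)
    mem = parse_dq(STACK_DUMP)
    rsp5 = regs["rsp"]  # CalledFunction5 entry: 0x2dfbd8, return address on top
    print("return address into CalledFunction4: %#x" % mem[rsp5])
    for i, slot, val in parameter_slots(rsp5, 5, mem):
        tag = "home slot, not written by the caller" if val == UNINITIALIZED else "stored by the caller"
        print("param %d  [%#x] = %#x  (%s)" % (i, slot, val, tag))
    print("CalledFunction5 receives:", arguments_at_entry(regs, rsp5, 5, mem))
    # CalledFunction4's own frame: its return address is at 0x2dfc18 (rsp at
    # Breakpoint 0, assumed here) and its prolog already copied rcx/rdx/r8/r9
    # into the home slots, so all five values are visible on the stack.
    print("CalledFunction4 params:", [v for _, _, v in parameter_slots(0x2dfc18, 5, mem)])
```

Running it shows the two facts the excerpt states: in CalledFunction5's frame the four home slots at rsp+8..rsp+20h still contain the caller's 0xCCCCCCCC fill while only the 5th parameter (rsp+28h) was written by the caller, whereas in CalledFunction4's frame all five values are present because its prolog (the first four `mov dword ptr [rsp+...]` instructions) spilled the register parameters into their home slots. `prolog_offset` also explains the `[rsp+10h]` versus `[rsp+40h]` operands in the two disassemblies: the home slots are fixed relative to the return address, so each `push` or `sub rsp` in the prolog shifts the rsp-relative offsets by the same amount.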

0:000> bp 00000001`3f242e63

0:000> g

Breakpoint 3 hit

test2!CalledFunction5+0x13:

00000001`3f242e63 8b442418 mov eax,dword ptr [rsp+18h] ss:00000000`002dfbe8=00000002

0:000> bl

0 e 00000001`3f242e90 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 13] 0001 (0001) 0:**** test2!CalledFunction4

1 e 00000001`3f242e50 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 8] 0001 (0001) 0:**** test2!CalledFunction5

2 e 00000001`3f242ed4 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 14] 0001 (0001) 0:**** test2!CalledFunction4+0x44

3 e 00000001`3f242e63 [c:\users\administrator.vsat\documents\visual studio 2010\projects\test2\test2\test2.cpp @ 9] 0001 (0001) 0:**** test2!CalledFunction5+0x13

0:000> r

rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000001

rdx=0000000000000002 rsi=0000000000000000 rdi=00000000002dfc10

rip=000000013f242e63 rsp=00000000002dfbd0 rbp=0000000000000000

r8=0000000000000003 r9=0000000000000004 r10=00000000000000bb

r11=00000000002df588 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl nz na pe nc

cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202

test2!CalledFunction5+0x13:

00000001`3f242e63 8b442418 mov eax,dword ptr [rsp+18h] ss:00000000`002dfbe8=00000002