Shadow space example

by

The shadow space must be provided directly previous to the call. Imagine the shadow space as a relic from the old stdcall/cdecl convention: For WriteFile you needed five pushes. The shadow space stands for the last four pushes (the first four arguments). Now you need four registers, the shadow space (just the space, contents don’t matter) and one value on the stack after the shadow space (which is in fact the first push). Currently the return address to the caller (start) is in the space that WriteFile will use as shadow space -> crash.

You can create a new shadow space for the WinAPI functions (GetStdHandle and WriteConsoleA) inside the function write:

write:
    push rbp
    mov rbp, rsp
    sub rsp, (16 + 32)      ; 5th argument of WriteConsoleA (8) + Shadow space (32)
                            ; plus another 8 to make it a multiple of 16 (to keep stack aligned after one push aligned it after function entry)

    mov [rbp+16],rcx        ; <-- use our Shadow space, provided by `start`
    mov [rbp+24],rdx        ; <-- and again, to save our incoming args

    mov rcx, -11            ; Get handle to StdOut
    call GetStdHandle

    mov rcx,rax             ; hConsoleOutput
    mov rdx, [rbp+16]       ; lpBuffer        ; reloaded saved copy of register arg
    mov r8, [rbp+24]        ; nNumberOfCharsToWrite
    mov r9,empty            ; lpNumberOfCharsWritten
    mov qword [rsp+32],0    ; lpReserved - 5th argument directly behind the shadow space
    call WriteConsoleA

    leave
    ret

More Related Contents:

  1. Why does Windows64 use a different calling convention from all other OSes on x86-64?
  2. What is the ‘shadow space’ in x64 assembly?
  3. Hello world using nasm in windows assembly
  4. Why does the x86-64 / AMD64 System V ABI mandate a 16 byte stack alignment?
  5. glibc scanf Segmentation faults when called from a function that doesn’t align RSP
  6. Can’t call C standard library function on 64-bit Linux from assembly (yasm) code
  7. Why does GCC allocate more space than necessary on the stack, beyond what’s needed for alignment?
  8. Why is there no “sub rsp” instruction in this function prologue and why are function parameters stored at negative rbp offsets?
  9. Linux default behavior of executable .data section changed between 5.4 and 5.9?
  10. Windows system calls [duplicate]
  11. Why NASM on Linux changes registers in x86_64 assembly
  12. Compiling assembly in Visual Studio
  13. System Calls in windows & Native API?
  14. How to push a 64bit int in NASM?
  15. Is it valid to write below ESP?
  16. Successive sys_write syscalls not working as expected, NASM bug on OS X?
  17. Segmentation fault when using DB (define byte) inside a function
  18. Can I add 64bit constants to 64bit registers?
  19. Which versions of Windows support/require which CPU multimedia extensions? (How to check if SSE or AVX are fully usable?)
  20. Number of executed Instructions different for Hello World program Nasm Assembly and C
  21. Segmentation fault on printf – NASM 64bit Linux
  22. Is x86 32-bit assembly code valid x86 64-bit assembly code?
  23. Why use RIP-relative addressing in NASM?
  24. x64 nasm: pushing memory addresses onto the stack & call function
  25. Writing a putchar in Assembly for x86_64 with 64 bit Linux?
  26. nasm idiv a negative value
  27. Where is “START” searching for executables?
  28. Why does this MOVSS instruction use RIP-relative addressing? [duplicate]
  29. How to send double quote in -d parameter for curl.exe?
  30. PostgreSQL database service

Leave a Comment