Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Crash Dump Analysis: Jakub Jermář Martin Děcký

    Hochgeladen von

    achilles7
    11 Ansichten57 Seiten
    The document provides an overview of the AMD64 (x86-64) architecture. It describes key differences from IA-32 including being a 64-bit architecture with 16 registers. It outlines the AMD64 ABI for calling conventions and register usage. Finally, it demonstrates a code example and stack layout during function calls to illustrate ABI concepts in practice.

    Originalbeschreibung:

    Originaltitel

    03-amd64-1

    Copyright

    © © All Rights Reserved

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    The document provides an overview of the AMD64 (x86-64) architecture. It describes key differences from IA-32 including being a 64-bit architecture with 16 registers. It outlines the AMD64 ABI for calling conventions and register usage. Finally, it demonstrates a code example and stack layout during function calls to illustrate ABI concepts in practice.

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    11 Ansichten57 Seiten

    Crash Dump Analysis: Jakub Jermář Martin Děcký

    Hochgeladen von

    achilles7
    The document provides an overview of the AMD64 (x86-64) architecture. It describes key differences from IA-32 including being a 64-bit architecture with 16 registers. It outlines the AMD64 ABI for calling conventions and register usage. Finally, it demonstrates a code example and stack layout during function calls to illustrate ABI concepts in practice.

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 57

    Crash Dump Analysis

    AMD64
    Jakub Jerm
    Martin Dck

    AMD64Overview

    NaturalextensionofIA32
    OriginallycreatedbyAMD(thusAMD64)

    LateralsoadoptedbyIntel(asIA32e,IA64t,Intel64)

    Vendorneutralnamesx8664,x64

    ManypropertiesofIA32applyalsotoAMD64

    Keydifferences

    64bitarchitecture

    16GPRs(14practicallyusable)

    Segmentationalmosteliminated
    (excepttworemainingsimplifiedsegments)

    CrashDumpAnalysisMFFUKAMD64

    AMD64Manuals

    AMD64ArchitectureProgrammer'sManual
    Volume1:ApplicationProgramming
    Volume2:SystemProgramming
    Volume3:GeneralPurposeandSystem
    Instructions

    SoftwareOptimizationGuideforAMD64
    Processors
    www.amd.com/usen/Processors/TechnicalResources/0,,30_182_739_7044,00.html

    CrashDumpAnalysisMFFUKAMD64

    AMD64Manuals(2)

    Intel64andIA32ArchitecturesSoftware
    Developer'sManual
    Volume1:BasicArchitecture
    Volume2A+2B:InstructionSetReference
    Volume3A+3B:SystemProgrammingGuide

    Intel64andIA32ArchitecturesOptimization
    ReferenceManual
    http://www.intel.com/products/processor/manuals

    CrashDumpAnalysisMFFUKAMD64

    AMD64ABI

    SystemVApplicationBinaryInterface,AMD64
    ArchitectureProcessorSupplement
    Thisistheauthoritativesourceofinformation

    AtleastforsystemsusingGNUGCCtoolchain
    (GNU/Linux,*BSD,mostUnixes,etc.)

    Wewilluseandpresentasimplifiedviewwhichis
    sufficientforsimpleintegercases
    www.x8664.org/documentation/abi.pdf

    CrashDumpAnalysisMFFUKAMD64

    AMD64Registers
    AH AL
    AX
    EAX
    RAX

    BH BL
    BX
    EBX
    RBX

    CH CL
    CX
    ECX
    RCX

    DH DL
    DX
    EDX
    RDX

    DIL
    DI

    SIL
    SI

    EDI

    ESI

    RDI

    RSI
    BPL
    BP

    SPL
    SP

    EBP
    RBP
    CrashDumpAnalysisMFFUKAMD64

    ESP
    RSP
    6

    AMD64Registers(2)
    R8B
    R8W

    R9B
    R9W

    R8D

    R9D

    R8

    R9
    R10B

    R11B

    R10W
    R10D
    R10

    R11W
    R11D
    R11

    R12B

    R13B

    R12W
    R12D
    R12

    R13W
    R13D
    R13
    R15B

    R14B

    R15W
    R15D

    R14W
    R14D
    R14
    CrashDumpAnalysisMFFUKAMD64

    R15
    7

    AMD64Registers(3)

    FLAGS
    EFLAGS

    IP
    EIP

    RFLAGS
    CS

    DS

    CrashDumpAnalysisMFFUKAMD64

    RIP
    ES

    SS

    FS

    GS

    ABIinaNutshell

    Firstsixintegerargumentspassedinregisters
    RDI,RSI,RDX,RCX,R8,R9

    More/complexargumentspassedonstack
    Inreverseorder(thelastargumentispushedfirst)

    Returnvalue
    ForsimpleintegertypesinRAX

    Otherwiseonthestack

    Implicitstack(RSP)andframe(RBP)pointer

    CrashDumpAnalysisMFFUKAMD64

    ABIinaNutshell(2)

    Volatile(scratch,callersaved)registers
    RAX,RCX,RDX,RDI,RSI,R8,R9,R10,R11

    Nonvolatile(preserved,calleesaved)registers
    RBX,RBP,RSP,R12,R13,R14,R15

    Stackalignedon8Bboundary,butnot16B
    alignedonfunction'sentrypoint
    Thuseachstackframeis16Baligned

    SupportforeasyspillingofFPUandSSEregisters

    SomeGCCbuildsignorethisrule

    CrashDumpAnalysisMFFUKAMD64

    10

    ABIinaNutshell(3)

    128BredzoneatRSP128
    Optimization

    Functionsdonotneedtoallocatestackspace

    Signalandinterrupthandlersshouldavoidthisarea
    Sometimestheredzoneisdisabled
    gcc -mno-red-zone

    CrashDumpAnalysisMFFUKAMD64

    11

    AMD64Instructions

    Sameinstructionshavethesamesyntaxasin
    IA32
    Notabledifferences
    Newregisters
    Newoperandsizeq(quad,64bits)
    EffectiveaddresscanuseRIP

    Example:cmpq+0x305f9e(%rip),%r13

    CrashDumpAnalysisMFFUKAMD64

    12

    FunctionPrologue
    pushq%rbp
    movq%rsp,%rbp
    subq$imm,%rsp
    movq%rdi,8(%rbp)#savethefirstargumentonstack
    pushq%r12#savethepreservedregister
    ...

    CrashDumpAnalysisMFFUKAMD64

    13

    FunctionPrologue(2)

    Somecompilersgeneratecodewhichsaves
    argumentspassedinregistersalsointothe
    stackframe
    Goodfordebugging
    Badforperformance
    gcc -msave-args
    suncc -Wu,-save_args

    CrashDumpAnalysisMFFUKAMD64

    14

    FunctionEpilogue

    popq%r13

    movq8(rsp),%r12

    popq%r13

    movq%rbp,%rsp

    movq8(rsp),%r12

    popq%rbp

    leave

    ret

    ret

    CrashDumpAnalysisMFFUKAMD64

    15

    StackandCodeExample

    Rememberthefoo(),bar()andfoobar()
    frompreviousslides?
    Compileusinggcc -O1 -m64
    Disassembleandsinglestepmain()andfoo()
    Observethestack

    CrashDumpAnalysisMFFUKAMD64

    16

    StackandCodeExample(2)
    foo:
    pushq %rbp
    foo+1: movq %rsp,%rbp
    foo+4: movl $0x0,%eax
    foo+9: call +0x2 <bar>
    foo+0xe: leave
    foo+0xf: ret

    main:
    pushq %rbp
    main+1: movq %rsp,%rbp
    main+4: call -0x2c <foo>
    main+9: leave
    main+0xa: ret
    CrashDumpAnalysisMFFUKAMD64

    17

    StackandCodeExample(2)

    Initialstate
    Noinstructionsexecuted
    Inheritedstackpointer
    frommain()'scaller

    main:
    pushq %rbp
    main+1: movq %rsp,%rbp
    main+4: call -0x2c <foo>
    main+9: leave
    main+0xa: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf8: _start+0x6c

    18

    StackandCodeExample(2)

    Savepreviousframe
    pointeronthestack

    main:
    pushq %rbp
    main+1: movq %rsp,%rbp
    main+4: call -0x2c <foo>
    main+9: leave
    main+0xa: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    19

    StackandCodeExample(2)

    Establishanew,fixed
    framepointerinRBP
    Itpointstowherewe
    savedthepreviousone

    main:
    pushq %rbp
    main+1: movq %rsp,%rbp
    main+4: call -0x2c <foo>
    main+9: leave
    main+0xa: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    20

    StackandCodeExample(2)

    Callfoo()
    Theargumentispassed
    inRDI

    main:
    pushq %rbp
    main+1: movq %rsp,%rbp
    main+4: call -0x2c <foo>
    main+9: leave
    main+0xa: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbe8: main+9
    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    21

    StackandCodeExample(2)
    foo:
    pushq %rbp
    foo+1: movq %rsp,%rbp
    foo+4: movl $0x0,%eax
    foo+9: call +0x2 <bar>
    foo+0xe: leave
    foo+0xf: ret

    Savethepreviousframe
    pointertothestack

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffbf0
    main+9
    0xfffffd7fffdffc00
    _start+0x6c

    22

    StackandCodeExample(2)
    foo:
    pushq %rbp
    foo+1: movq %rsp,%rbp
    foo+4: movl $0x0,%eax
    foo+9: call +0x2 <bar>
    foo+0xe: leave
    foo+0xf: ret

    Establishanewframe
    pointerinRBP
    Itpointstotheaddress
    wherethepreviousoneis
    stored

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffbf0
    main+9
    0xfffffd7fffdffc00
    _start+0x6c

    23

    StackandCodeExample(2)
    foo:
    pushq %rbp
    foo+1: movq %rsp,%rbp
    foo+4: movl $0x0,%eax
    foo+9: call +0x2 <bar>
    foo+0xe: leave
    foo+0xf: ret

    ZeroEAXandsignextend
    totheupperpartofRAX
    ClearsthewholeRAX
    Notneeded

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffbf0
    main+9
    0xfffffd7fffdffc00
    _start+0x6c

    24

    StackandCodeExample(2)
    foo:
    pushq %rbp
    foo+1: movq %rsp,%rbp
    foo+4: movl $0x0,%eax
    foo+9: call +0x2 <bar>
    foo+0xe: leave
    foo+0xf: ret

    Callbar()
    Theargumentisstillin
    RDI

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    foo+0xe
    0xfffffd7fffdffbf0
    main+9
    0xfffffd7fffdffc00
    _start+0x6c

    25

    StackandCodeExample(2)
    foo:
    pushq %rbp
    foo+1: movq %rsp,%rbp
    foo+4: movl $0x0,%eax
    foo+9: call +0x2 <bar>
    foo+0xe: leave
    foo+0xf: ret

    Stepthroughandreturn
    frombar()
    bar()'sreturnvalueisin
    RAX

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffbf0
    main+9
    0xfffffd7fffdffc00
    _start+0x6c

    26

    StackandCodeExample(2)
    foo:
    pushq %rbp
    foo+1: movq %rsp,%rbp
    foo+4: movl $0x0,%eax
    foo+9: call +0x2 <bar>
    foo+0xe: leave
    foo+0xf: ret

    Destroyfoo()'sstack
    frame

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbe8: main+9
    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    27

    StackandCodeExample(2)
    foo:
    pushq %rbp
    foo+1: movq %rsp,%rbp
    foo+4: movl $0x0,%eax
    foo+9: call +0x2 <bar>
    foo+0xe: leave
    foo+0xf: ret

    Returnbacktomain()
    Returnvalueisagainin
    RAX

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    28

    StackandCodeExample(2)

    Destroymain()'sstack
    frame

    main:
    pushq %rbp
    main+1: movq %rsp,%rbp
    main+4: call -0x2c <foo>
    main+9: leave
    main+0xa: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf8: _start+0x6c

    29

    StackandCodeExample(2)

    Returnfrommain()

    main:
    pushq %rbp
    main+1: movq %rsp,%rbp
    main+4: call -0x2c <foo>
    main+9: leave
    main+0xa: ret
    CrashDumpAnalysisMFFUKAMD64

    30

    StackandCodeExample(2)

    Returnfrommain()

    M
    O
    D
    .
    .
    E
    .
    .
    R
    z
    z
    O
    z
    B z
    Z
    main:
    pushq %rbp
    main+1: movq %rsp,%rbp
    main+4: call -0x2c <foo>
    main+9: leave
    main+0xa: ret
    CrashDumpAnalysisMFFUKAMD64

    31

    StackandCodeExample(3)

    Let'strythesameexamplewithdifferent
    compileroptions
    Compileusinggcc -O0 -m64 -msave-args
    Disassembleandsinglestepmain()andfoo()
    Observethestack

    CrashDumpAnalysisMFFUKAMD64

    32

    StackandCodeExample(4)

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    33

    StackandCodeExample(4)

    Initialstate
    Noinstructionsexecuted

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf8: _start+0x6c

    34

    StackandCodeExample(4)

    Savepreviousframe
    pointeronthestack

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    35

    StackandCodeExample(4)

    Establishanew,fixed
    framepointerinRBP

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    36

    StackandCodeExample(4)

    Savethesecond
    argumenttothestack
    Usingtheredzone

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    37

    StackandCodeExample(4)

    Savethefirstargument
    tothestack
    Usingtheredzone

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc00
    0xfffffd7fffdffbf8: _start+0x6c

    38

    StackandCodeExample(4)

    Allocatespaceonthe
    stack

    Wecanseethearguments

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffc00
    _start+0x63
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    39

    StackandCodeExample(4)

    Saveawaythefirst
    argumentoncemore

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffc00
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    40

    StackandCodeExample(4)

    Saveawaythesecond
    argumentoncemore

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    41

    StackandCodeExample(4)

    Justforsure,readthe
    firstargumentbackto
    EDI

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    42

    StackandCodeExample(4)

    Callfoo()
    Theargumentispassed
    inRDI

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    43

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Savethepreviousframe
    pointertothestack

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    44

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Establishanewframe
    pointerinRBP
    Itpointstotheaddress
    wherethepreviousoneis
    stored

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    45

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Savetheargumentonthe
    stack
    Usingtheredzone

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    46

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Allocatestackspace
    Wecanseetheargument

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffba0:
    0xfffffd7fffdffba8:
    0xfffffd7fffdffbb0:
    0xfffffd7fffdffbb8:
    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0
    0
    0
    1
    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    47

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Saveawaythefirst
    argumentonceagain

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffba0:
    0xfffffd7fffdffba8:
    0xfffffd7fffdffbb0:
    0xfffffd7fffdffbb8:
    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0
    0x100000000
    0
    1
    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    48

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Justforsure,readthe
    firstargumentbackto
    EDI

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffba0:
    0xfffffd7fffdffba8:
    0xfffffd7fffdffbb0:
    0xfffffd7fffdffbb8:
    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0
    0x100000000
    0
    1
    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    49

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    ZeroEAXandsignextend
    totheupperpartofRAX
    ClearsthewholeRAX
    Notneeded

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffba0:
    0xfffffd7fffdffba8:
    0xfffffd7fffdffbb0:
    0xfffffd7fffdffbb8:
    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0
    0x100000000
    0
    1
    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    50

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Callbar()
    Theargumentisstillin
    RDI

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffb98:
    0xfffffd7fffdffba0:
    0xfffffd7fffdffba8:
    0xfffffd7fffdffbb0:
    0xfffffd7fffdffbb8:
    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    foo+0x1c
    0
    0x100000000
    0
    1
    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    51

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Stepthroughandreturn
    frombar()
    bar()'sreturnvalueisin
    RAX

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffba0:
    0xfffffd7fffdffba8:
    0xfffffd7fffdffbb0:
    0xfffffd7fffdffbb8:
    0xfffffd7fffdffbc0:
    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0
    0x100000000
    0
    1
    0xfffffd7fffdffbf0
    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    52

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Destroyfoo()'sstack
    frame

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbc8:
    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    main+0x1f
    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    53

    StackandCodeExample(4)
    foo:
    pushq %rbp
    foo+1:
    movq %rsp,%rbp
    foo+4:
    movq %rdi,-0x8(%rbp)
    foo+8:
    subq $0x20,%rsp
    foo+0xc: movl %edi,-0x14(%rbp)
    foo+0xf: movl -0x14(%rbp),%edi
    foo+0x12: movl $0x0,%eax
    foo+0x17: call +0x2 <bar>
    foo+0x1c: leave
    foo+0x1d: ret

    Returnbacktomain()
    Returnvalueisagainin
    RAX

    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbd0:
    0xfffffd7fffdffbd8:
    0xfffffd7fffdffbe0:
    0xfffffd7fffdffbe8:
    0xfffffd7fffdffbf0:
    0xfffffd7fffdffbf8:

    0xfffffd7fffdffc18
    0x100400eb3
    0xfffffd7fffdffc18
    1
    0xfffffd7fffdffc00
    _start+0x6c

    54

    StackandCodeExample(4)

    Destroymain()'sstack
    frame

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    0xfffffd7fffdffbf8: _start+0x6c

    55

    StackandCodeExample(4)

    Returnfrommain()

    main:
    pushq %rbp
    main+1:
    movq %rsp,%rbp
    main+4:
    movq %rsi,-0x10(%rbp)
    main+8:
    movq %rdi,-0x8(%rbp)
    main+0xc: subq $0x20,%rsp
    main+0x10: movl %edi,-0x14(%rbp)
    main+0x13: movq %rsi,-0x20(%rbp)
    main+0x17: movl -0x14(%rbp),%edi
    main+0x1a: call -0x6b <foo>
    main+0x1f: leave
    main+0x20: ret
    CrashDumpAnalysisMFFUKAMD64

    56

    AMD64ABICheatSheet
    RAX
    RBX
    RCX
    RDX
    RSI
    RDI
    RBP
    RSP
    R8
    R9
    R10
    R11
    R12
    R13
    R14
    R15

    returnvalue
    4th argument
    3rd argument
    2nd argument
    1stargument
    framepointer
    stackpointer
    5th argument
    6th argument

    nonvolatileregisters
    volatileregisters

    CrashDumpAnalysisMFFUKAMD64

    57

    Das könnte Ihnen auch gefallen