I have some questions about prologues and the call instruction.
1) Do I understand correctly that:
The call instruction is always used to call a function, although a function call is not always implemented using call (it may be realized using push+jmp).
Most functions have a prologue, and it often looks like this:
push ebp
mov ebp, esp
sub esp, xx
And the prologue for optimizing compilers:
sub esp, xxx
Also I know about naked functions, which have no prologue and epilogue. Are there other situations where a function has no prologue? Or are all these samples of disassembled code calls of naked functions?
call from : 0x77b6f6f0 ntdll.dll!RtlImageDirectoryEntryToData+0x236 ??:0
to : 0x77b62869 ntdll.dll!RtlEnterCriticalSection+0xb559 ??:0
0x77b6f6f0 call $0x77b62869 %esp -> %esp 0xfffffffc(%esp)[4byte]
0x77b62869 mov 0xfffffff0(%ebp)[4byte] -> %ecx
0x77b6286c mov %ecx -> %fs:0x00[4byte]
0x77b62873 pop %esp (%esp)[4byte] -> %ecx %esp
0x77b62874 pop %esp (%esp)[4byte] -> %edi %esp
0x77b62875 pop %esp (%esp)[4byte] -> %edi %esp
0x77b62876 pop %esp (%esp)[4byte] -> %esi %esp
0x77b62877 pop %esp (%esp)[4byte] -> %ebx %esp
0x77b62878 mov %ebp -> %esp
--------------------------------------------------------------------
call from : 0x77b74d5e ntdll.dll!RtlGetCurrentTransaction+0x63a ??:0
to : 0x77b6f5cf ntdll.dll!RtlImageDirectoryEntryToData+0x115 ??:0
0x77b74d5e call $0x77b6f5cf %esp -> %esp 0xfffffffc(%esp)[4byte]
0x77b6f5cf push $0x0000005c %esp -> %esp 0xfffffffc(%esp)[4byte]
0x77b6f5d1 push $0x77b608e8 %esp -> %esp 0xfffffffc(%esp)[4byte]
0x77b6f5d6 call $0x77b62824 %esp -> %esp 0xfffffffc(%esp)[4byte]
0x77b6f5db xor %edi %edi -> %edi
0x77b6f5dd mov %edi -> 0xffffffdc(%ebp)[4byte]
0x77b6f5e0 mov 0x08(%ebp)[4byte] -> %eax
0x77b6f5e3 mov 0x18(%eax)[4byte] -> %edx
0x77b6f5e6 mov %edx -> 0xffffffd8(%ebp)[4byte]
call from : 0x77b6f85f ntdll.dll!LdrGetProcedureAddressEx+0x162 ??:0
to : 0x77b66f58 ntdll.dll!RtlRunOnceBeginInitialize+0xf9 ??:0
0x77b6f85f call $0x77b66f58 %esp -> %esp 0xfffffffc(%esp)[4byte]
0x77b66f58 mov 0xffffffe4(%ebp)[4byte] -> %ecx
0x77b66f5b xor %ebp %ecx -> %ecx
0x77b66f5d call $0x77b62f0c %esp -> %esp 0xfffffffc(%esp)[4byte]
0x77b66f62 jmp $0x77b62869
0x77b66f67 nop
2) After the call instruction, when calling some system functions (such as memcpy), the instruction jmp ds:address follows, which redirects to the function in the system library that copies the memory. What does this mean? Why isn't the redirection made immediately to the address of the function in the library, if it is loaded into the program and the address is known?
3) And how can I detect that a call is a function call? For example, when I use an indirect call I need to make sure that I am jumping to the beginning of the function. But the function has no prologue. Can you advise any information resources about that?
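As an added example (not code from the question or from any tool shown in it), here is a small Python classifier that inspects the first bytes at a 32-bit x86 call target and reports which entry form it finds: the classic push ebp / mov ebp, esp prologue, the frame-pointer-omitted sub esp, n prologue, an import thunk (jmp dword ptr [slot], the Intel-syntax form of jmp ds:address), a direct jmp, or none of these. The byte strings and load addresses are constructed samples; the opcode encodings are the standard Intel ones.

```python
# Classify the first bytes at a 32-bit x86 call target (added example,
# not from the question). Opcode bytes follow the Intel encoding tables.
import struct

MOV_EBP_ESP = (b"\x8b\xec", b"\x89\xe5")  # MSVC and GCC encodings of mov ebp, esp


def _sub_esp(code: bytes):
    """Decode 'sub esp, imm' at code[0]; return (size, length) or None."""
    if code.startswith(b"\x83\xec") and len(code) >= 3:  # imm8 form
        return code[2], 3
    if code.startswith(b"\x81\xec") and len(code) >= 6:  # imm32 form
        return struct.unpack_from("<I", code, 2)[0], 6
    return None


def classify_entry(code: bytes, addr: int = 0) -> dict:
    """Describe the instruction sequence at `code`, loaded at `addr`."""
    if code.startswith(b"\xff\x25") and len(code) >= 6:  # jmp dword ptr [slot]
        slot = struct.unpack_from("<I", code, 2)[0]
        return {"kind": "import_thunk", "iat_slot": slot}
    if code.startswith(b"\xe9") and len(code) >= 5:  # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "direct_jmp", "target": (addr + 5 + rel) & 0xFFFFFFFF}
    if code[:1] == b"\x55" and code[1:3] in MOV_EBP_ESP:  # push ebp; mov ebp, esp
        sub = _sub_esp(code[3:])
        return {"kind": "frame_prologue", "locals": sub[0] if sub else 0}
    sub = _sub_esp(code)
    if sub:  # sub esp, n with no frame pointer set up
        return {"kind": "fpo_prologue", "locals": sub[0]}
    return {"kind": "no_prologue"}


# Constructed samples (address -> bytes), not taken from the question's trace.
SAMPLES = {
    0x00401000: b"\x55\x8b\xec\x83\xec\x40\x53",  # push ebp; mov ebp,esp; sub esp,0x40; push ebx
    0x00401100: b"\x83\xec\x1c\x56\x57",          # sub esp,0x1c; push esi; push edi
    0x00401200: b"\xff\x25\x10\x20\x40\x00",      # jmp dword ptr [0x402010]
    0x00401300: b"\xe9\xfb\xfe\xff\xff",          # jmp 0x00401200 (rel32 = -0x105)
    0x00401400: b"\x8b\x4d\xf0\x64\x89\x0d\x00\x00\x00\x00",  # mov ecx,[ebp-0x10]; mov fs:[0],ecx
}


def classify_all(samples=SAMPLES) -> dict:
    """Classify every sample keyed by its load address."""
    return {addr: classify_entry(code, addr) for addr, code in samples.items()}

if __name__ == "__main__":
    for addr, info in classify_all().items():
        print(f"{addr:#010x}: {info}")
```

Running it prints one line per sample; the last sample, which starts with a plain mov like the trace at 0x77b62869, is reported as no_prologue.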
User contributions licensed under CC BY-SA 3.0