Repeat the walk-through by yourself. Draw the stack layout, including parameters and local variables.
The function in question is DllMain, which uses the WINAPI (stdcall) calling convention. Relative to the stack pointer at function entry, with the return address at offset 0x0, the stack looks like this:
| Offset | Contents |
|---|---|
| 0x0 | &return |
| +0x4 | hModule |
| +0x8 | dwReason |
| +0xc | lpReserved |
The function's instructions immediately modify the stack:
```asm
push    ebp
mov     ebp, esp
sub     esp, 130h
push    edi
sidt    fword ptr [ebp-8]
mov     eax, [ebp-6]
```
Keeping the same origin (the return-address slot, which is [ebp+4] after the prologue), the stack for local variables becomes:
| Offset | Contents |
|---|---|
| -0x138 | saved EDI |
| -0x134 | reserved |
| -0xc | struct IDT |
| -0x4 | saved EBP |
| 0x0 | &return |
The reserved bytes are for a PROCESSENTRY32 struct, which is defined on MSDN as follows:
```c
typedef struct tagPROCESSENTRY32 {
    DWORD     dwSize;
    DWORD     cntUsage;
    DWORD     th32ProcessID;
    ULONG_PTR th32DefaultHeapID;
    DWORD     th32ModuleID;
    DWORD     cntThreads;
    DWORD     th32ParentProcessID;
    LONG      pcPriClassBase;
    DWORD     dwFlags;
    TCHAR     szExeFile[MAX_PATH];
} PROCESSENTRY32, *PPROCESSENTRY32;
```
So a more accurate and complete stack layout showing the local variables and parameters may be:
| Offset | Contents |
|---|---|
| -0x138 | saved EDI |
| -0x134 | PROCESSENTRY32.dwSize |
| -0x130 | PROCESSENTRY32.cntUsage |
| -0x12c | PROCESSENTRY32.th32ProcessID |
| -0x128 | PROCESSENTRY32.th32DefaultHeapID |
| -0x124 | PROCESSENTRY32.th32ModuleID |
| -0x120 | PROCESSENTRY32.cntThreads |
| -0x11c | PROCESSENTRY32.th32ParentProcessID |
| -0x118 | PROCESSENTRY32.pcPriClassBase |
| -0x114 | PROCESSENTRY32.dwFlags |
| -0x110 | PROCESSENTRY32.szExeFile[0x104] |
| -0xc | IDT.limit |
| -0xa | IDT.base |
| -0x4 | saved EBP |
| 0x0 | &return |
| +0x4 | hModule |
| +0x8 | dwReason |
| +0xc | lpReserved |
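A quick way to check a hand-drawn frame like this is to compute it from the prologue and the struct definition and then test that no two locals collide. The script below is an added example, not part of the original post; it reproduces the table above from the `sub esp, 130h` / `push edi` prologue and the `PROCESSENTRY32` field sizes, using the post's convention of offsets relative to the return-address slot. The function names (`frame_layout`, `expand_struct`, `overlaps`) are my own, and the struct sizes assume a 32-bit ANSI build (4-byte scalars, 1-byte `TCHAR`).

```python
# Added example (not from the original post): a small frame-layout calculator that
# rebuilds the DllMain stack table from the prologue and the struct definition,
# and checks that no two locals overlap. Offsets follow the post's convention:
# relative to the return-address slot, so saved EBP sits at -0x4.

MAX_PATH = 260  # Windows MAX_PATH; szExeFile is TCHAR[MAX_PATH], 1 byte per TCHAR in an ANSI build

# PROCESSENTRY32 on 32-bit Windows: every scalar field (DWORD, LONG, ULONG_PTR) is 4 bytes.
PROCESSENTRY32_FIELDS = [
    ("dwSize", 4), ("cntUsage", 4), ("th32ProcessID", 4), ("th32DefaultHeapID", 4),
    ("th32ModuleID", 4), ("cntThreads", 4), ("th32ParentProcessID", 4),
    ("pcPriClassBase", 4), ("dwFlags", 4), ("szExeFile", MAX_PATH),
]

# The 6-byte IDTR image written by `sidt fword ptr [mem]`: 16-bit limit, then 32-bit base.
IDT_FIELDS = [("limit", 2), ("base", 4)]


def struct_size(fields):
    return sum(size for _, size in fields)


def expand_struct(ebp_offset, prefix, fields):
    """Lay out `fields` starting at [ebp+ebp_offset]; returns (ebp_offset, size, name) rows."""
    rows, off = [], ebp_offset
    for name, size in fields:
        rows.append((off, size, f"{prefix}.{name}"))
        off += size
    return rows


def frame_layout(local_bytes, saved_regs, params, locals_):
    """Frame for a `push ebp / mov ebp,esp / sub esp,N / push <regs>` prologue.

    locals_ holds (ebp_offset, size, name) rows exactly as the disassembly addresses them.
    Returned offsets are relative to the return-address slot (the post's convention), which
    is EBP+4 after the prologue, so every EBP-relative offset shifts by -4.
    """
    rows = []
    # stdcall/WINAPI: the caller pushed parameters right-to-left, so the first
    # parameter is the one nearest the return address.
    for i, name in enumerate(params):
        rows.append((4 * (i + 1), 4, name))
    rows.append((0, 4, "&return"))
    rows.append((-4, 4, "saved EBP"))            # push ebp
    for ebp_off, size, name in locals_:          # carved out of the `sub esp, N` area
        rows.append((ebp_off - 4, size, name))
    sp = -4 - local_bytes                        # ESP after `sub esp, N`
    for reg in saved_regs:                       # each `push reg` lands 4 bytes lower
        sp -= 4
        rows.append((sp, 4, f"saved {reg.upper()}"))
    return sorted(rows)


def overlaps(rows):
    """Return pairs of rows whose byte ranges collide; an empty list means the table is consistent."""
    bad = []
    for i, (a_off, a_size, a_name) in enumerate(rows):
        for b_off, b_size, b_name in rows[i + 1:]:
            if a_off < b_off + b_size and b_off < a_off + a_size:
                bad.append((a_name, b_name))
    return bad


def dllmain_layout():
    """The frame the post's disassembly produces: PROCESSENTRY32 at [ebp-130h], IDTR image at [ebp-8]."""
    locals_ = (expand_struct(-0x130, "PROCESSENTRY32", PROCESSENTRY32_FIELDS)
               + expand_struct(-0x8, "IDT", IDT_FIELDS))
    return frame_layout(0x130, ["edi"], ["hModule", "dwReason", "lpReserved"], locals_)


def render(rows):
    """Format the layout in the same pipe-table style the post uses."""
    def fmt(off):
        sign = "-" if off < 0 else "+" if off > 0 else ""
        return f"{sign}0x{abs(off):x}"
    return "\n".join(f"| {fmt(off)} | {name} |" for off, _, name in rows)


if __name__ == "__main__":
    layout = dllmain_layout()
    print(render(layout))
    print("overlaps:", overlaps(layout))
```

Running it prints the table above row for row. The overlap check is the part worth keeping: a mis-copied offset such as placing `szExeFile` at -0x10 instead of -0x110 makes the 0x104-byte buffer collide with the IDT fields, saved EBP, the return address and the parameters, which the script flags immediately.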