Thursday, January 1, 2015

Practical Reverse Engineering p. 35 #1

Question number 1 on page 35 of Practical Reverse Engineering is as follows:

Repeat the walk-through by yourself. Draw the stack layout, including parameters and local variables.

The function in question is DllMain, which uses the WINAPI (stdcall) calling convention: the caller pushes the three arguments right to left, and the callee removes them on return. All offsets in this post are relative to the return-address slot, i.e. ESP at function entry. At that point the stack looks like the following:

0x0 &return
+0x4 hModule
+0x8 dwReason
+0xc lpReserved

The function's prologue immediately modifies the stack:

push ebp                    ; save caller's frame pointer
mov ebp, esp                ; ebp now points at the saved EBP
sub esp, 130h               ; reserve 0x130 bytes of locals
push edi                    ; callee-saved register, below the locals
sidt fword ptr [ebp-8]      ; store the 6-byte IDTR (limit:16, base:32) into locals
mov eax, [ebp-6]            ; load the 32-bit IDT base (skips the 2-byte limit)

After the prologue, EBP sits 4 bytes below the return address, so an EBP-relative operand such as [ebp-8] is -0xc in the offsets used here. The stack for local variables becomes:

-0x138 saved EDI
-0x134 reserved (0x128 bytes)
-0xc IDT image (6 bytes written by SIDT)
-0x4 saved EBP
0x0 &return

The 0x128 reserved bytes are exactly sizeof(PROCESSENTRY32) on 32-bit Windows (nine 4-byte fields plus a 260-byte MAX_PATH buffer). The struct is defined on MSDN as follows:

typedef struct tagPROCESSENTRY32 {
  DWORD     dwSize;
  DWORD     cntUsage;
  DWORD     th32ProcessID;
  ULONG_PTR th32DefaultHeapID;
  DWORD     th32ModuleID;
  DWORD     cntThreads;
  DWORD     th32ParentProcessID;
  LONG      pcPriClassBase;
  DWORD     dwFlags;
  TCHAR     szExeFile[MAX_PATH];
} PROCESSENTRY32, *PPROCESSENTRY32;

So a more accurate and complete stack layout, showing the local variables and parameters with offsets relative to the return address, is:

-0x138 saved EDI
-0x134 PROCESSENTRY32.dwSize
-0x130 PROCESSENTRY32.cntUsage
-0x12c PROCESSENTRY32.th32ProcessID
-0x128 PROCESSENTRY32.th32DefaultHeapID (ULONG_PTR, 4 bytes on 32-bit)
-0x124 PROCESSENTRY32.th32ModuleID
-0x120 PROCESSENTRY32.cntThreads
-0x11c PROCESSENTRY32.th32ParentProcessID
-0x118 PROCESSENTRY32.pcPriClassBase
-0x114 PROCESSENTRY32.dwFlags
-0x110 PROCESSENTRY32.szExeFile[0x104] (runs up to -0xc)
-0xc IDT.limit (2 bytes)
-0xa IDT.base (4 bytes; this is what mov eax, [ebp-6] reads)
-0x6 unused (2 bytes of padding below the saved EBP)
-0x4 saved EBP
0x0 &return
+0x4 hModule
+0x8 dwReason
+0xc lpReserved
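The layout above was worked out by hand; the following is an added example, not code from the book or from the original post, that rebuilds it from the prologue constants (sub esp, 130h and sidt [ebp-8]) and a 32-bit model of PROCESSENTRY32, then checks that the struct exactly fills the gap between the lowest local and the 6-byte IDTR image. Fixed-width types stand in for the Windows typedefs so the layout is identical on a 64-bit host; it assumes MAX_PATH is 260 and an ANSI build (TCHAR == char). The ebp_to_ret helper converts EBP-relative operands to the return-address-relative offsets used in this post.

```c
/*
 * Added example: reconstruct the DllMain frame layout from the prologue
 * constants and a 32-bit PROCESSENTRY32 model, and verify it is consistent.
 * Assumptions: MAX_PATH == 260, ANSI build (TCHAR == char), 32-bit x86 frame.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PATH 260

typedef struct {
    uint32_t dwSize;
    uint32_t cntUsage;
    uint32_t th32ProcessID;
    uint32_t th32DefaultHeapID;    /* ULONG_PTR is 4 bytes on 32-bit Windows */
    uint32_t th32ModuleID;
    uint32_t cntThreads;
    uint32_t th32ParentProcessID;
    int32_t  pcPriClassBase;       /* LONG */
    uint32_t dwFlags;
    char     szExeFile[MAX_PATH];  /* TCHAR[MAX_PATH], ANSI build assumed */
} PROCESSENTRY32_32;

/* What SIDT stores: 16-bit limit, then 32-bit linear base; 6 bytes, no padding. */
#pragma pack(push, 1)
typedef struct {
    uint16_t limit;
    uint32_t base;
} IDTR32;
#pragma pack(pop)

/* Constants read straight off the disassembly. */
#define LOCALS_SIZE  0x130   /* sub esp, 130h */
#define IDT_EBP_OFF  (-8)    /* sidt fword ptr [ebp-8] */

/* The post's table is relative to the return-address slot (ESP at entry).
 * After push ebp / mov ebp, esp, EBP is 4 bytes below that slot. */
static long ebp_to_ret(long ebp_off) { return ebp_off - 4; }

/* Lowest local byte: the PROCESSENTRY32 starts at ebp - 0x130. */
static long pe32_ebp_off(void) { return -LOCALS_SIZE; }

/* EBP-relative offset of a PROCESSENTRY32 member, given its offset in the struct. */
static long pe32_field_ebp_off(size_t field_off) {
    return pe32_ebp_off() + (long)field_off;
}

/* push edi happens after sub esp, so EDI lands 4 bytes below the locals. */
static long saved_edi_ebp_off(void) { return -LOCALS_SIZE - 4; }

/* EBP-relative offset of the IDT base that mov eax, [ebp-6] reads. */
static long idt_base_ebp_off(void) {
    return IDT_EBP_OFF + (long)offsetof(IDTR32, base);
}

/* 1 if the struct ends exactly where the IDTR image begins (no overlap, no gap). */
static int pe32_fits_below_idt(void) {
    return pe32_ebp_off() + (long)sizeof(PROCESSENTRY32_32) == IDT_EBP_OFF;
}

/* Bytes between the end of the IDTR image and the saved EBP: compiler padding. */
static long unused_bytes_below_ebp(void) {
    return -(IDT_EBP_OFF + (long)sizeof(IDTR32));
}

/* Print one row in both conventions, with explicit signs on the hex offsets. */
static void row(long ebp_off, const char *what) {
    long r = ebp_to_ret(ebp_off);
    printf("%c0x%-5lx [ebp%c0x%lx]\t%s\n", r < 0 ? '-' : '+', labs(r),
           ebp_off < 0 ? '-' : '+', labs(ebp_off), what);
}

int main(void) {
    static const struct { const char *name; size_t off; } fields[] = {
        { "dwSize",              offsetof(PROCESSENTRY32_32, dwSize) },
        { "cntUsage",            offsetof(PROCESSENTRY32_32, cntUsage) },
        { "th32ProcessID",       offsetof(PROCESSENTRY32_32, th32ProcessID) },
        { "th32DefaultHeapID",   offsetof(PROCESSENTRY32_32, th32DefaultHeapID) },
        { "th32ModuleID",        offsetof(PROCESSENTRY32_32, th32ModuleID) },
        { "cntThreads",          offsetof(PROCESSENTRY32_32, cntThreads) },
        { "th32ParentProcessID", offsetof(PROCESSENTRY32_32, th32ParentProcessID) },
        { "pcPriClassBase",      offsetof(PROCESSENTRY32_32, pcPriClassBase) },
        { "dwFlags",             offsetof(PROCESSENTRY32_32, dwFlags) },
        { "szExeFile",           offsetof(PROCESSENTRY32_32, szExeFile) },
    };
    printf("ret-rel ebp-rel\t\tslot\n");
    row(saved_edi_ebp_off(), "saved EDI");
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        row(pe32_field_ebp_off(fields[i].off), fields[i].name);
    row(IDT_EBP_OFF, "IDT.limit");
    row(idt_base_ebp_off(), "IDT.base");
    row(0, "saved EBP");
    row(4, "&return");
    row(8, "hModule");
    row(12, "dwReason");
    row(16, "lpReserved");
    printf("sizeof(PROCESSENTRY32) = 0x%zx, fits below IDT: %d, padding: %ld\n",
           sizeof(PROCESSENTRY32_32), pe32_fits_below_idt(), unused_bytes_below_ebp());
    return pe32_fits_below_idt() ? 0 : 1;
}
```

The consistency check is the useful part: if the struct size and the SIDT slot did not add up to 0x130, either the identification of the reserved area as a PROCESSENTRY32 or the build assumptions (ANSI vs. Unicode, 32-bit ULONG_PTR) would be wrong.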
