
I've built an x64 DLL with VS2017.

Here is the source code:

#include "stdafx.h"
#include <exception>  

/* Export helper: gives the function C linkage and exports it from the DLL.
 * Despite the name no calling convention is spelled out here (on x64 there
 * is only one native convention anyway). Note that an identifier starting
 * with an underscore and a capital letter is reserved for the implementation. */
#define _API_STDCALL extern "C" _declspec(dllexport)

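/* One selected log record, handed back to the caller by domyWork_2.
 * Packed to 1 byte so the layout is exactly DWORD (4) + WORD (2) = 6 bytes
 * with no trailing padding; the 6-byte malloc() in the posted disassembly
 * depends on that layout. */
#pragma pack (push)
#pragma pack (1)

typedef struct logRecdItem
{
    DWORD LSN;      /* log sequence number, read from the descriptor at +0x32c */
    WORD dbId;      /* database id, read from the descriptor at +0x460; 1..63 */
} *PlogRecdItem;    /* pointer alias; the record type itself is logRecdItem */
#pragma pack (pop)

/* Fail the build if the packing is ever lost: the consumer of PlogRecdItem
 * (and the fixed-size allocation) rely on the record being 6 bytes. */
static_assert(sizeof(struct logRecdItem) == 6, "logRecdItem must be 6 bytes (pack(1))");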

/* Bitmask of database ids to report: bit (dbid - 1) set means domyWork_2
 * returns records for that dbid, so ids 1..63 are representable.
 * Plain non-atomic global; nothing on this page shows who writes it or from
 * which thread. NOTE(review): if it can be updated while domyWork_2 runs,
 * the read in domyWork_2 needs to be atomic or otherwise synchronised. */
INT64 CdbId = 0;

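/*
 * domyWork_2 - pick out the log record described by a transaction descriptor.
 *
 * Xdes     raw address of the descriptor. Two fields are read by fixed
 *          offset: the WORD at +0x460 (database id) and the DWORD at +0x32c
 *          (LSN). The address cannot be validated here, so the caller is
 *          trusted to pass a readable descriptor of the expected layout.
 * rawData  not used; kept so the exported signature is unchanged.
 *
 * Returns a malloc()'d logRecdItem when dbid is in 1..63 and bit (dbid - 1)
 * of the global mask CdbId is set, otherwise NULL. NULL is also returned when
 * malloc() fails, so a NULL result alone does not mean "not selected".
 * Ownership of the record passes to the caller, which releases it with the
 * CRT free() that matches this malloc() (not with delete).
 */
_API_STDCALL PVOID domyWork_2(UINT_PTR Xdes, UINT_PTR rawData) {
    (void)rawData;

    /* Descriptor field offsets, named rather than repeated inline. */
    const UINT_PTR kDbIdOffset = 0x460;
    const UINT_PTR kLsnOffset  = 0x32c;

    WORD dbid = *(WORD*)(Xdes + kDbIdOffset);

    /* Only ids 1..63 are representable in the mask; the range check also
     * keeps the shift count within 0..62. */
    if (dbid == 0 || dbid >= 64)
        return NULL;
    if ((((INT64)1 << (dbid - 1)) & CdbId) == 0)
        return NULL;

    /* lsn is live across malloc(); the compiler keeps it in a callee-saved
     * register (rbx in the posted listing) and parks the caller's rbx in this
     * function's own home-space slot, which is the [rsp+30] store seen there. */
    DWORD lsn = *(DWORD*)(Xdes + kLsnOffset);

    PlogRecdItem LR = (PlogRecdItem)malloc(sizeof(logRecdItem));
    if (LR == NULL)
        return NULL;            /* allocation failure: never write through NULL */

    LR->LSN = lsn;
    LR->dbId = dbid;
    return LR;
}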

When I disassembled the DLL I found something very interesting.

000007FEFAD01000 | 40 57               | push rdi                        ; save nonvolatile rdi: edi holds dbid for the whole function
000007FEFAD01002 | 48 83 EC 20         | sub rsp,20                      ; 0x20 = 32 bytes: the home space this function must reserve for its own call to malloc() (x64 ABI), not locals
000007FEFAD01006 | 0F B7 B9 60 04 00 00| movzx edi,word ptr ds:[rcx+460] ; rcx = Xdes; dbid = *(WORD*)(Xdes + 0x460). rdx (rawData) is never read
000007FEFAD0100D | 8D 47 FF            | lea eax,qword ptr ds:[rdi-1]    ; eax = dbid - 1
000007FEFAD01010 | 66 83 F8 3E         | cmp ax,3E                       ; one unsigned compare folds "dbid > 0 && dbid < 64"
000007FEFAD01014 | 77 3C               | ja dll1.7FEFAD01052             ; dbid-1 > 0x3E -> return NULL path (target lies past the end of this listing)
000007FEFAD01016 | 0F B7 C7            | movzx eax,di                    ;
000007FEFAD01019 | FF C8               | dec eax                         ; bit index = dbid - 1
000007FEFAD0101B | 0F B6 D0            | movzx edx,al                    ;
000007FEFAD0101E | 48 8B 05 1B 20 00 00| mov rax,qword ptr ds:[<CdbId>]  ; plain (unsynchronised) load of the global mask
000007FEFAD01025 | 48 0F A3 D0         | bt rax,rdx                      ; CF = bit (dbid-1) of CdbId, i.e. ((INT64)1 << (dbid-1)) & CdbId
000007FEFAD01029 | 73 27               | jae dll1.7FEFAD01052            ; bit clear -> return NULL
000007FEFAD0102B | 48 89 5C 24 30      | mov qword ptr ss:[rsp+30],rbx   ; spill caller's rbx. rsp+30 = return address + 8 = the rcx home slot the CALLER reserved for THIS function; not the caller's locals
000007FEFAD01030 | 8B 99 2C 03 00 00   | mov ebx,dword ptr ds:[rcx+32C]  ; lsn = *(DWORD*)(Xdes + 0x32c); rbx is nonvolatile, so lsn survives the call
000007FEFAD01036 | B9 06 00 00 00      | mov ecx,6                       ; sizeof(logRecdItem) = 6 (pack(1): DWORD + WORD)
000007FEFAD0103B | FF 15 47 10 00 00   | call qword ptr ds:[<&malloc>]   ; rax = malloc(6)
000007FEFAD01041 | 89 18               | mov dword ptr ds:[rax],ebx      ; LR->LSN = lsn -- rax is not checked for NULL
000007FEFAD01043 | 48 8B 5C 24 30      | mov rbx,qword ptr ss:[rsp+30]   ; restore caller's rbx from the same home slot
000007FEFAD01048 | 66 89 78 04         | mov word ptr ds:[rax+4],di      ; LR->dbId = dbid (di untouched since the load above)
000007FEFAD0104C | 48 83 C4 20         | add rsp,20                      ; epilogue: release home space
000007FEFAD01050 | 5F                  | pop rdi                         ; restore rdi
000007FEFAD01051 | C3                  | ret                             ; rax = LR

At "000007FEFAD01002" it allocates 20 bytes on the stack (the `sub rsp,20`).

But at "000007FEFAD0102B" it writes to [rsp+30].

Why!??

According to my understanding, [rsp+30] belongs to the parent function's stack frame.

Why is it accessed here?



The memory at [rsp+30] is reserved for saving the parameters that were passed in by register. In this case, the rbx register holds the value for rawData. This is saved, the register is used, and then the value is restored to rbx before the function returns.
