
I compile the following program with Visual C++ 10:

```cpp
#include <Windows.h>
#include <tchar.h>   // needed for _tmain and _TCHAR

int _tmain(int /*argc*/, _TCHAR* /*argv*/[])
{
    Sleep( 0 );
    return 0;
}
```

and look into disassembly. There're lots of C++ runtime functions in the program image. Some functions are located densely: the `ret` of one function is followed by the first instruction of the next function. For example,

`__declspec(noreturn) void __cdecl __report_gsfailure(ULONGLONG StackCookie)`

ends at address 004013B7 (there's a `ret` instruction) and address 004013B8 contains some other function for which the debugger can't find the source. Meanwhile

`BOOL __cdecl _ValidateImageBase(PBYTE pImageBase)`

ends at address 00401554 but the next function

`PIMAGE_SECTION_HEADER __cdecl _FindPESection( PBYTE pImageBase, DWORD_PTR rva )`

starts at address 00401560 and there're multiple `int 3` instructions between the latter two addresses.

Why the difference? Why are some functions put densely while others are separated with unreachable code?

BenMorel
sharptooth
  • Given your two examples: both functions begin at a multiple of `8`, and the one that ends at `7` just happens not to need any padding. If you can find another example that contradicts the hypothesis that functions are 8-aligned, please add it. – Steve Jessop Sep 30 '11 at 15:13
  • @Steve Jessop: Okay, but there are 11 bytes of padding, not 3. – sharptooth Sep 30 '11 at 15:14
  • Oops, no, I'm stupid. It's `54` in the second case, not `58`. – Steve Jessop Sep 30 '11 at 15:15

2 Answers


I reproduced this behavior. You can notice as well that these functions start with a `mov edi,edi` instruction.

The `int 3` instructions, along with the `mov edi,edi` instruction at the beginning of the function, allow hotpatching. When a function needs to be hotpatched, the `mov edi,edi` is replaced by a short jump instruction that jumps before the entry point of the function, and the `int 3` instructions are replaced by a long jump to the patched function.

Refer to: Anyone knows what "mov edi,edi" does?

Don't know why `__report_gsfailure` is only preceded by 2 `int 3` even if it starts with a `mov edi,edi` instruction...

Thierry Franzetti
  • I thought about it, but turns out there're functions that start with `mov edi, edi` and at the same time there's no padding in front of them. – sharptooth Sep 30 '11 at 15:39
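To make the layout described in this answer concrete, here is an added example (not code from the answer, from Microsoft, or from the Visual C++ runtime) that classifies a function entry from raw code bytes as hotpatch-ready (five `int 3` then `mov edi,edi`), already patched (`E9 rel32` then `EB F9`), or neither, and decodes where a patched entry's long jump lands. The 64-byte code image, the offsets and the state names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 hotpatch layout as described above: 5 padding bytes precede the entry,
 * which starts with mov edi,edi (8B FF).
 *   unpatched: CC CC CC CC CC | 8B FF   (int 3 x5, then a 2-byte NOP)
 *   patched:   E9 <rel32>     | EB F9   (jmp to new code, then jmp -7 onto it) */
enum hotpatch_state { HP_NOT_HOTPATCHABLE = 0, HP_READY = 1, HP_PATCHED = 2 };

enum hotpatch_state classify_entry(const uint8_t *image, size_t size, size_t entry)
{
    if (entry < 5 || entry + 2 > size)
        return HP_NOT_HOTPATCHABLE;
    const uint8_t *pad = image + entry - 5, *ep = image + entry;
    int pad_is_int3 = 1;
    for (int i = 0; i < 5; i++)
        if (pad[i] != 0xCC) pad_is_int3 = 0;
    if (pad_is_int3 && ep[0] == 0x8B && ep[1] == 0xFF)
        return HP_READY;
    /* EB F9 = short jmp -7 from the end of the 2-byte jmp: lands on entry-5, where E9 must now sit */
    if (ep[0] == 0xEB && ep[1] == 0xF9 && pad[0] == 0xE9)
        return HP_PATCHED;
    return HP_NOT_HOTPATCHABLE;   /* e.g. mov edi,edi with no padding before it */
}

/* For a patched entry: image offset the E9 rel32 lands on. rel32 is relative
 * to the end of the 5-byte jmp, which is exactly the entry offset. */
size_t hotpatch_target(const uint8_t *image, size_t entry)
{
    const uint8_t *r = image + entry - 4;   /* rel32 follows the E9 opcode at entry-5 */
    int32_t rel = (int32_t)((uint32_t)r[0] | (uint32_t)r[1] << 8 | (uint32_t)r[2] << 16 | (uint32_t)r[3] << 24);
    return (size_t)((int64_t)entry + rel);
}

/* Constructed 64-byte code image (not from a real binary): offset 16 is a
 * hotpatch-ready entry, offset 32 a patched entry whose long jmp targets
 * offset 8, offset 48 a mov edi,edi right after a ret with no padding. */
static const uint8_t sample_image[64] = {
    [11] = 0xCC, [12] = 0xCC, [13] = 0xCC, [14] = 0xCC, [15] = 0xCC, [16] = 0x8B, [17] = 0xFF,
    [27] = 0xE9, [28] = 0xE8, [29] = 0xFF, [30] = 0xFF, [31] = 0xFF, [32] = 0xEB, [33] = 0xF9,
    [47] = 0xC3, [48] = 0x8B, [49] = 0xFF,
};

int main(void)
{
    for (size_t e = 16; e <= 48; e += 16)   /* the three constructed entries */
        printf("entry %zu: state %d\n", e, (int)classify_entry(sample_image, sizeof sample_image, e));
    printf("patched entry 32 jumps to offset %zu\n", hotpatch_target(sample_image, 32));
    return 0;
}
```

The third entry reproduces the case sharptooth raised in the comments: a `mov edi,edi` with no padding in front of it is reported as not hotpatchable, because the patch needs those five bytes before the entry point.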

Raymond Chen tells all you need to know about this: Why do Windows functions all begin with a pointless MOV EDI, EDI instruction?

Ben Voigt
  • Turns out there're functions that start with mov edi, edi and at the same time there's no padding in front of them. – sharptooth Oct 03 '11 at 05:46
  • It's worth pointing out that if you have a question related to Windows, chances are that Raymond Chen has already posted the answer, so you should be sure to check out his excellent blog, [The Old New Thing](http://blogs.msdn.com/b/oldnewthing/), before asking. – Nik Bougalis Jan 30 '14 at 09:59