Finding the epilogue of an x64 function



#1 Idov - Members - Reputation: 196


Posted 17 April 2013 - 12:03 PM


Hi!
I want to unwind an x64 callstack, so I'm trying to follow the "UNWIND procedure" I found here:
http://msdn.microsoft.com/en-us/library/8ydc79k6.aspx

I understand that if the RIP is in the epilog, we need to compute the offset of the RSP considering the operations that still need to be done, but it's unclear to me how to find out whether the RIP is in the epilog or not (section 3.a).
What is the RIP code stream? How do I get it? And how do I match it to a trailing portion of a legitimate epilog?

Are there any links or examples I can use?
Thanks! :)




#2 ApochPiQ - Moderators - Reputation: 14281


Posted 17 April 2013 - 12:50 PM

The code you want to examine is from the RIP (into the calling function) until the corresponding exit from the calling function. Epilog code should be fairly easy to recognize assuming the code follows the standard x64 calling conventions; I'd suggest disassembling some programs and looking at the epilogs to get a sense of what the patterns look like in production code.

#3 Idov - Members - Reputation: 196


Posted 17 April 2013 - 01:30 PM

OK, so if I understand correctly I need to:
1. Read the memory of the target process from the RIP until RIP + size of prolog (because the size of the epilog has to be the same).
2. Check if the RIP points at a POP instruction, "mov esp,ebp" or a RET instruction, since these can only appear in the epilog.
3. If we find out that we're in the epilog, we check our offset to the end of it (and then we also know the offset from the beginning of the epilog), and then we know which instructions have been executed and which have not.

Am I right? :)



#4 ApochPiQ - Moderators - Reputation: 14281


Posted 17 April 2013 - 01:32 PM

That's the right concept, yep! The details may vary a bit between x86/32 and x86/64 so be sure to verify your epilog signature against conforming x86/64 code.
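The recogniser sketched in #3 and confirmed in #4, written out as an added example (not code from the thread or from the MSDN page): it matches the bytes at RIP against a trailing portion of a legitimate x64 epilog as the linked document defines it (optional `add rsp,imm` or `lea rsp,[frame+disp]`, zero or more 8-byte pops, then `ret`) and reports how much RSP will still move before the return address is popped. The sample byte strings are constructed; the tail-call `jmp` epilog form is deliberately not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Result of matching the code stream at RIP against a trailing portion of a legitimate x64
 * epilog (MSDN rules: optional `add rsp,imm` or `lea rsp,[frame+disp8]`, zero or more
 * 8-byte pops, then `ret`). */
typedef struct {
    int     in_epilog;  /* 1 if the bytes at RIP form a valid epilog tail */
    int     uses_lea;   /* 1 if the tail begins with lea rsp,[frame+disp8] (needs the frame register value) */
    int32_t lea_disp;   /* displacement of that lea */
    int64_t rsp_delta;  /* bytes still to be added to RSP before ret runs: add imm plus 8 per pop */
    size_t  bytes;      /* length of the matched tail */
} epilog_match;

epilog_match match_epilog_tail(const uint8_t *code, size_t len) {
    epilog_match m = {0};
    size_t i = 0;
    /* Stack deallocation, if present, must be the first instruction of the tail. */
    if (len >= 4 && code[0] == 0x48 && code[1] == 0x83 && code[2] == 0xC4) {         /* add rsp, imm8  */
        m.rsp_delta = (int8_t)code[3]; i = 4;
    } else if (len >= 7 && code[0] == 0x48 && code[1] == 0x81 && code[2] == 0xC4) {  /* add rsp, imm32 */
        int32_t imm; memcpy(&imm, code + 3, 4); m.rsp_delta = imm; i = 7;
    } else if (len >= 4 && (code[0] == 0x48 || code[0] == 0x49) && code[1] == 0x8D
               && (code[2] & 0xF8) == 0x60 && (code[2] & 7) != 4) {                   /* lea rsp, [reg+disp8] */
        m.uses_lea = 1; m.lea_disp = (int8_t)code[3]; i = 4;
    }
    /* Zero or more pops of nonvolatile registers; 0x41 is the REX.B prefix for r8-r15. */
    while (i < len) {
        if ((code[i] & 0xF8) == 0x58)                                          { m.rsp_delta += 8; i += 1; }
        else if (code[i] == 0x41 && i + 1 < len && (code[i+1] & 0xF8) == 0x58) { m.rsp_delta += 8; i += 2; }
        else break;
    }
    /* Anything but ret here (a mov, a call, a tail-call jmp) means RIP is not in a recognised epilog. */
    if (i < len && code[i] == 0xC3) { m.in_epilog = 1; m.bytes = i + 1; }
    return m;
}
/* Constructed samples, not taken from any real binary. */
static const uint8_t sample_epilog[] = { 0x48,0x83,0xC4,0x28, 0x5F, 0x5E, 0x5B, 0xC3 }; /* add rsp,28h; pop rdi; pop rsi; pop rbx; ret */
static const uint8_t sample_lea[]    = { 0x48,0x8D,0x65,0xF0, 0x5D, 0xC3 };             /* lea rsp,[rbp-10h]; pop rbp; ret */
static const uint8_t sample_body[]   = { 0x48,0x89,0x5C,0x24,0x08 };                   /* mov [rsp+8],rbx: not an epilog */

int main(void) {
    /* Walk RIP across each instruction boundary of sample_epilog and report the remaining adjustment. */
    for (size_t off = 0; off < sizeof sample_epilog; off += (off == 0 ? 4 : 1)) {
        epilog_match m = match_epilog_tail(sample_epilog + off, sizeof sample_epilog - off);
        printf("RIP=+%zu in_epilog=%d rsp_delta=%lld\n", off, m.in_epilog, (long long)m.rsp_delta);
    }
    return 0;
}
```

Because the match must start on an instruction boundary, a RIP pointing into the middle of the `add` (offset 1) is correctly rejected even though the bytes that follow are a valid epilog.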

#5 Idov - Members - Reputation: 196


Posted 18 April 2013 - 12:57 PM

OK, thanks! :)
