Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Windows 32-Bit on Windows 64-Bit
Дальше: Conclusion

shows the 32-bit and 64-bit versions of the same function call.

Table 21-1. 32-bit and 64-bit Function Calls with Two Parameters

32-bit assembly listing

64-bit assembly listing

004114F2  mov     eax, [ebp+var_8] 004114F5  push    eax 004114F6  mov     ecx, [ebp+var_14] 004114F9  push    ecx 004114FA  call    sub_411186
0000000140001148 mov     rdx, [rsp+38h+var_18] 000000014000114D  mov     ecx, [rsp+38h+var_10] 0000000140001151  call    sub_14000100A

In the 32-bit assembly shown on the left, there are two parameters to the function sub_411186. We have no information about the types or purposes of the parameters, other than that they are both 32 bits.

In the 64-bit assembly shown on the right, we also see two parameters, but now we have additional information. The first mov instruction at moves the value into RDX, which tells us that this is a 64-bit value—probably a pointer. The second parameter is being moved into ECX, which tells us that it is a 32-bit value, because ECX is the 32-bit version of the RCX register. This can’t be a pointer, because pointers are 64 bits. We still don’t know whether this parameter is an integer, handle, or something else, but when you’re starting to understand a function, these little clues can be crucial to determining what a function does.

Назад: Windows 32-Bit on Windows 64-Bit
Дальше: Conclusion

sss
sss

© RuTLib.com 2015-2018