Explanation of the MOV EDI,EDI instruction (compiled)

Explanation of the MOV EDI,EDI instruction found at the beginning of code in Windows XP system programs:

The listing.inc file in the VC7\INCLUDE directory of VS .NET 2003 defines macros for non-destructive NOP operations of 1 to 7 bytes.

MOV EDI,EDI is the two-byte NOP; in a program it has the same meaning as a NOP instruction.

Why use MOV EDI,EDI rather than two NOPs?
My understanding is:
two NOP instructions cost more CPU clock cycles than a single MOV EDI,EDI instruction, so MOV EDI,EDI was chosen for efficiency.


Contents of the listing.inc file

;; LISTING.INC
;;
;; This file contains assembler macros and is included by the files created
;; with the -FA compiler switch to be assembled by MASM (Microsoft Macro
;; Assembler).
;;
;; Copyright (c) 1993, Microsoft Corporation. All rights reserved.

;; non destructive nops
npad macro size
if size eq 1
  nop
else
 if size eq 2
   mov edi, edi
 else
  if size eq 3
    ; lea ecx, [ecx+00]
    DB 8DH, 49H, 00H
  else
   if size eq 4
     ; lea esp, [esp+00]
     DB 8DH, 64H, 24H, 00H
   else
    if size eq 5
      add eax, DWORD PTR 0
    else
     if size eq 6
       ; lea ebx, [ebx+00000000]
       DB 8DH, 9BH, 00H, 00H, 00H, 00H
     else
      if size eq 7
        ; lea esp, [esp+00000000]
        DB 8DH, 0A4H, 24H, 00H, 00H, 00H, 00H
      else
        %out error: unsupported npad size
        .err
      endif
     endif
    endif
   endif
  endif
 endif
endif
endm

;; destructive nops
dpad macro size, reg
if size eq 1
  inc reg
else
  %out error: unsupported dpad size
  .err
endif
endm

Ishai's explanation~

The PUSH EBP and MOV EBP, ESP instructions are standard frame establishment, but what is the purpose of the MOV EDI,EDI instruction? Seems like a 2-byte NOP instruction.

MOV EDI,EDI is indeed a 2-byte no-op that is there to enable hot-patching. It enables the application of a hot-fix to a function without a need for a reboot, or even a restart of a running application. Instead, at runtime, the 2-byte NOP is replaced by a short jump to a long jump instruction that jumps to the hot-fix function. A 2-byte instruction is required so that when patching, the instruction pointer will not point into the middle of an instruction.

Detours change a binary file offline. Hot patching is done on a running executable and they want to guarantee that the instruction pointer does not point in the middle of the patched area.

Using the Detours method on a live process would require suspending threads and making sure no thread instruction pointer is pointing at the second, third, fourth, or fifth byte of a function that is being Detoured, and handling the case that it does.

A Detour will also put limitations on the code generation (i.e. never jump to instructions in bytes 2-5).

Seems to be possible but more complicated than placing a gap between functions and ensuring a 2-byte first instruction.
I personally agree with Ishai's explanation~ it makes hot-patching convenient~~
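The byte layout Ishai describes (a 5-byte gap before the function, the 2-byte MOV EDI,EDI prologue replaced by a short jump back into a long jump) can be worked through on a constructed byte image. The following is an added example, not code from the article or from Microsoft; it assumes the gap is filled with int3 (0xCC) or nop (0x90) padding and includes a defender-side check that reports whether a hot-patchable prologue is still intact or where it now redirects.

```python
import struct

MOV_EDI_EDI = b"\x8b\xff"      # npad 2 from listing.inc: the 2-byte NOP prologue
JMP_SHORT_BACK7 = b"\xeb\xf9"  # jmp short -7: from func+2 back to func-5
JMP_REL32 = 0xE9               # 5-byte near jmp placed in the gap before the function
PADDING = (0xCC, 0x90)         # int3 / nop fill assumed in the 5-byte gap

def apply_hotpatch(image, func_off, target_off):
    """Rewrite the prologue of the function at func_off in a constructed byte
    image (not live memory) so it diverts to target_off. Refuses unless the
    layout described in the article is present."""
    if image[func_off:func_off + 2] != MOV_EDI_EDI:
        raise ValueError("function does not start with mov edi,edi")
    if func_off < 5 or any(b not in PADDING for b in image[func_off - 5:func_off]):
        raise ValueError("no free 5-byte gap in front of the function")
    # Step 1: the long jump goes into the gap. Nothing executes there yet, so no
    # running thread can observe a half-written instruction.
    rel32 = target_off - func_off          # relative to the end of the 5-byte jmp
    image[func_off - 5:func_off] = bytes([JMP_REL32]) + struct.pack("<i", rel32)
    # Step 2: one 2-byte write replaces mov edi,edi. Because the original
    # instruction was exactly 2 bytes, no instruction pointer can sit inside it.
    image[func_off:func_off + 2] = JMP_SHORT_BACK7

def inspect_prologue(image, func_off):
    """Defender-side check: is the hot-patchable function still intact, and if
    not, where does its patched prologue redirect?"""
    head = image[func_off:func_off + 2]
    if head == MOV_EDI_EDI:
        return ("intact", None)
    if head == JMP_SHORT_BACK7 and func_off >= 5 and image[func_off - 5] == JMP_REL32:
        rel32 = struct.unpack("<i", image[func_off - 4:func_off])[0]
        return ("patched", func_off + rel32)
    return ("unknown", None)

# Constructed sample image: two hot-patchable functions, each preceded by a
# 5-byte int3 gap. Prologue bytes: 8B FF = mov edi,edi; 55 = push ebp;
# 8B EC = mov ebp,esp; C3 = ret.
FUNC_BODY = bytes.fromhex("8bff558becc3")
GAP = b"\xcc" * 5
IMAGE = bytearray(GAP + FUNC_BODY + GAP + FUNC_BODY)
FUNC_A, FUNC_B = 5, 16   # offsets of the two functions inside IMAGE

def demo():
    image = bytearray(IMAGE)
    before = inspect_prologue(image, FUNC_A)
    apply_hotpatch(image, FUNC_A, FUNC_B)   # divert function A to function B
    after = inspect_prologue(image, FUNC_A)
    return before, after, bytes(image[:7])  # gap + first 2 bytes of A after patching

if __name__ == "__main__":
    print(demo())
```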