解读《x64 deep dive》 1

最近再看x64调试方面的东西，看了一篇文章，相信大多数玩过x64调试的人都看过《x64 deep dive》。

http://www.codemachine.com/article_x64deepdive.html

阅读的时候，有一些不解及对不解的调试，特记录下来

Exception Handling

This section discusses the underlying mechanism and data structures that X64 functions use for exception handling and also how the debugger leverages these structures to walk the call stack. It also points to some of the unique aspects of X64 call stacks.

RUNTIME_FUNCTION

X64 executable files use a file format that is a variant of the PE file format, used for X86, called PE32+. Such files have an extra section called ".pdata" or Exception Directory that contains information used for handling exceptions. This "Exception Directory" contains a RUNTIME_FUNCTION structure for every non-leaf function in the executable. Non-leaf functions are those that call other functions. Each RUNTIME_FUNCTION structure contains the offset of the first and the last instruction in the function (i.e. the function extents) and a pointer to the unwind information structure that describes how the function's call stack is to be unwound in the event of an exception. Figure 4 shows RUNTIME_FUNCTION structure for a module containing offsets to the beginning and the end of the functions in that module.

意思是说在PE32+中的包含叫做pdata或者exception directory的段，为每一个非叶子节点函数包含了一个叫做RUNTIME_FUNCTION的结构体，结构体包含了函数第一个及最后一个指令相对模块基址的偏移量一个以及一个指向展开信息结构体用于描述异常发生时函数调用栈如何展开。

调试器还用来使用这些信息遍历调用栈信息。

 

里面说每一个非叶子节点函数会有相对应的信息，并且我也看了调试器如何利用这些信息遍历调用栈。但这时我有一个疑问，若当前最内层函数为叶子节点函数，那么如何从当前的Child-SP遍历调用栈呢？因为按照上面叶子节点函数没有相关信息啊！于是我写了个测试程序

int add(int i,int j)
{
	return i + j;
}


int wrapper(int a, int b)
{
	return add(a,b);
}


int _tmain(int argc, _TCHAR* argv[])
{
	int sum = wrapper(4,0);
	return 0;
}

在调试器中调用命名.fnent x64Demo!add发现add函数的确没有相关信息。于是我反汇编add函数，发现add函数里Child-SP指针没有变化，即没有分配栈空间，回头看看add函数的，也的确应该如此

00000001`3f7a1000 89542410        mov     dword ptr [rsp+10h],edx
00000001`3f7a1004 894c2408        mov     dword ptr [rsp+8],ecx
00000001`3f7a1008 8b442410        mov     eax,dword ptr [rsp+10h]
00000001`3f7a100c 8b4c2408        mov     ecx,dword ptr [rsp+8]
00000001`3f7a1010 03c8            add     ecx,eax
00000001`3f7a1012 8bc1            mov     eax,ecx
00000001`3f7a1014 c3              ret
00000001`3f7a1015 cc              int     3

OK，叶子节点函数没有分配栈空间，调试器这种情况能算对Child-SP的值，于是我又想，假如叶子节点函数分配栈空间呢？于是我改造了add函数

int add(int i,int j)
{
	int arr[5];
	return i + j;
}

再次调试后发现再调用命令.fnent x64Demo!add，已得出信息，说明若叶子节点存在保存非易失寄存器、压栈寄存器或分配栈空间操作，叶子节点也是有RUNTIME_FUNCTION信息的。