Disassembly of RtlInitializeGenericTable
Listing 5.1 Disassembly of RtlInitializeGenericTable.
Before attempting to determine what this function does and how it works, let's start with the basics: what is the function's calling convention and how many parameters does it take? The calling convention is the layout that is used for passing parameters into the function and for defining who is responsible for clearing the stack once the function completes. There are several standard calling conventions, but Windows tends to use stdcall by default. stdcall functions are responsible for clearing their own stack, and they take parameters from the stack in their original left-to-right order (meaning that the caller must push parameters onto the stack in the reverse order). Calling conventions are discussed in depth in Appendix C. In order to answer the questions about the function's calling convention, one basic step you can take is to find the RET instruction that terminates this function. In this particular function, you will quickly notice the RET 14 instruction at the end. This is a RET instruction with a numeric operand, and it provides two important pieces of information. The operand passed to RET tells the processor how many bytes of stack to unwind (in addition to the return address). The very fact that the function is unwinding its own stack tells you that this is not a cdecl function, because cdecl functions always let the caller unwind the stack. So, which calling convention is this?
Let's continue this process of elimination in order to determine the function's calling convention and observe that the function isn't taking any registers from the caller, because every register that is accessed is initialized within the function itself. This shows that this isn't a _fastcall calling convention, because _fastcall functions receive parameters through ECX and EDX, and yet these registers are initialized at the very beginning of this function. The other common calling conventions are stdcall and the C++ member function calling convention. You know that this is not a C++ member function because you have its name from the export directory, and you know that it is undecorated. C++ functions are always decorated with the name of their class and the exact type of each parameter they receive. It is easy to detect decorated C++ names because they usually include numerous nonalphanumeric characters and more than one name (class name and method name at the minimum). By process of elimination you've established that the function is an stdcall, and you now know that the number 14 after the RET instruction tells you how many parameters it receives. In this case, OllyDbg outputs hexadecimal numbers, so 14 in hexadecimal equals 20 in decimal. Because you're working in a 32-bit environment, parameters are aligned to 32 bits, which are equivalent to 4 bytes, so you can assume that the function receives five parameters. It is possible that one of these parameters would be larger than 4 bytes, in which case the function receives fewer than five parameters, but it can't possibly be more than five because parameters are 32-bit aligned. In looking at the function's prologue, you can see that it uses a standard EBP stack frame. The current value of EBP is saved on the stack, and EBP takes the value of ESP.
This allows for convenient access to the parameters that were passed on the stack regardless of the current value of ESP while running the function (ESP constantly changes whenever the function pushes parameters onto the stack while calling other functions). In this very popular layout, the first parameter is placed at [EBP + 8], the second at [EBP + C], and so on. If you're not sure why that is so, please refer to Appendix C for a detailed explanation of stack frames. Typically, a function would also allocate room for local variables by subtracting from ESP the number of bytes needed for local variable storage, but this doesn't happen in this function, indicating that the function doesn't store any local variables on the stack. Let us go over the function from Listing 5.1 instruction by instruction and see what it does. As I mentioned earlier, you might want to do this using live analysis by stepping through this code in the debugger and actually seeing what happens during its execution using GenericTable.EXE. If you're feeling pretty comfortable with assembly language by now, you could probably just read through the code in Listing 5.1 without using GenericTable.EXE. Let's dig further into the function and determine how it works and what it does.
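The process of elimination above (RET operand, then ECX/EDX use, then name decoration) and the [EBP + 8], [EBP + C], ... parameter layout can be turned into a small checker. This is an added example, not code from the book; the listing it runs on is constructed to have the shape the text describes and is not Listing 5.1, and the heuristics are the text's rules of thumb, not a complete convention analysis.

```python
import re

# Constructed listing (OllyDbg syntax), not Listing 5.1: EBP frame, no locals reserved, RET 14.
SAMPLE = """
PUSH EBP
MOV EBP,ESP
MOV ECX,DWORD PTR SS:[EBP+8]
MOV EDX,DWORD PTR SS:[EBP+C]
MOV DWORD PTR DS:[ECX],EDX
MOV EAX,DWORD PTR SS:[EBP+18]
POP EBP
RET 14
"""

def parse(listing):
    # -> [(MNEMONIC, [operands])]; operand 0 is the destination in Intel syntax
    return [(l.split()[0].upper(), [o.strip() for o in l.partition(" ")[2].split(",") if o.strip()])
            for l in map(str.strip, listing.strip().splitlines())]

def reads_before_writes(ops, reg):
    # True if reg is consumed (as a value or an address) before any instruction defines it
    for _, operands in ops:
        dst, *srcs = operands or [""]          # RET has no operands
        if any(reg in s for s in srcs) or (reg in dst and "[" in dst):
            return True
        if dst == reg:
            return False
    return False

def classify(name, listing):
    # The text's process of elimination: RET operand, then ECX/EDX use, then decorated name
    ops = parse(listing)
    ret = next((o for m, o in ops if m == "RET"), [])
    if not ret:
        return "cdecl", None                  # caller unwinds; RET carries no count
    unwind = int(ret[0], 16)                  # OllyDbg prints hex: 14 -> 20 bytes
    if reads_before_writes(ops, "ECX") or reads_before_writes(ops, "EDX"):
        return "fastcall", unwind // 4 + 2    # two register args plus the stack args
    if re.search(r"[^A-Za-z0-9_]", name):
        return "C++ member", unwind // 4      # decorated export name
    return "stdcall", unwind // 4             # upper bound: 32-bit-aligned slots

def stack_params(listing):
    # Map each [EBP+disp] reference to its 1-based parameter slot; [EBP+8] is the first
    slots = {}
    for _, operands in parse(listing):
        for m in re.finditer(r"\[EBP\+([0-9A-F]+)\]", ",".join(operands), re.I):
            if (disp := int(m.group(1), 16)) >= 8:   # +0 is saved EBP, +4 the return address
                slots[f"[EBP+{disp:X}]"] = (disp - 8) // 4 + 1
    return slots
```

The parameter count is an upper bound, as the text notes: a parameter wider than 4 bytes occupies more than one slot.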