在玩了更多并阅读了文档之后,需要为您调用的任何函数保留 32 个字节。如果你的函数和示例一样简单,并且不调用其他函数,则不必保留此空间。但是,您调用的任何函数都可能使用这 32 个字节,因此如果您不保留它们,该函数可能
此外,如果它遵循 ABI,您的函数可能依赖于调用您的函数的堆栈中有 32 个字节可用。通常这 32 字节区域用于保存将在您的函数中更改的寄存器,以便您可以在返回之前恢复它们的值。我认为是出于性能目的,选择 32 字节就足够了,因此大多数叶函数(不调用其他函数的函数)不需要保留任何堆栈空间,并且在堆栈上有临时空间来保存寄存器并在返回之前恢复它们。举个例子:
调用函数:
CallingFunction:
push rbp
mov rbp, rsp
sub rsp, 40 // $20 bytes we want to use at [rbp+30],
// plus $20 bytes for calling other functions
// according to windows ABI spec
mov rcx, [rsi+10] // parameter 1 (xmm0 if non-int)
mov rdx, 10 // parameter 2 (xmm1 if non-int)
movss xmm2, [rsi+28] // parameter 3 (r8 if int)
mov r9, [rsi+64] // parameter 4 (xmm3 if non-int)
call MyFunction
// ... do other stuff
add rsp, 40 // free space we reserved
pop rbp
xor rax,rax
ret
被调用函数
CalledFunction:
push rbp // standard
mov rbp, rsp // standard
// should do 'sub rsp, 20' here if calling any functions
// to give them a free scratch area
// [rbp] is saved rbp
// [rbp+8] is return address
// [rbp+10] to [rbp+2f] are the 0x20 bytes we can
// safely modify in this function, this could
// be pushed higher if the function had more than 4
// parameters and some had to be passed on the stack
// or if returning a structure or something that needs
// more space. In these cases the CALLER would have
// allocated more space for us
// the main reason for the 0x20 is so that we can save
// registers we want to modify without having to allocate
// stack space ourselves
mov [rbp+10], rsi // save rsi in space allocated by caller
mov [rbp+18], rdi // save rdi in space allocated by caller
mov rsi, [rcx+20]
mov rdi, [rsi+48]
add rdi, [rsi+28]
mov rax, rdi
mov rdi, [rbp+18] // restore changed register
mov rsi, [rbp+10] // restore changed register
pop rbp
ret
原始答案
我只是遇到了这个不知道的情况,似乎是这样。例如,GetAsyncKeyState 中的前两条指令会覆盖 0x20 字节区域中返回地址上方的堆栈,您应该为被调用者保留用于参数的区域:
user32.GetAsyncKeyState - mov [rsp+08],rbx
user32.GetAsyncKeyState+5- mov [rsp+10],rsi
user32.GetAsyncKeyState+A- push rdi
user32.GetAsyncKeyState+B- sub rsp,20