
What's onto the stack at Win32 program entry?

Started by japheth, July 24, 2007, 07:01:36 PM


japheth


Hello,

When a Win32 process starts, the stack top is stored at FS:[4], but ESP is well below that value. What is stored in this area, or more exactly: what is the meaning of the 2 dwords at the very top?

example:

fs:[4] = 630000h
esp = 62FECCh on entry
what are the values at 62FFF8h and 62FFFCh used for?

Regards

Japheth





P.S.: since I know that the Holy Inquisition is very much alive in this board, I will answer 2 questions in advance:

1. I'm not doing something malicious
2. I will not provide further evidence that I'm one of the "good guys".





Tedd

Such things are highly dependent on the exact version (and sometimes build) of windows, so you can't usually assume anything about what it represents.
The first thing on the stack is usually the return address to the process scheduler - which 'called' your process -- just in case you happen to ret instead of calling ExitProcess. Though it's undocumented and therefore could be changed.
No snowflake in an avalanche feels responsible.

hutch--

Wow,

I think we have made the big time at last.

Quote
P.S.: since I know that the Holy Inquisition is very much alive in this board, I will answer 2 questions in advance:

1. I'm not doing something malicious
2. I will not provide further evidence that I'm one of the "good guys".

Does this mean we should be oiling up the rack and heating up the irons?

There is a solution: if you are willing to put up your name and complete address and accept full responsibility for anything that any kid wants to post, we may be able to come to some sort of deal so that, instead of someone landing on my doorstep in the middle of the night, you can have Angela Merkel's New World Order secret police landing on your doorstep instead.

In the meantime the local Inquisition will ensure that postings remain legal.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

japheth

> Such things are highly dependent on the exact version (and sometimes build) of windows,
> so you can't usually assume anything about what it represents.

Sure, "usually", but the top 2 dwords are NOT dependent and there is - serious - software which modifies these values.

MichaelW

http://www.google.com/search?hl=en&q=62FFF8

Judging from the (very bad) translation to English, the InsidePro page has something to do with the detection of "malware", and the author is Chris Kasperski. Unfortunately, the comments for the addresses around 62FFF8, and the text in the vicinity, did not translate.
eschew obfuscation

sinsi

FWIW, the usual stacks in exes that I've seen are around 0012xxxx and an address like 0063xxxx sounds like a code/data section - buffer overrun.
Light travels faster than sound, that's why some people seem bright until you hear them.

japheth


Michael, the 62FFF8h/62FFFCh values were just examples (630000h-x*4), nothing suited for Google search.

The addresses also don't indicate a buffer overrun, it just happens that the stack is allocated differently on the various windows versions.




lingo

This is for my Vista Ultimate:
mov eax, fs:[4]
eax = 130000h

12FFF4  00401000h   ; lpStartAddress -> see MSDN -> CreateThread
12FFF8  7FFDA000h   ; lpParameter [in] -> A pointer to a variable to be passed to the thread
                    ;   see MSDN -> CreateThread
12FFFC  00000000    ; bottom of the stack - but I'm not sure
                                

Regards,
Lingo

MichaelW

Under Windows 2000 SP4.

FS:[4]          00130000
FS:[8]          0012E000
ADDR TIB        7FFDE000
[TIB+4]         00130000
[TIB+8]         0012E000
ESP             0012FFC0
[TOS]           000000C8
[TOS-4]         00000000
[TOS-8]         00401000
[TOS-12]        00000000
[TOS-16]        00000000
[TOS-20]        00000000
[TOS-24]        7C572B18
[TOS-28]        7C5C2160
[TOS-32]        FFFFFFFF
[TOS-36]        00000000
[TOS-40]        0012FFC8
[TOS-44]        00000000
[TOS-48]        7FFDF000
[TOS-52]        00000000
[TOS-56]        00000000
[TOS-60]        7C5989D5
[TOS-64]        00403370

Under Windows 98 FE I had to skip the value stored at TOS to avoid a page fault.

FS:[4]          00640000
FS:[8]          0063D000
ADDR TIB        81953124
[TIB+4]         00640000
[TIB+8]         0063D000
ESP             0063FE38
[TOS-4]         00000000
[TOS-8]         BFF89DAC
[TOS-12]        8353AFEC
[TOS-16]        3D974136
[TOS-20]        00000000
[TOS-24]        8195C638
[TOS-28]        FFFFFFFF
[TOS-32]        00000000
[TOS-36]        00640000
[TOS-40]        0063E000
[TOS-44]        0000F263
[TOS-48]        0002FFFF
[TOS-52]        00000000
[TOS-56]        000011A2
[TOS-60]        00000000
[TOS-64]        00000000



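For anyone who wants to reproduce the listings that lingo and MichaelW posted (and check Tedd's point that what sits at the very top is version dependent), here is an added example in MASM32 style. It is not code from this thread or from the MASM32 SDK itself; the include/lib paths, the use of msvcrt's crt_printf, the MAX_DWORDS limit and the label names are my own assumptions. It reads StackBase (FS:[4]), StackLimit (FS:[8]) and the TIB self pointer (FS:[18h]), then prints the dwords from StackBase-4 down to the ESP captured on entry, using MichaelW's [TOS-n] naming. It deliberately never reads [StackBase] itself, since that address is outside the stack and page-faulted on Win98 above.

```masm
; Added example (not from the thread): dump the TIB stack fields and the
; dwords at the top of the stack at program entry, MASM32 SDK style.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\msvcrt.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\msvcrt.lib

MAX_DWORDS equ 16                   ; assumption: how many dwords below TOS to show

.data
    fmt_tib db "FS:[4]   StackBase  %08Xh", 13, 10
            db "FS:[8]   StackLimit %08Xh", 13, 10
            db "FS:[18h] TIB        %08Xh", 13, 10
            db "ESP on entry        %08Xh", 13, 10, 0
    fmt_row db "[TOS-%-2u] %08Xh", 13, 10, 0

.data?
    entry_esp  dd ?
    stack_base dd ?
    stack_lim  dd ?
    tib_addr   dd ?

.code
start:
    mov entry_esp, esp              ; capture ESP before this code pushes anything

    assume fs:nothing
    mov eax, fs:[4]                 ; NT_TIB.StackBase: first byte above the stack
    mov stack_base, eax
    mov eax, fs:[8]                 ; NT_TIB.StackLimit: lowest committed stack page
    mov stack_lim, eax
    mov eax, fs:[18h]               ; NT_TIB.Self: linear address of the TIB
    mov tib_addr, eax
    invoke crt_printf, ADDR fmt_tib, stack_base, stack_lim, tib_addr, entry_esp

    ; Walk down from StackBase-4. [StackBase] itself is outside the stack and
    ; may be unmapped (it page-faulted on Win98 in the thread), so it is never
    ; read. Stop at the entry ESP, below which the data is our own frame.
    mov esi, stack_base
    sub esi, 4                      ; esi = address of the dword being shown
    mov edi, 4                      ; edi = offset below TOS, used for the label
  dump_loop:
    cmp esi, entry_esp
    jb  done                        ; reached the live part of the stack
    cmp edi, MAX_DWORDS * 4
    ja  done
    invoke crt_printf, ADDR fmt_row, edi, dword ptr [esi]
    sub esi, 4
    add edi, 4
    jmp dump_loop
  done:
    invoke ExitProcess, 0
end start
```

Build it with the usual ml /c /coff and link /SUBSYSTEM:CONSOLE, run it on each Windows version you have, and compare the rows against the two listings above; the only thing the program assumes is that the region between StackBase-4 and the entry ESP is readable stack, which holds on both NT and 9x.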

japheth


It seems the contents on the stack on program entry differ significantly between NT and 9x platforms.

I still wonder why a dll - in win9x - want to modify the TOS-8 value. Will have to make some tests.