Hello,
When a win32 process starts, the stack top is stored at FS:[4], but ESP is well below that value. What is stored in this area, or more exactly: what is the meaning of the 2 dwords at the very top?
example:
fs:[4] = 630000h
esp = 62FECCh on entry
what are the values at 62FFF8h and 62FFFCh used for?
Regards
Japheth
P.S.: since I know that the Holy Inquisition is very much alive on this board, I will answer 2 questions in advance:
1. I'm not doing something malicious
2. I will not provide further evidence that I'm one of the "good guys".
Such things are highly dependent on the exact version (and sometimes build) of windows, so you can't usually assume anything about what it represents.
The first thing on the stack is usually the return address to the process scheduler - which 'called' your process -- just in case you happen to ret instead of calling ExitProcess. Though it's undocumented and therefore could be changed.
Wow,
I think we have made the big time at last.
Quote
P.S.: since I know that the Holy Inquisition is very much alive on this board, I will answer 2 questions in advance:
1. I'm not doing something malicious
2. I will not provide further evidence that I'm one of the "good guys".
Does this mean we should be oiling up the rack and heating up the irons?
There is a solution: if you are willing to put up your name and complete address and accept full responsibility for anything that any kid wants to post, we may be able to come to some sort of deal so that, instead of someone landing on my doorstep in the middle of the night, you can have Angela Merkel's New World Order secret police landing on your doorstep instead.
In the meantime the local Inquisition will ensure that postings remain legal. :bg
> Such things are highly dependent on the exact version (and sometimes build) of windows,
> so you can't usually assume anything about what it represents.
Sure, "usually", but the top 2 dwords are NOT dependent and there is - serious - software which modifies these values.
http://www.google.com/search?hl=en&q=62FFF8
Judging from the (very bad) translation to English, the InsidePro page has something to do with the detection of "malware", and the author is Chris Kasperski. Unfortunately, the comments for the addresses around 62FFF8, and the text in the vicinity, did not translate.
FWIW, the usual stacks in exes that I've seen are around 0012xxxx and an address like 0063xxxx sounds like a code/data section - buffer overrun.
Michael, the 62FFF8h/62FFFCh values were just examples (630000h-x*4), nothing suited for Google search.
The addresses also don't indicate a buffer overrun, it just happens that the stack is allocated differently on the various windows versions.
It is for my Vista Ultimate:
mov eax, fs:[4]
eax= 130000h
12FFF4 00401000h ; lpStartAddress -> see MSDN -> CreateThread
12FFF8 7FFDA000h ; lpParameter [in] -> A pointer to a variable to be passed to the thread
; see MSDN -> CreateThread
12FFFC 00000000 ; bottom of the stack – but I'm not sure
Regards,
Lingo
Under Windows 2000 SP4.
FS:[4] 00130000
FS:[8] 0012E000
ADDR TIB 7FFDE000
[TIB+4] 00130000
[TIB+8] 0012E000
ESP 0012FFC0
[TOS] 000000C8
[TOS-4] 00000000
[TOS-8] 00401000
[TOS-12] 00000000
[TOS-16] 00000000
[TOS-20] 00000000
[TOS-24] 7C572B18
[TOS-28] 7C5C2160
[TOS-32] FFFFFFFF
[TOS-36] 00000000
[TOS-40] 0012FFC8
[TOS-44] 00000000
[TOS-48] 7FFDF000
[TOS-52] 00000000
[TOS-56] 00000000
[TOS-60] 7C5989D5
[TOS-64] 00403370
Under Windows 98 FE I had to skip the value stored at TOS to avoid a page fault.
FS:[4] 00640000
FS:[8] 0063D000
ADDR TIB 81953124
[TIB+4] 00640000
[TIB+8] 0063D000
ESP 0063FE38
[TOS-4] 00000000
[TOS-8] BFF89DAC
[TOS-12] 8353AFEC
[TOS-16] 3D974136
[TOS-20] 00000000
[TOS-24] 8195C638
[TOS-28] FFFFFFFF
[TOS-32] 00000000
[TOS-36] 00640000
[TOS-40] 0063E000
[TOS-44] 0000F263
[TOS-48] 0002FFFF
[TOS-52] 00000000
[TOS-56] 000011A2
[TOS-60] 00000000
[TOS-64] 00000000
It seems the contents of the stack at program entry differ significantly between the NT and 9x platforms.
I still wonder why a DLL - in Win9x - wants to modify the TOS-8 value. I will have to run some tests.
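As an added example (not code from any post in this thread), here is a small MASM32 console program that reproduces the dumps above on your own machine: it captures ESP with the very first instruction at the entry point, reads StackBase (FS:[4]), StackLimit (FS:[8]) and the TIB self pointer (FS:[18h]) through the FS segment, and then walks from FS:[4]-4 down to the entry-time ESP, printing each dword in the same [TOS-n] notation used in the dumps. It deliberately starts at [TOS-4] rather than [TOS]: the dword at FS:[4] itself lies just past the top of the stack and, as noted for Windows 98, need not be mapped. The MASM32 package installed in \masm32 (masm32rt.inc with its crt_-prefixed msvcrt prototypes) is an assumption; the three TIB offsets are the documented NT_TIB layout (ExceptionList at 0, StackBase at 4, StackLimit at 8, Self at 18h).

```asm
; dump_tos.asm - added example, not code from the thread.
; Build (MASM32 package assumed in \masm32):
;   ml /c /coff dump_tos.asm
;   link /subsystem:console dump_tos.obj
; masm32rt.inc already supplies .386 / .model flat,stdcall / option casemap:none
include \masm32\include\masm32rt.inc

MAX_ROWS  equ 64                    ; stop early if ESP is far below the top

.data
    fmt_tib   db "FS:[4]   %08Xh   (NT_TIB.StackBase, one byte past the top)", 13, 10
              db "FS:[8]   %08Xh   (NT_TIB.StackLimit, lowest committed page)", 13, 10
              db "FS:[18h] %08Xh   (NT_TIB.Self, linear address of the TIB)", 13, 10
              db "ESP      %08Xh   (on entry)", 13, 10, 0
    fmt_row   db "[TOS-%u] %08Xh", 13, 10, 0

.data?
    entry_esp dd ?                  ; ESP as it was at the entry point

.code
start:
    mov entry_esp, esp              ; first instruction: nothing pushed yet

    assume fs:nothing
    mov eax, fs:[4]                 ; StackBase
    mov ecx, fs:[8]                 ; StackLimit
    mov edx, fs:[18h]               ; Self
    invoke crt_printf, offset fmt_tib, eax, ecx, edx, entry_esp

    mov esi, fs:[4]
    sub esi, 4                      ; begin at [TOS-4]; [TOS] itself is outside
                                    ; the stack and faults on Win9x
    mov ebx, 4                      ; the n shown in [TOS-n]
    xor edi, edi                    ; rows printed so far
next_row:
    cmp esi, entry_esp
    jb  done                        ; stop once below the entry-time ESP
    cmp edi, MAX_ROWS
    jae done
    mov eax, [esi]
    invoke crt_printf, offset fmt_row, ebx, eax   ; ebx/esi/edi survive the cdecl call
    sub esi, 4
    add ebx, 4
    inc edi
    jmp next_row
done:
    invoke ExitProcess, 0
end start
```

The TIB fields read here are stable across NT versions because they are part of the public NT_TIB structure; what the dwords between StackBase and the entry ESP contain is not, which is why the output of this program is only ever a snapshot of the loader on the machine it was run on. Run it under each Windows version you care about and compare the columns side by side, as the posts above did for Vista, 2000 SP4 and 98.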