x86 Architecture

Program Memory

Anatomy of program memory in Windows

The Stack

A thread requires a short-term data area for functions, local variables, and program control information, which is known as the stack. To facilitate the independent execution of multiple threads, each thread in a running application has its own stack.

Stack memory is “viewed” by the CPU using a Last-In, First-Out (LIFO) structure. This essentially means that while accessing the stack, items put (“pushed”) on the top of the stack are removed (“popped”) first. The x86 architecture implements dedicated PUSH and POP assembly instructions to add data to and remove data from the stack, respectively.

Calling Conventions

Calling conventions describe how functions receive their parameters from their caller and how they return the result. The x86 architecture allows for the use of multiple calling conventions. They differ in several respects: how the parameters and return value are passed (placed in CPU registers, pushed on the stack, or both), in which order they are passed, how the stack is prepared and cleaned up before and after the call, and which CPU registers the called function must preserve for the caller.

Generally speaking, the compiler determines which calling convention is used for all functions in a program; in some cases, however, the programmer can specify a calling convention on a per-function basis.

Function Return Mechanics

When code within a thread calls a function, it must know which address to return to once the function completes. This “return address” (along with the function’s parameters and local variables) is stored on the stack. This collection of data is associated with one function call and is stored in a section of the stack memory known as a stack frame.

Return address on the stack.
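To make the stack, cdecl calling convention and stack frame layout from the sections above concrete, here is an added example (not part of the original notes) that models a 32-bit x86 stack in plain C: the caller pushes arguments right to left, CALL pushes the return address, the callee's prologue saves EBP and reserves locals, and the epilogue unwinds it all. The base address 0x0019FF00, the argument values and the return address 0x00401234 are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a 32-bit x86 stack: STACK_SIZE bytes ending at
 * STACK_TOP and growing toward lower addresses, as on the real CPU. */
#define STACK_TOP  0x0019FF00u
#define STACK_SIZE 64u
#define STACK_BASE (STACK_TOP - STACK_SIZE)
typedef struct { uint8_t mem[STACK_SIZE]; uint32_t esp, ebp; } Cpu;
static void cpu_init(Cpu *c) { memset(c, 0, sizeof *c); c->esp = STACK_TOP; }
static uint32_t read32(const Cpu *c, uint32_t addr) {
    uint32_t v; memcpy(&v, &c->mem[addr - STACK_BASE], 4); return v;
}
static void push(Cpu *c, uint32_t v) {            /* PUSH: ESP -= 4, then store */
    c->esp -= 4; memcpy(&c->mem[c->esp - STACK_BASE], &v, 4);
}
static uint32_t pop(Cpu *c) {                     /* POP: load, then ESP += 4 */
    uint32_t v = read32(c, c->esp); c->esp += 4; return v;
}
/* Caller side of a two-argument cdecl call, then the callee's standard
 * prologue. ret_addr is the address of the instruction after CALL. */
static void cdecl_call(Cpu *c, uint32_t a, uint32_t b, uint32_t ret_addr, uint32_t local_bytes) {
    push(c, b); push(c, a);      /* cdecl: arguments pushed right to left */
    push(c, ret_addr);           /* CALL pushes the return address */
    push(c, c->ebp);             /* prologue: push ebp */
    c->ebp = c->esp;             /*           mov ebp, esp */
    c->esp -= local_bytes;       /*           sub esp, N  (locals sit below EBP) */
}
/* Frame contents, located relative to EBP. */
static uint32_t frame_saved_ebp(const Cpu *c)   { return read32(c, c->ebp); }
static uint32_t frame_return_addr(const Cpu *c) { return read32(c, c->ebp + 4); }
static uint32_t frame_arg(const Cpu *c, int n)  { return read32(c, c->ebp + 8 + 4u * (uint32_t)n); }

/* Epilogue (leave; ret) plus the cdecl caller's cleanup. Returns the value
 * RET loaded into EIP, i.e. where execution resumes. */
static uint32_t cdecl_return(Cpu *c, int nargs) {
    c->esp = c->ebp; c->ebp = pop(c);  /* leave */
    uint32_t eip = pop(c);             /* ret */
    c->esp += 4u * (uint32_t)nargs;    /* add esp, 4*nargs (caller cleans up) */
    return eip;
}
int main(void) {
    Cpu c; cpu_init(&c);
    cdecl_call(&c, 0x11, 0x22, 0x00401234, 8);
    printf("EBP=%08x ESP=%08x ret=%08x arg1=%x arg2=%x\n", c.ebp, c.esp,
           frame_return_addr(&c), frame_arg(&c, 0), frame_arg(&c, 1));
    uint32_t eip = cdecl_return(&c, 2);
    printf("resume at %08x, ESP restored to %08x\n", eip, c.esp); return 0;
}
```

Note that the return address sits at EBP+4, directly above the saved EBP and directly below the arguments, which is why a local buffer that grows upward past its allocation reaches exactly this control data.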

CPU Registers

x86 CPU Registers
16-bit and 8-bit sub registers

General Purpose Registers

  • EAX (accumulator): Arithmetical and logical instructions

  • EBX (base): Base pointer for memory addresses

  • ECX (counter): Loop, shift, and rotation counter

  • EDX (data): I/O port addressing, multiplication, and division

  • ESI (source index): Pointer addressing of data and source in string copy operations

  • EDI (destination index): Pointer addressing of data and destination in string copy operations

ESP - The Stack Pointer

EBP - The Base Pointer

EIP - The Instruction Pointer
