flat assembler
Message board for the users of flat assembler.

Index > Heap > MOV EDI, EDI on prologue of most APIs

Author
Thread Post new topic Reply to topic
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Someone knows why *lots* of API functions starts with a "mov edi, edi" before entering to the usual prologue?

Note that it is not padding since it gets executed when you call the function
Post 18 Jan 2007, 16:17
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Post 18 Jan 2007, 16:22
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
to make API hooks easier?
Post 18 Jan 2007, 16:28
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
No, to patch APIs without rebooting. That way MOV EDI, EDI is replaced by a two bytes JMP that jumps to a long jump and this long jump jumps to the patched function. This way ensures that you will not change any code while some thread is executing code in the middle of patching area.

I think it can be used for API hooking but, Does Windows support API hooking?
Post 18 Jan 2007, 17:13
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
that's what i meant with "API hooks"
Post 18 Jan 2007, 17:23
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
yea, it has hooking.
Post 20 Jan 2007, 15:35
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.