« previous next »
Pages: [1]

Author Topic: Shadow Space  (Read 15127 times)

Offline Geckoo

  • Jr. Member
  • *
  • Posts: 2
Shadow Space
« on: June 19, 2021, 06:00:49 AM »
Hello everyone. I am searching for a clear explanation about the Shadow Space on Win64, Intel architecture and I cannot understand everything after reading a few papers about it. At start (as a prologue) we set a memory allocation, usually 32bits+8+8 (sub RSP, xxx). At the end of our program, we release this memory allocation (add RSP, xxx). However I don't understand why we have to allocate memory for each function. In a large code without any memory allocation for functions (except prologue, of course), all works as expected, but I know it could be better. I do a stupid test - during the process I copy some registers on stack, I ruin these registers so as to lose all function arguments (xor), then again I move/copy all variables from the stack to my registers and it works as expected. Sometimes I copy registers on the stack without any allocation and where it is not really logical (mov [rsp+0x100] for a simple HelloWorld) and it works. Why do we have to use the stack if we can do without it? Thank you for your help ++
« Last Edit: June 19, 2021, 06:02:55 AM by Geckoo »
Logged

Offline Geckoo

  • Jr. Member
  • *
  • Posts: 2
Re: Shadow Space
« Reply #1 on: June 19, 2021, 03:05:11 PM »
Maybe I found the answer. It seems to me that the first Shadow Space is allowed exclusivelly for the Windows ABI. And there is a second memory allocation for my functions. This is the same memory space, but I open it, I close it, I open it again, I close again, etc - and according my functions. Right ?
« Last Edit: June 19, 2021, 05:43:52 PM by Geckoo »
Logged

Offline ig

  • Jr. Member
  • *
  • Posts: 12
Re: Shadow Space
« Reply #2 on: June 22, 2021, 11:49:49 AM »
The Shadow space is part of the calling convention - i.e. the standard describing how common functions communicate with each other.

If the whole program (well, not necessarily the whole program, let's say the piece of code where you're calling a function, i.e. both the caller and the called function) is under your control, written by you, then you can use whatever custom calling convention you want (pass arguments in arbitrary registers, get the result in something else than rax... whatever you want) and you don't have to create the Shadow space.

If, however, your code calls an "external" function (such as a Windows API function, or some code that was compiled by a C++ compiler... something out of the assembly), then you must create the Shadow space because the called function may be using it - and if you don't create it, it may overwrite unrelated parts of the stack and the program may crash after the execution returns from that function.
Logged

Offline GavinHamilton

  • New Member
  • Posts: 1
Re: Shadow Space
« Reply #3 on: July 12, 2021, 10:31:40 AM »
Thx for your replay. That information was very helpful!!
« Last Edit: July 13, 2021, 05:08:34 PM by GavinHamilton »
Logged
Pages: [1]
« previous next »