Why does the compiler generate a MOV EDI, EDI instruction at the beginning of functions?

Sense out of Nonsene : Acceptably Unique

Sense out of Nonsene : Acceptably Unique — Mon, 25 May 2009 22:52:53 GMT

PingBack from http://bradykelly.net/?p=25

You Won’t Learn This in School: Disabling Kernel Functions in Your Process | Chad Austin

Tue, 31 Mar 2009 11:14:50 GMT

PingBack from http://aegisknight.org/2009/03/disabling-functions/

re: Why does the compiler generate a MOV EDI, EDI instruction at the beginning of functions?

Ishai — Fri, 25 Jun 2004 16:37:00 GMT

Detours change a binary file offline. Hot patching is done on a running executable and they want to guarantee that the instruction pointer does not point in the middle of the patched area.

Using the Detours method on a live process would require suspending threads and making sure no thread instruction pointer is pointing at the second, third, forth, or fifth byte of a function that is being Detoured and handling the case that it does.

A Detour will also put limitation on the code generation (i.e. never jump to instructions in bytes 2-5).

Seems to be possible but more complicated than placing a gap between functions and ensuring a 2-byte first instruction.

re: Why does the compiler generate a MOV EDI, EDI instruction at the beginning of functions?

Ziv Caspi — Fri, 25 Jun 2004 08:43:00 GMT

It's interesting they've chosen this method for patching. It not only requires 2 extra bytes per entry, but it also requires you put gaps every once in a while between methods for the 5-bytes long jump (in theory, one gap per method, if you need to patch them all).

It does have an advantage if you have extremely short functions (less than 5 bytes required for a long jump) or in cases where functions share code, but these could have been taken care of by a simple modification of the compiler in any case.

Do you know why they didn't rely on in-place patching like what is done with Detours?

(BTW -- Welcome aboard, Ishai!)