
1 Guo Yu 2008.10 USTC, Suzhou http://ssg.ustcsz.edu.cn/~guoyu/fall08/
See Code Run (1) Guo Yu USTC, Suzhou

2 Quiz How does a machine execute a C program?
#include <stdio.h>
int main (int argc, char * argv[]) { printf("%i\n", 5); return 0; }

3 Life Cycle Source File Compiler Object File Linker Executable File
Loader Data Image

4 Source File
#include <stdio.h>
int main (int argc, char * argv[]) { printf("hello\n"); return 0; }

5 C Compiler GCC Microsoft C/C++ compiler MinGW Intel C/C++ Compiler

6 Example D:\> cl /c hello.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. hello.c D:\>dir hello.* 驱动器 D 中的卷没有标签。 卷的序列号是 B44E-5810 D:\ 的目录 : hello.c : hello.obj 2 个文件 字节 0 个目录 8,285,204,480 可用字节

7 Life Cycle Source File Compiler Object File Linker Executable File
Loader Data Image

8 Object File Binary Code and Binary Data Disassembled to ASM file
Executable?

9 Object File Object File Code Data Others Others 0x1234abcd : AA BB

10 Example D:\>dumpbin hello.obj
Microsoft (R) COFF/PE Dumper Version Copyright (C) Microsoft Corporation. All rights reserved. Dump of file hello.obj File Type: COFF OBJECT Summary 7 .data 60 .debug$S 2F .drectve 14 .text

11 Code Section (Text Section / Segment)
Content: computer instructions
Read-only usually; otherwise, self-modifying code
Support multiple processors

12 Example D:\>dumpbin /disasm hello.obj . . . _main:
: push ebp : 8B EC mov ebp,esp : push offset $SG2472 : E call _printf D: 83 C add esp,4 : 33 C xor eax,eax : 5D pop ebp : C ret

13 Data Section
Content: global variables initialized by the programmer or the compiler; initialized strings
Readable and writable, usually

14 Example D:\>dumpbin /all hello.obj . . . RAW DATA #3
: C 6C 6F 0A hello..

15 BSS Section (from Block Started by Symbol)
Content: uninitialized static variables; global variables initialized to zero
Readable and writable; initialized to zero when loading
Historically, BSS (from Block Started by Symbol) was a pseudo-operation in UA-SAP (United Aircraft Symbolic Assembly Program), the assembler developed in the mid-1950s for the IBM 704 by Roy Nutt, Walter Ramshaw, and others at United Aircraft Corporation. The BSS keyword was later incorporated into FAP (FORTRAN Assembly Program), IBM's standard assembler for its 709 and 7090/94 computers. It defined a label and reserved uninitialized space for a given number of words.

16 Example static char code[100]; int main() { ... } Summary 64 .bss
3 .data 60 .debug$S 2F .drectve 19 .text

17 Symbol Table
Symbols: undefined symbol, static symbol, common symbol, absolute symbol
Untyped symbols

18 Example D:\>dumpbin /symbols hello.obj . . . COFF SYMBOL TABLE
ABS notype Static ABS notype Static SECT1 notype Static | .drectve Section length 2F, #relocs 0, #linenums 0, checksum SECT2 notype Static | .debug$S Section length 60, #relocs 0, #linenums 0, checksum SECT3 notype Static | .data Section length 7, #relocs 0, #linenums 0, checksum 74362A0B SECT3 notype Static | $SG2472 SECT4 notype Static | .text Section length 14, #relocs 2, #linenums 0, checksum F829D91C 00B SECT4 notype () External | _main 00C UNDEF notype () External | _printf String Table Size = 0x0 bytes. . .

19 Quiz What is "_printf"? Where is "printf"?

20 Far Jump to Assembly

21 Quiz Again 00000003: 68 00 00 00 00 push offset $SG2472
: E call _printf Why zero ?

22 Example D:\>dumpbin /relocations hello.obj . . . RELOCATIONS #4
Symbol Symbol Offset Type Applied To Index Name DIR $SG2472 REL C _printf String Table Size = 0x0 bytes. . .
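The object-file structure of slides 8 through 22 (sections, symbol table, relocations, and the zero operands behind the "Why zero?" quiz) together with the linker's relocation step from slide 26, as an added Python example that is not part of the lecture: it constructs a tiny COFF object modelled on hello.obj, parses it the way dumpbin does, and applies the relocations using assumed final addresses.

```python
import struct  # COFF layouts below follow the PE/COFF spec (little-endian)

FILE_HDR = "<HHIIIHH"      # machine, #sections, timestamp, symtab offset, #symbols, opthdr size, flags
SECT_HDR = "<8sIIIIIIHHI"  # name, vsize, vaddr, raw size, raw ptr, reloc ptr, line ptr, #relocs, #lines, flags
RELOC = "<IIH"             # offset within section, symbol table index, relocation type
SYMBOL = "<8sIhHBB"        # name, value, section number (0 = UNDEF), type, storage class (3 static, 2 external), #aux
DIR32, REL32 = 0x06, 0x14  # IMAGE_REL_I386_DIR32 (absolute address) / IMAGE_REL_I386_REL32 (pc-relative)

def build_sample_obj():
    """Constructed stand-in for hello.obj (not compiler output): the _main bytes shown on the slides."""
    text = bytes.fromhex("55 8BEC 68 00000000 E8 00000000 83C404 33C0 5D C3")  # push/call operands still zero
    data = b"hello\n\0"                                                          # the $SG2472 string
    relocs = struct.pack(RELOC, 4, 2, DIR32) + struct.pack(RELOC, 9, 4, REL32)  # push imm32 / call rel32
    syms = [(b".text", 0, 1, 0, 3, 0), (b".data", 0, 2, 0, 3, 0), (b"$SG2472", 0, 2, 0, 3, 0),
            (b"_main", 0, 1, 0x20, 2, 0), (b"_printf", 0, 0, 0x20, 2, 0)]     # _printf: UNDEF, external
    text_off = 20 + 2 * 40
    data_off, reloc_off = text_off + len(text), text_off + len(text) + len(data)
    sym_off = reloc_off + len(relocs)
    blob = struct.pack(FILE_HDR, 0x14C, 2, 0, sym_off, len(syms), 0, 0)        # 0x14C = i386
    blob += struct.pack(SECT_HDR, b".text", 0, 0, len(text), text_off, reloc_off, 0, 2, 0, 0x60000020)
    blob += struct.pack(SECT_HDR, b".data", 0, 0, len(data), data_off, 0, 0, 0, 0, 0xC0000040)
    return blob + text + data + relocs + b"".join(struct.pack(SYMBOL, *s) for s in syms) + struct.pack("<I", 4)

def parse_coff(blob):
    """Small dumpbin: sections with raw bytes and relocations, plus the symbol table (short names only)."""
    _, nsec, _, sym_off, nsym, _, _ = struct.unpack_from(FILE_HDR, blob, 0)
    symbols = []
    for i in range(nsym):
        name, value, secnum, _, cls, _ = struct.unpack_from(SYMBOL, blob, sym_off + 18 * i)
        symbols.append({"name": name.rstrip(b"\0").decode(), "value": value,
                        "section": secnum, "external": cls == 2})
    sections = []
    for i in range(nsec):
        name, _, _, size, raw, rel, _, nrel, _, _ = struct.unpack_from(SECT_HDR, blob, 20 + 40 * i)
        relocs = [struct.unpack_from(RELOC, blob, rel + 10 * r) for r in range(nrel)]
        sections.append({"name": name.rstrip(b"\0").decode(), "raw": blob[raw:raw + size],
                         "relocs": [(off, symbols[idx]["name"], typ) for off, idx, typ in relocs]})
    return sections, symbols

def undefined_symbols(symbols):
    """What the linker must resolve from other objects or libraries: section number 0 (UNDEF)."""
    return [s["name"] for s in symbols if s["section"] == 0]

def apply_relocs(section, base, symbol_addr):
    """Linker step with assumed final addresses: DIR32 sites get the absolute address,
    REL32 sites the displacement from the end of the 4-byte operand (the next instruction)."""
    raw = bytearray(section["raw"])
    for off, sym, typ in section["relocs"]:
        value = symbol_addr[sym] if typ == DIR32 else symbol_addr[sym] - (base + off + 4)
        struct.pack_into("<I", raw, off, value & 0xFFFFFFFF)
    return bytes(raw)
```

Running parse_coff over build_sample_obj() reproduces the dumpbin picture from the slides: .text is 0x14 bytes with two relocations, _printf is the only UNDEF symbol, and both operands stay zero until apply_relocs patches them.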

23 Life Cycle Source File Compiler Object File Linker Executable File
Loader Data Image

24 Executable File Header
Linking Object File Executable File Executable File Header

25 Linker Object File Object File Object File Linker Library File
Dynamic Link File Executable File

26 Task of Linker Resolving symbols Relocation Direct jump and call
Variable reference

27 Static Linking printf hello main printf printf hello main

28 Example D:\>link /subsystem:console hello.obj D:\>hello.exe

29 Linker Static Linking Dynamic Linking Shared Library DLL Files
Library B Library A Program1 Program2 Program3

30 Dynamic Linking printf hello main printf printf hello main

31 Dynamic Linking Method (1)
stub code jump printf stub-code printf printf hello main Hello.exe aaa.dll

32 Dynamic Linking Method (2)
Indirect jump call dword ptr [ ____ ] printf printf hello main Hello.exe aaa.dll

33 Example D:\>cl /c /MD hello.c
D:\>link /subsystem:console hello.obj D:\>dumpbin /disasm hello.obj _main: : push ebp : 8B EC mov ebp,esp : push offset $SG2473 : FF call dword ptr [__imp__printf] E: 83 C add esp,4 : 33 C xor eax,eax : 5D pop ebp : C ret

34 Dynamic Linking Style Which "dll" file to link with?
How does a program know? Link when loading. Dynamic linking with static loading; dynamic linking with dynamic loading. This topic is postponed until after the loader.

35 Life Cycle Source File Compiler Object File Linker Executable File
Loader Data Image

36 Executable File
DOS: .COM (start address 0x100; size 64k, the size of a segment); EXE (MZ header; size > 64k)
Windows 3.0/3.1: EXE (MZ header, NE header)
Windows 95: VxD (Linear Executable, LE)
WinNT/2k/XP/Vista: EXE, DLL, SYS, CPL (MZ header, PE header); COFF
Linux: a.out; Executable and Linkable Format (ELF)

37 Windows PE .text .data .rc Sections Table PE Header Sections MZ Header

38 Life Cycle Source File Compiler Object File Linker Executable File
Loader Data Image

39 Tasks of Loader Loading program from executables into memory
Preparing them for execution Relocate and dynamic link Executing them

40 Loading Entry Object File Harddisk Memory

41 Example

42 Dynamic Linking Memory Import table kernel32.dll executable
Export table aaa.dll Memory

43 Dynamic Linking Style Which “dll” file to link with ?
How does a program know? Link when loading Dynamic Linking with static loading Dynamic Linking with dynamic loading

44 Dynamic Linking Style (1)
Import table printf hello main aaa.dll print Export table printf aaa.dll Dynamic Linking with static loading

45 Dynamic Linking Style (2)
Dynamic Linking with dynamic loading:
#include <windows.h>
int main() {
    HMODULE hmod = LoadLibraryA("msvcrt.dll");
    typedef int (* MYPROC)(char *s);
    MYPROC proc = (MYPROC)GetProcAddress(hmod, "printf");
    proc("hello\n");
    FreeLibrary(hmod);
    return 0;
}

46 Homework IDE http://www.microsoft.com/express/vc/
Visual C Express Edition (with SP1) Repeat what I do in the class Homework

47 Guo Yu 2008.10 USTC, Suzhou http://ssg.ustcsz.edu.cn/~guoyu/fall08
See Code Run (2) Guo Yu USTC, Suzhou

48 Outline C Run-time Stack Calling Convention About “main()”

49 Running Stack Function call support Local Variables
Temporary Space for execution Advanced Control Flow

50 Program
#include <stdio.h>
int add(int x, int y) { int i = 0; int j = 10; return (i+j+x+y); }
int main (int argc, char * argv[]) { printf("%d\n", add(5,6)); return 0; }

51 Stack Frame Arguments Return Address Old ebp Local Variable ebp high
2nd arg 1st arg return address ebp old ebp x esp y low stack grow

52 int main (int argc, char * argv[])
{ push ebp B EC mov ebp,esp EC sub esp,44h push ebx push esi push edi int i = add(5,6); A push B 6A push D E8 61 F0 FF FF call C3 C add esp,8 FC mov dword ptr [ebp-4],eax printf("%d\n", i); B 45 FC mov eax,dword ptr [ebp-4] B push eax C 68 5C EC push EC5Ch E8 08 F4 FF FF call E C add esp,8 return 0; C xor eax,eax } B 5F pop edi C 5E pop esi D 5B pop ebx E 8B E mov esp,ebp D pop ebp C ret

53 Program int add(int x, int y) { 00412520 55 push ebp
B EC mov ebp,esp EC sub esp,48h push ebx push esi push edi int i = 0; int j = 10; C7 45 FC mov dword ptr [ebp-4],0 C7 45 F8 0A mov dword ptr [ebp-8],0Ah return (x+y); B mov eax,dword ptr [ebp+8] A C add eax,dword ptr [ebp+0Ch] } D 5F pop edi E 5E pop esi F 5B pop ebx B E mov esp,ebp D pop ebp C ret

54 Caller Stack int i = add(5,6); push 6 push 5 6 call 004115C3 ... ret 5
add esp,8 6 5 return address stack grow

55 Callee Stack y x prelog return address ebp old ebp i ... j epilog
int add(int x, int y) { push ebp mov ebp,esp sub esp,48h push ebx push esi push edi int i = 0; int j = 10; mov dword ptr [ebp-4],0 mov dword ptr [ebp-8],0Ah return (x+y); ... } pop edi pop esi pop ebx mov esp,ebp pop ebp ret prelog y x return address ebp old ebp i ... j epilog old ebx old esi stack grow old edi

56 Advanced Control Flow Exception or setjmp/longjmp Multithreading
Stack cutting Multithreading Stack switch Continuation Operation Stack store and stack load

57 Exception or setjmp/longjmp
try { f() { g() { raise ex; } } } catch (E) { printf("caught"); }
exception handler; high: frame1, frame2, frame3; low; stack grows downward

58 Multithreading Every thread has its own stack. Thread switching:
machine context switching, stack switching (esp switching between the frames of Thread A and Thread B); stack grows downward

59 Continuation Operation
Useful for web programming Shields the programmer from the stateless nature of the HTTP protocol

68 Continuation Operation
Solving the problem: stack store and load. The Apache Cocoon Web application framework

69 Outline C Run-time Stack Calling Convention About “main()”

70 Calling Convention Why learn it?
Linking between modules in different programming languages: C <-> C++, JAVA <-> C, C <-> ASM. Virus Writer

71 Calling Convention
Preserved registers
Arguments passing: in registers, on the stack, in shared memory; call-by-value or call-by-reference
Stack balance
Return value

72 __cdecl
Default calling convention of the C programming language
Caller saved registers: eax, ecx, edx
Callee saved registers: ebx, esp, ebp, esi, edi
Return value: eax
Arguments passing: from right to left, pushed onto the stack
Stack balance: caller clears the space for arguments

73 Example (__cdecl)
int add(int x, int y);
add(5,6);
    push 6
    ...
    call add
    add esp, 8
int add(int x, int y) {
    ...
    mov eax,dword ptr [ebp+8]
    add eax,dword ptr [ebp+0Ch]
    ...
    ret
}

74 __stdcall
Default calling convention of the Windows API (APIENTRY or WINAPI)
Caller saved registers: eax, ecx, edx
Callee saved registers: ebx, esp, ebp, esi, edi
Return value: eax
Arguments passing: from right to left, pushed onto the stack
Stack balance: callee clears the space for arguments

75 Example (__stdcall)
int __stdcall add(int x, int y);
add(5,6);
    push 6
    push 5
    call add
int __stdcall add(int x, int y) {
    ...
    mov eax,dword ptr [ebp+8]
    add eax,dword ptr [ebp+0Ch]
    ...
    ret 8
}

76 __fastcall
Caller saved registers: eax, ecx, edx
Callee saved registers: ebx, esp, ebp, esi, edi
Return value: eax
Arguments passing: ecx, edx, then the stack
Stack balance: callee clears the space for arguments

77 Example (__fastcall)
int __fastcall add(int x, int y);
add(5,6);
    mov edx,6
    mov ecx,5
    call add
int __fastcall add(int x, int y) {
    mov dword ptr [ebp-8],edx
    mov dword ptr [ebp-4],ecx
    ...
    mov eax,dword ptr [ebp-4]
    add eax,dword ptr [ebp-8]
    ...
    ret
}

78 Quiz How do you tell the calling convention of one specific function
when there is no source code and no C header file, e.g. a Windows library?

79 Calling Convention
Google; look up the documents
Decorated name (for linking): __cdecl, __stdcall, __fastcall (e.g. _add); dumpbin /symbols add.obj

80 More
This call: C++, ecx -> this pointer
Naked call:
__declspec(naked) int __cdecl add(int x, int y) {
    __asm {
        mov eax, [esp+4]
        add eax, [esp+8]
        ret
    }
}
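The stack balance rule of slides 72 through 77 and the mismatch that the quiz on slide 78 warns about, as an added Python model that is not from the lecture: it replays the caller and callee sequences for __cdecl, __stdcall and __fastcall on a simulated x86 stack and reports whether esp is restored afterwards. The return address, the saved ebp value and the stack top are constructed placeholders.

```python
class X86Stack:
    """Constructed model of the x86 stack in the slides: 4-byte slots, esp grows downward."""
    def __init__(self, top=0x0012FF80):
        self.mem, self.esp = {}, top
    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value
    def pop(self):
        value = self.mem.get(self.esp, 0)
        self.esp += 4
        return value
    def ret(self, n=0):
        """'ret n': pop the return address, then free n bytes of arguments (plain ret when n = 0)."""
        addr = self.pop()
        self.esp += n
        return addr

def call_add(stack, caller, callee, x=5, y=6):
    """Caller emits the call sequence of convention `caller`; add() was compiled as `callee`.
    Returns (eax, esp after the call minus esp before): a non-zero delta means an unbalanced stack,
    which is what happens when a function's real convention is guessed wrongly (slide 78).
    MSVC x86 name decoration tells them apart: _add (__cdecl), _add@8 (__stdcall), @add@8 (__fastcall)."""
    esp0, regs = stack.esp, {"ecx": 0, "edx": 0}
    if caller == "fastcall":                    # first two arguments travel in ecx, edx
        regs["ecx"], regs["edx"] = x, y
    else:                                       # __cdecl / __stdcall: push right to left
        stack.push(y)
        stack.push(x)
    stack.push(0x004115C8)                      # call add: pushes the return address (constructed)
    stack.push(0xBEEF)                          # prolog: push ebp (old ebp value constructed)
    ebp = stack.esp                             # mov ebp,esp
    if callee == "fastcall":
        regs["eax"] = regs["ecx"] + regs["edx"]
    else:                                       # [ebp+8] = x, [ebp+0Ch] = y, as in the disassembly
        regs["eax"] = stack.mem.get(ebp + 8, 0) + stack.mem.get(ebp + 12, 0)
    stack.pop()                                 # epilog: pop ebp
    stack.ret(8 if callee == "stdcall" else 0)  # __stdcall callee frees its 8 bytes of arguments: ret 8
    if caller == "cdecl":
        stack.esp += 8                          # __cdecl caller frees them itself: add esp,8
    return regs["eax"], stack.esp - esp0
```

With matching conventions every call returns 11 with esp unchanged; a __cdecl caller reaching a __stdcall callee frees the arguments twice (esp ends 8 bytes too high), and the reverse leaks 8 bytes per call.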

81 Outline C Run-time Stack Calling Convention About “main()”

82 Quiz int main (int argc, char* argv[])

83 main()
int main (int argc, char* argv[])
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow)
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)

84 Windows Subsystems Console Windows Posix Windows DLL NTDLL.DLL
Windows Kernel

85 Exercise (1) Show a message box: hello world
Note: you need to invoke the Windows API MessageBoxA. Do not show any black console window. Either C or inline assembly is fine.

86 Exercise (2) Based on exercise (1), print the current stack frame
and analyze the output.

87 Submit Deadline : Next Wednesday (23:00) ftp://219.219.216.182
Username: student Password: student Zip Archive SAxxxxxx(Name).zip rar ok The whole visual studio 2008 express project directory No binary files (.obj .exe)

88 Good Luck !

