REX.w prefix value before AMD64 jmp (FF25)

While solving a problem, I came across a difference between the jump tables of two Win64 libraries. The 64-bit version of kernel32.dll uses a plain FF25 jmp in its import thunk tables. On the other hand, the 64-bit version of advapi32.dll uses 48FF25, which indicates a REX.W=1 prefix before the jmp opcode. However, both have a 32-bit operand giving a RIP + offset address.

Does the REX.W prefix make sense for this particular opcode?

I don't often work with machine code, so please excuse any factual errors.

assembly x86-64 winapi
1 answer

The REX.W prefix is ignored. In 64-bit mode, the FF /4 opcode always has a 64-bit operand (JMP r/m64), so the operand-size prefixes (REX.W, 66) have no effect.

The reason this REX.W prefix is present probably has to do with the Microsoft x64 unwinding conventions. The import jump stub is effectively a one-instruction function, and since exceptions on Windows are asynchronous and can occur at any time, it is possible that an exception is raised while this function is executing. Microsoft places a number of restrictions on the instructions used at the beginning and end of functions. In particular, a function must end with an epilogue that contains only specific instructions. According to Kevin Frei's MSDN blog, if the last instruction is an indirect jump, it should use the REX.W prefix:

One more note: if the last jmp is not an IP-relative jmp but an indirect jmp, it must be preceded by a REX prefix to tell the OS unwinder that the jump goes outside the function; otherwise the OS assumes a jump to another location within the same function.

There may be an inconsistency in the use of REX.W, because the rule described above does not fully match what the official Microsoft documentation requires for the final JMP instruction:

In the epilogue, only a subset of jmp statements is allowed. These are exclusively the class of jmps with ModRM memory references, where the ModRM mod field value is 00. Using jmps in the epilogue with mod field values of 01 or 10 is prohibited.

Note that since this excludes relative JMP instructions, which do not use a ModR/M encoding and are the most common form of JMP used to end a function, I tend to assume that the official documentation is in error here.

Other possible causes of the inconsistency are that Microsoft's unwinder specifically handles import thunks, or that jump thunks without the REX.W prefix are a bug and could lead to program termination in the very unlikely event that an exception occurs while they are being executed.

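An added worked example, not part of the original question or answer: a small Python decoder for the FF /4 (JMP r/m64) forms discussed in this thread. It constructs two import thunks at made-up addresses (these are constructed bytes, not taken from kernel32.dll or advapi32.dll), one plain FF 25 disp32 and one 48 FF 25 disp32, and shows that the REX.W prefix changes only the instruction length (so the linker has to emit a disp32 one smaller to reach the same IAT slot), never the operand size, and that the ModRM mod field is what the quoted epilogue rule keys on.

```python
"""Decode `FF /4` (JMP r/m64) thunks with and without a REX.W prefix.

Example code written for this thread; THUNK_ADDR and SLOT_ADDR are made-up
image addresses and the thunk bytes are constructed, not copied from a DLL.
"""
import struct


def decode_jmp_rm64(code: bytes, address: int) -> dict:
    """Decode one JMP r/m64 instruction that starts at `address`.

    Handles optional 0x66 and REX prefixes, opcode FF, ModRM and the
    displacement that ModRM.mod calls for. SIB forms are rejected to keep
    the decoder short.
    """
    i = 0
    opsize_prefix = False
    rex = None
    while i < len(code) and code[i] == 0x66:        # legacy operand-size prefix
        opsize_prefix = True
        i += 1
    if i < len(code) and 0x40 <= code[i] <= 0x4F:   # REX prefix, if present
        rex = code[i]
        i += 1
    if i >= len(code) or code[i] != 0xFF:
        raise ValueError("expected opcode FF")
    i += 1
    if i >= len(code):
        raise ValueError("missing ModRM byte")
    modrm = code[i]
    i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 4:
        raise ValueError(f"FF /{reg} is not JMP r/m64")
    if mod == 3:
        raise ValueError("register form JMP r64 is not a memory-indirect jump")
    if rm == 4:
        raise NotImplementedError("SIB addressing is not handled in this example")

    disp = 0
    rip_relative = False
    if mod == 0 and rm == 5:
        # mod=00 rm=101 is RIP + disp32 in 64-bit mode; REX.B does not change that.
        rip_relative = True
        disp = struct.unpack_from("<i", code, i)[0]
        i += 4
    elif mod == 1:                                  # [reg + disp8]
        disp = struct.unpack_from("<b", code, i)[0]
        i += 1
    elif mod == 2:                                  # [reg + disp32]
        disp = struct.unpack_from("<i", code, i)[0]
        i += 4
    # mod == 0 with any other rm is [reg] with no displacement.

    length = i
    return {
        "rex_w": rex is not None and bool(rex & 0x08),
        "opsize_prefix": opsize_prefix,
        "operand_size": 64,          # fixed for FF /4 in 64-bit mode; prefixes ignored
        "mod": mod,
        "rip_relative": rip_relative,
        "disp": disp,
        "length": length,
        # Address of the 8-byte pointer the jump reads; known only for RIP-relative.
        "slot": (address + length + disp) if rip_relative else None,
        # The MS epilogue rule quoted above allows only ModRM.mod == 00.
        "epilogue_ok": mod == 0,
    }


THUNK_ADDR = 0x140001000   # made-up address of the import thunk
SLOT_ADDR = 0x140003000    # made-up address of the IAT slot it reads


def make_thunk(rex_w: bool) -> bytes:
    """Build `jmp qword ptr [rip+disp32]` aimed at SLOT_ADDR from THUNK_ADDR."""
    prefix = b"\x48" if rex_w else b""
    body = b"\xFF\x25"
    length = len(prefix) + len(body) + 4
    disp = SLOT_ADDR - (THUNK_ADDR + length)   # relative to the end of the instruction
    return prefix + body + struct.pack("<i", disp)


def compare_thunks():
    """Decode the plain and REX.W-prefixed thunks placed at the same address."""
    plain = decode_jmp_rm64(make_thunk(False), THUNK_ADDR)
    rexw = decode_jmp_rm64(make_thunk(True), THUNK_ADDR)
    return plain, rexw


if __name__ == "__main__":
    for name, d in zip(("FF25", "48FF25"), compare_thunks()):
        print(f"{name}: len={d['length']} rex_w={d['rex_w']} "
              f"operand={d['operand_size']} slot={d['slot']:#x} "
              f"epilogue_ok={d['epilogue_ok']}")
```

Running it shows both thunks reading the same slot with a 64-bit operand; the only difference is the one-byte longer encoding and the correspondingly smaller disp32. Feeding it FF 65 10 (jmp qword ptr [rbp+0x10]) yields mod=01, the form the quoted documentation forbids in an epilogue.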
