Windows Application Programming Interface

The Windows application programming interface (API) is the user-mode system programming
interface to the Windows operating system family. Prior to the introduction of 64-bit versions of
Windows, the programming interface to the 32-bit versions of the Windows operating systems was
called the Win32 API to distinguish it from the original 16-bit Windows API, which was the program-
ming interface to the original 16-bit versions of Windows. In this book, the term Windows API refers
to both the 32-bit and 64-bit programming interfaces to Windows.

software interrupt –

WinDbg shows “int” Instruction

ntdll!DbgBreakPoint:
7c901230 cc int 3
7c901231 c3 ret
7c901232 8bff mov edi,edi
ntdll!DbgUserBreakPoint:
7c901234 90 nop
7c901235 90 nop
7c901236 90 nop
7c901237 90 nop
ntdll!DbgBreakPointWithStatus:
7c901238 90 nop
ntdll!DbgUserBreakPoint:
7c901239 cc int 3
7c90123a c3 ret
7c90123b 90 nop
7c90123c 8bff mov edi,edi

7c901230 cc int 3

Process Involved

WinRAR program on windows .

Explanation

INT is an assembly language instruction for x86 processors for
generating a software interrupt. It takes the interrupt number
formatted as a byte value.[1] Depending on the context, compiler or
assembler, a software interrupt number is often given as a hexadecimal
value, sometimes with a prefix 0x or the suffix h (e.g. interrupt 0x21, int
33, or interrupt 21h).
When done in assembly language code, the instruction is written like
this:
INT X
Where X is the software interrupt that should be generated. For
example:
INT 40
Will generate a software interrupt 0x28 (40 in decimal), causing the
function pointed to by the 40th vector in the interrupt table to be
executed.

source : http://en.wikipedia.org/wiki/INT_(x86_instruction)

LEAVE Instruction ++

WinDbg shows “leave” instruction

7c901227 c9              leave
7c901228 c20400          ret     4
7c90122b 90              nop
7c90122c 90              nop
7c90122d 90              nop
7c90122e 90              nop
7c90122f 90              nop
ntdll!DbgBreakPoint:
7c901230 cc              int     3

7c901227 c9 leave

Process Involved

Program :  "notepad" on Windows.

Explanation

LEAVE -- High Level Procedure Exit
LEAVE reverses the actions of the ENTER instruction. By copying the
frame pointer to the stack pointer, LEAVE releases the stack space
used by a procedure for its local variables.

source : http://www.cs.uaf.edu/~cs301/notes/Chapter9/node11.html
source : http://d3s.mff.cuni.cz/~ceres/sch/osy/text/ch03s02s02.php
source : http://pdos.csail.mit.edu/6.858/2010/readings/i386/ENTER.htm
source : http://pdos.csail.mit.edu/6.858/2010/readings/i386/LEAVE.htm

NOP machine instruction

| NOP instruction |



source : | Windows Debugger |
In computer science NOP or NOOP (short for No Operation or No
 Operation Performed) is an assembly language instruction, sequence of
 programming language statements, or computer protocol command that
 effectively does nothing at all.

source : http://en.wikipedia.org/wiki/NOP

| pause | Suspends processing ..

software | Windows |


H:\>pause
Press any key to continue . . .

H:\>pause /?
Suspends processing of a batch program and displays the message
    Press any key to continue . . .
H:\>pause
Press any key to continue . . .

Pause
Suspends processing of a batch program and displays a message
 prompting the user to press any key to continue.

source :
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true

modify all segment registers except ..(CS)

software | Windows |


In computing, a code segment, also known as a text segment or simply
as text, is a phrase used to refer to a portion of memory or of an
object file that contains executable instructions.

source :
http://en.wikipedia.org/wiki/Code_segment

Note that code may always modify all segment registers except CS (the
 code segment). This is because the current privilege level (CPL) of the
 processor is stored in the lower 2 bits of the CS register. The only way
 to raise the processor privilege level (and reload CS) is through the
 lcall (far call) and int (interrupt) instructions. Similarly, the only way to
 lower the privilege level (and reload CS) is through lret (far return) and
 iret (interrupt return).

source :
http://en.wikipedia.org/wiki/X86_memory_segmentation

software | GNU/Linux |

(gdb) info registers
rax            0xfffffffffffffdfc	-516
rbx            0x5dc	1500
rcx            0xffffffffffffffff	-1
rdx            0x5dc	1500
rsi            0x1	1
rdi            0x7fff6f396d50	140735059422544
rbp            0xb4a160	0xb4a160
rsp            0x7fff6f396d00	0x7fff6f396d00
r8             0x0	0
r9             0xffffffff	4294967295
r10            0x8	8
r11            0x246	582
r12            0x7fff6f396d50	140735059422544
r13            0x7fff6f396d60	140735059422560
r14            0x0	0
r15            0x1	1
rip            0x7fc4561ec0c8	0x7fc4561ec0c8 
eflags         0x246	[ PF ZF IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb)

cs 0x33 51

Register operands are always prefixes with `%'. The 80386 registers
 consist of the 6 section registers `%cs' (code section), `%ds' (data
 section), `%ss' (stack section), `%es', `%fs', and `%gs'.

source :
http://www.cs.utah.edu/dept/old/texinfo/as/as.html#SEC152

| Related Discussion |

CS Register Setting by VnutZ :: NR10 :: Show
The article correctly mentions the importance of setting up segment
 registers, yet like most neglects to set up CS (which is 0×0000). This is
 one nasty latent bug that shows itself as soon as you try doing indirect
 jumps. So if you want to use something like threaded code in your first
 stage bootloader set CS by "jmp 0×07c0:foo" first.


You’re right – it would have been "good practice" to set the CS register.
 However, the CS register is already correctly set by the BIOS. If it
 were not set … a computer would never boot up! CS (code segment)
 and IP (instruction pointer) are both set to point directly at 0000:7C00
 which is where the BIOS loads the bootsector into.

source:
http://www.omninerd.com/comments/10807

| Variation |


The way to execute user processes in kernel mode in AMD64 is almost
the same as it is in IA-32. To execute user processes in kernel mode,
 the only thing KML does is launch user processes with the CS segment
 register, which points to the kernel code segment instead of user code
 segment.


In AMD64 CPUs, the privilege level of running programs is determined by
 the privilege level of their code segment. This is almost the same as in
 IA-32 CPUs; the only difference is the segmentation memory system is
 degenerated in AMD64. Although segment registers still are used in 64
-bit mode of AMD64, the only segment that the segment registers can
 use is the 16 EB flat segment. Thus, the role of the segment
 descriptors is simply to specify privilege levels. Therefore, only four
 segments—kernel code segment, kernel data segment, user code
 segment—exist in 64-bit mode.

source and link(s) :
http://www.linuxjournal.com/article/8023?page=0,1
http://www.thefreedictionary.com/degenerated

eip in 32-bit mode,, and rip in 64-bit mode

software | Windows |


The instruction pointer is called ip in 16-bit mode, eip in 32-bit mode,,
 and rip in 64-bit mode. The instruction pointer register points to the
 memory address which the processor will next attempt to execute; it
 cannot be directly accessed in 16-bit or 32-bit mode, but a sequence
 like the following can be written to put the address of next_line into
 eax:
    call next_line
next_line:
    pop eax

source :
http://en.wikipedia.org/wiki/X86_assembly_language

software | GNU/Linux |

(gdb) info registers
rax            0xfffffffffffffdfc	-516
rbx            0x5dc	1500
rcx            0xffffffffffffffff	-1
rdx            0x5dc	1500
rsi            0x1	1
rdi            0x7fff09cf5780	140733357971328
rbp            0x2051160	0x2051160
rsp            0x7fff09cf5730	0x7fff09cf5730
r8             0x0	0
r9             0xffffffff	4294967295
r10            0x8	8
r11            0x246	582
r12            0x7fff09cf5780	140733357971328
r13            0x7fff09cf5790	140733357971344
r14            0x0	0
r15            0x1	1
rip            0x7f2e947000c8	0x7f2e947000c8 
eflags         0x246	[ PF ZF IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb)

rip 0x7f2e947000c8 0x7f2e947000c8

The RIP register is the instruction pointer register. In 64-bit mode, the
 RIP register is extended to 64 bits to support 64-bit offsets. In 32-bit
 x86 architecture, the instruction pointer register is the EIP register.

source:
http://developers.sun.com/solaris/articles/x64_dbx.html

| Related Discussion |

Hi...I'm teaching myself some AMD 64 bit assembler programing and I'm
curious about RIP relative addressing. The docs that I've read state
 "You are recommended to use RIP relative addressing whenever possible
 to reduce code size" now my question is, is this the code size reduction
 they are talking about


Code:
example code 1 RIP-relative addressing

.section .data
	mydata: .long 0

.section .bss

.section .text
	.global _start
_start:
			movq	$64, mydata(%rdi)
Code:
example code 2
.section .data
	mydata: .long 0

.section .bss

.section .text
	.global _start
_start:
			movq	$64, mydata
and the results

Code:
example 1 RIP-relative addressing
code1:     file format elf64-x86-64


Disassembly of section .text:

00000000004000b0 :
  4000b0:	48 c7 87 bc 00 60 00 	movq   $0x40,0x6000bc(%rdi)
  4000b7:	40 00 00 00
Code:
example 2
code2:     file format elf64-x86-64


Disassembly of section .text:

00000000004000b0 :
  4000b0:	48 c7 04 25 bc 00 60 	movq   $0x40,0x6000bc
  4000b7:	00 40 00 00 00
are we talking about a one byte reduction in code size every time I use RIP relative addressing?

source :
http://www.linuxforums.org/forum/linux-programming-scripting/131795-amd-64-bit-rip-relative-addressing.html

| Variation |

How RIP/EIP relative addressing works in 32-bit mode

In 32-bit programs you can't do this :

mov al, [eip]

But you will have to do something like this instead :
call $ + 5
pop ebx
add ebx, 1 + 1 + 1 + 1 ; POP + ADD + ModRM + imm8
mov al, [ebx] ; EBX is now pointing to this instruction!



How RIP/EIP relative addressing works in 64-bit mode

In 64-bit programs you are allowed to write this :
mov al, [rip]

source :
http://www.codegurus.be/codegurus/Programming/riprelativeaddressing_en.htm


The Intel IA32 processors have a base pointer..

software | Windows |


The Intel IA32 processors have a base pointer register called EBP . The
EBP register is typically set to the value of the ESP register at the
 beginning of a procedure, and used to address the procedure arguments
 and locally allocated variables throughout the procedure. Thus, the
 arguments are located at positive offsets from the EBP register, while the
 variables are located at negative offsets from the EBP register.

source :
http://d3s.mff.cuni.cz/~ceres/sch/osy/text/ch03s02s02.php

software | GNU/Linux |

(gdb) info registers
rax            0xfffffffffffffdfc	-516
rbx            0x5dc	1500
rcx            0xffffffffffffffff	-1
rdx            0x5dc	1500
rsi            0x1	1
rdi            0x7ffffb2814d0	140737407096016
rbp            0x1f70160	0x1f70160
rsp            0x7ffffb281480	0x7ffffb281480
r8             0x0	0
r9             0xffffffff	4294967295
r10            0x8	8
r11            0x246	582
r12            0x7ffffb2814d0	140737407096016
r13            0x7ffffb2814e0	140737407096032
r14            0x0	0
r15            0x1	1
rip            0x7f668b3710c8	0x7f668b3710c8 
eflags         0x246	[ PF ZF IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb)

rbp 0x1f70160 0x1f70160

In computer architecture, a processor register (or general purpose
 register) is a small amount of storage available on the CPU whose
 contents can be accessed more quickly than storage available
 elsewhere.
source :
http://en.wikipedia.org/wiki/Processor_register

The AMD64 architecture has sixteen 64-bit general purpose registers
 (GPRs): RAX, RBX, RCX, RDX, RBP, RSI, RDI, RSP, R8, R9, R10, R11, R12,
 R13, R14, and R15. Compared to the x86 architecture, the AMD64
 architecture has eight new GPRs.

source :
http://developers.sun.com/solaris/articles/x64_dbx.html

| Related Discussion |

 Hi, Could somebody please explain what GCC is doing for this piece of code? What is it initializing? The original code is:

#include 
int main()
{

}
And it was translated to:

    .file       "test1.c"
    .def        ___main;        .scl    2;      .type   32;     .endef
    .text
.globl _main
    .def        _main;  .scl    2;      .type   32;     .endef
_main:
    pushl       %ebp
    movl        %esp, %ebp
    subl        $8, %esp
    andl        $-16, %esp
    movl        $0, %eax
    addl        $15, %eax
    addl        $15, %eax
    shrl        $4, %eax
    sall        $4, %eax
    movl        %eax, -4(%ebp)
    movl        -4(%ebp), %eax
    call        __alloca
    call        ___main
    leave
    ret

| Variation |

Registers E(SP), E(IP) and E(BP) are promoted to 64-bits and are re-named RSP, RIP, and RBP respectively.

source and link(s) :
http://x86asm.net/articles/x86-64-tour-of-intel-manuals/