试图理解 rsp 和 rbp 寄存器的奇怪行为

Question

While playing around with detours I noticed this behavior that goes against my understanding of how registers rsp and rbp work. I am hooking another function, and my goal is to retain the state of the registers and flags for when I return back to the original function. Playing around with this, I noticed that the values of rsp and rbp (and weirdly enough r15 ) are changing during my detour without me touching them. Testing this further, my detour consists of me first dumping the values of all the registers (except rsp , rbp , and rip ) and flags sequentially to a specific address, pushing and popping all registers and flags, then dumping all the registers and flags again, and finally the instructions that my hook overwrote in the original function.

The x64 code of my detour is below:

;dump registers
mov rax, 0x1C122560000
mov [rax], rcx
mov [rax+0x8], rdx
mov [rax+0x10], rbx
mov [rax+0x18], rdi
mov [rax+0x20], rsi
mov [rax+0x28], r8
mov [rax+0x30], r9
mov [rax+0x38], r10
mov [rax+0x40], r11
mov [rax+0x48], r12
mov [rax+0x50], r13
mov [rax+0x58], r14
mov [rax+0x60], r15
mov [rax+0x68], rsp
mov [rax+0x70], rbp

;dump flags
push rcx
pushfq
pop rcx
mov [rax+100], rcx
pop rcx

pushfq
push rcx
push rdx
push rbx
push rdi
push rsi
push r8
push r9
push r10
push r11
push r12
push r13
push r14
push r15

;this is where my actual detour instructions would happen, but it is currently empty

pop r15
pop r14
pop r13
pop r12
pop r11
pop r10
pop r9
pop r8
pop rsi
pop rdi
pop rbx
pop rdx
pop rcx
popfq

;dump registers
mov rax,  0x1C122560000
mov [rax+0x78], rcx
mov [rax+0x80], rdx
mov [rax+0x88], rbx
mov [rax+0x90], rdi
mov [rax+0x98], rsi
mov [rax+0xA0], r8
mov [rax+0xA8], r9
mov [rax+0xB0], r10
mov [rax+0xB8], r11
mov [rax+0xC0], r12
mov [rax+0xC8], r13
mov [rax+0xD0], r14
mov [rax+0xD8], r15
mov [rax+0xF0], rsp
mov [rax+0xF8], rbp

;dump flags
push rcx
pushfq
pop rcx
mov [rax+108], rcx
pop rcx

;original instructions (omitted)
...
...
...

ret

I am then reading the dumped registers from the address 0x1C122560000 with the corresponding offsets that each register was dumped with, and writing the results out. This result is shown below (suffix _1 marks value from the first dump, and _2 from the second dump):

rcx_1: 23E5A6FEE00
rdx_1: 0
rbx_1: 3FFFAB921FE0
rdi_1: 3FF636D38F00
rsi_1: 23E5A6FEE00
r8_1: 0
r9_1: 3FFFAB921FE0
r10_1: 2C7
r11_1: 9E057FFA78
r12_1: 1
r13_1: 0
r14_1: 0
r15_1: 24600000000
rsp_1: 24600000000
rbp_1: 9E00000000
flags_1: 0

rcx_2: 23E5A6FEE00
rdx_2: 0
rbx_2: 3FFFAB921FE0
rdi_2: 3FF636D38F00
rsi_2: 23E5A6FEE00
r8_2: 0
r9_2: 3FFFAB921FE0
r10_2: 2C7
r11_2: 9E057FFA78
r12_2: 1
r13_2: 0
r14_2: 0
r15_2: 0
rsp_2: 9E057FF750
rbp_2: 9E057FF860
flags_2: 0

I struggle to understand how the value of the registers rsp , rbp , and r15 are changing between the dumps, and the same "pattern" repeats every time the original function is called (all three registers change every time, every other register stays the same). To my understanding, the equal amount of pushes and pops should return the stack frame to point to the same address. Am I missing something very obvious about how these registers work? Is my approach to saving and restoring the original state of the hooked function by pushing and popping the registers flawed?

Answer 1

mov [rax+0x60], r15 mov [rax+0x68], rsp

 mov [rax+100], rcx

You are overwriting the stored values of R15 (at +96) and RSP (at +104), since the offset that you use in mov [rax+100], rcx is in decimal (+100).

Same thing happens in mov [rax+108], rcx , changing the stored value of RBP. Solution use hexadecimal as was intended:

mov [rax+0x100], rcx
...
mov [rax+0x108], rcx