Why does the compiler generate a MOV EDI, EDI instruction at the beginning of functions?


I’ve recently noticed that on the XPSP2 Beta that I am running, the function prologs look like this:

    MOV EDI, EDI
    PUSH EBP
    MOV EBP, ESP

The PUSH EBP and MOV EBP, ESP instructions are standard frame establishment, but what is the purpose of the MOV EDI, EDI instruction? It seems like a 2-byte NOP instruction.

MOV EDI, EDI is indeed a 2-byte no-op that is there to enable hot-patching. It allows a hot-fix to be applied to a function without a reboot, or even a restart of the running application. At runtime, the 2-byte NOP is replaced by a short jump to a long jump instruction, which in turn jumps to the hot-fix function. A 2-byte instruction is required so that, when the patch is applied, the instruction pointer of any thread already executing the function will never point into the middle of an instruction.
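To make the mechanism concrete, here is a small byte-level model of the scheme, added here as an illustration rather than taken from the original post or from any Microsoft tool. It assumes a 5-byte gap filled with INT3 (0xCC) directly before the function entry, and the addresses 0x10001000 (function) and 0x10005000 (hot-fix) are constructed values.

```python
"""Model of the MOV EDI,EDI hot-patch scheme (constructed example)."""
import struct

# mov edi,edi / push ebp / mov ebp,esp -- the prolog shown in the post
PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])
# Assumed: 5-byte gap the linker leaves before the function, filled with INT3
PAD = bytes([0xCC] * 5)
SHORT_JMP = 0xEB   # JMP rel8
LONG_JMP = 0xE9    # JMP rel32


def build_image(func_va):
    """Return (image_base, image): the gap sits immediately before the entry."""
    return func_va - len(PAD), PAD + PROLOGUE


def apply_hotpatch(image, image_base, func_va, hotfix_va):
    """Redirect func_va to hotfix_va in two steps, the second a single 2-byte write."""
    img = bytearray(image)
    gap = func_va - image_base - 5
    # Step 1: long jump into the gap. Nothing reaches it yet, so this is safe.
    # The JMP sits at func_va-5 and is 5 bytes long, so rel32 is relative to func_va.
    rel32 = hotfix_va - func_va
    img[gap:gap + 5] = bytes([LONG_JMP]) + struct.pack('<i', rel32)
    # Step 2: overwrite the 2-byte MOV EDI,EDI with a 2-byte JMP short -7 (EB F9).
    # Same length as the instruction it replaces, so every other boundary is intact.
    entry = func_va - image_base
    disp8 = (func_va - 5) - (func_va + 2)   # target minus end of the short jump = -7
    img[entry:entry + 2] = bytes([SHORT_JMP, disp8 & 0xFF])
    return bytes(img)


def trace(image, image_base, va):
    """Follow jumps starting at va; return where execution ends up."""
    pc = va
    for _ in range(4):
        off = pc - image_base
        if off < 0 or off >= len(image):
            return pc                       # left the image: landed in the hot-fix
        op = image[off]
        if op == SHORT_JMP:
            pc += 2 + struct.unpack('<b', image[off + 1:off + 2])[0]
        elif op == LONG_JMP:
            pc += 5 + struct.unpack('<i', image[off + 1:off + 5])[0]
        else:
            return pc                       # a real instruction: execution continues here
    return pc
```

Before the patch, execution starting at the entry stays in the function; after it, the same entry address chains through EB F9 and E9 to the hot-fix, while the bytes from PUSH EBP onward are untouched.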

Comments

  • Anonymous
    June 24, 2004
    It's interesting they've chosen this method for patching. It not only requires 2 extra bytes per entry, but it also requires you to put gaps every once in a while between methods for the 5-byte long jump (in theory, one gap per method, if you need to patch them all).

    It does have an advantage if you have extremely short functions (less than 5 bytes required for a long jump) or in cases where functions share code, but these could have been taken care of by a simple modification of the compiler in any case.

    Do you know why they didn't rely on in-place patching like what is done with Detours?

    (BTW -- Welcome aboard, Ishai!)
  • Anonymous
    March 30, 2009
    PingBack from http://aegisknight.org/2009/03/disabling-functions/