generate for nearly every function. The particulars of these sequences depend
on the specific compiler used and on other issues such as calling convention.
Calling conventions are discussed in the section on calling conventions in
Appendix C.
On IA-32 processors function are nearly always called using the CALL
instruction, which stores the current instruction pointer in the stack and jumps
to the function address. This makes it easy to distinguish function calls from
other unconditional jumps.Internal Functions
Internal functions are called from the same binary executable that contains
their implementation. When compilers generate an internal function call
sequence they usually just embed the function’s address into the code, which
makes it very easy to detect. The following is a common internal function call.Call CodeSectionAddressImported Functions
An imported function call takes place when a module is making a call into a
function implemented in another binary executable. This is important because
during the compilation process the compiler has no idea where the imported
function can be found and is therefore unable to embed the function’s address
into the code (as is usually done with internal functions).
Imported function calls are implemented using the Import Directory and
Import Address Table (see Chapter 3). The import directory is used in runtime
for resolving the function’s name with a matching function in the target exe-
cutable, and the IAT stores the actual address of the target function. The caller
then loads the function’s pointer from the IAT and calls it. The following is an
example of a typical imported function call:call DWORD PTR [IAT_Pointer]Notice the DWORD PTRthat precedes the pointer—it is important because it
tells the CPU to jump not to the address of IAT_Pointerbut to the address
that is pointed to by IAT_Pointer. Also keep in mind that the pointer will
usually not be named (depending on the disassembler) and will simply con-
tain an address pointing into the IAT.
Detecting imported calls is easy because except for these types of calls, func-
tions are rarely called indirectly through a hard-coded function pointer. I
would, however, recommend that you determine the location of the IAT early
on in reversing sessions and use it to confirm that a function is indeedDeciphering Code Structures 48721_574817 appa.qxd 3/16/05 8:52 PM Page 487