killchain-compendium/exploit/buffer_overflow/docs/amd64.md

# amd64

* `rax` return value, caller saved.
* `rbx` base register (used for mem basepointer)
* `rcx` counter register
* `r10`, `r11` are caller saved.
* `rbx`, `r12`, `r13`, `r14` are callee saved 
* `rdx` data register
* `rbp` is also callee saved(and can be optionally used as a frame pointer)
* `rsp` is callee saved
* `rip` next instruction pointer

## Function argument registers
* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved.
* Further function args are stored inside its stack frame.


## Overwriting Variables and Padding
* Overwrite an atomic variable behind a buffer
```C
int main ( int argc, char ** argv ) {
    int var = 0 
    char buffer[12];
    
    gets(buffer);
    [...]
}
```
* Stack layout 
```
Bottom 
+------------------+
| Saved registers  |
+------------------+
| int var          |
+------------------+
| char buffer [11] |
| ...              |
| ...              |
| ...              |
| char buffer [0]  |
+------------------+
| char ** argv     |
+------------------+
| char argc        |
+------------------+
Top
```

* Watch out! I.e., a 12 byte array is padded to system memory allocation size.
```
+-------------+----+
|12 byte array| 4b |
+-------------+----+
0            12   16 byte
```
second commit 2021-08-23 01:13:54 +02:00			`# amd64`

			* `rax` return value, caller saved.
some amd64 2021-11-08 21:24:23 +01:00			* `rbx` base register (used for mem basepointer)
			* `rcx` counter register
second commit 2021-08-23 01:13:54 +02:00			* `r10`, `r11` are caller saved.
			* `rbx`, `r12`, `r13`, `r14` are callee saved
some amd64 2021-11-08 21:24:23 +01:00			* `rdx` data register
second commit 2021-08-23 01:13:54 +02:00			* `rbp` is also callee saved(and can be optionally used as a frame pointer)
			* `rsp` is callee saved
some amd64 2021-11-08 21:24:23 +01:00			* `rip` next instruction pointer
second commit 2021-08-23 01:13:54 +02:00
			`## Function argument registers`
			* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved.
			`* Further function args are stored inside its stack frame.`


			`## Overwriting Variables and Padding`
			`* Overwrite an atomic variable behind a buffer`
			```C
			`int main ( int argc, char ** argv ) {`
			`int var = 0`
			`char buffer[12];`

			`gets(buffer);`
			`[...]`
			`}`
			```
			`* Stack layout`
			```
			`Bottom`
			`+------------------+`
some amd64 2021-11-08 21:24:23 +01:00			`\| Saved registers \|`
second commit 2021-08-23 01:13:54 +02:00			`+------------------+`
			`\| int var \|`
			`+------------------+`
			`\| char buffer [11] \|`
			`\| ... \|`
			`\| ... \|`
			`\| ... \|`
			`\| char buffer [0] \|`
			`+------------------+`
			`\| char ** argv \|`
			`+------------------+`
			`\| char argc \|`
			`+------------------+`
			`Top`
			```

			`* Watch out! I.e., a 12 byte array is padded to system memory allocation size.`
			```
			`+-------------+----+`
			`\|12 byte array\| 4b \|`
			`+-------------+----+`
			`0 12 16 byte`
			```