Readers are expected to have a good understanding of how things work on the X86 CPU in terms of register usage, stack usage and function layout to make the most of this tutorial.

Figure 9 : Parameter Homing Space

In the example below, the "sub rsp, 20h" instruction shows the prolog of a function allocating 0x20 bytes on the stack, which is enough homing space for four 64-bit values.

Summary of Techniques

The discussions in this section assume that the X64 functions have been compiled without the /homeparams flag.

LdrpInitialize:
c030f0 48895c2408 mov qword ptr [rsp+8],rbx
c030f mov qword ptr [rsp+10h],rsi
c030fa 57 push rdi
c030fb 4154 push r12
c030fd 4155 push r13
c030ff 4156 push r14
c push r
c ec40 sub rsp,40h
c03107 4c8bea mov r13,rdx
c0310a 4c8be1 mov r12,rcx

The value being saved would be the same value that was loaded into the RCX.

