Readers are expected to have a good understanding of how things work on the X86 CPU in terms of register usage, stack usage and function layout to make the most of this tutorial.

Figure 9: Parameter Homing Space

In the example below, the "sub rsp, 20h" instruction shows the prolog of a function allocating 0x20 bytes on the stack, which is enough homing space for four 64-bit values.

Summary of Techniques

The discussions in this section assume that the X64 functions have been compiled without the /homeparams flag.

LdrpInitialize:
c030f0 48895c2408 mov qword ptr [rsp+8],rbx
c030f mov qword ptr [rsp+10h],rsi
c030fa 57 push rdi
c030fb 4154 push r
c030fd 4155 push r
c030ff 4156 push r
c push r
c ec40 sub rsp,40h
c03107 4c8bea mov r13,rdx
c0310a 4c8be1 mov r12,rcx

The value being saved would be the same value that was loaded into RCX.

In these cases, the debugger needs the symbols of the module to be able to accurately walk the call stack.

