(I'm going over Iczelion's tutorials, in particular the PE tutorial number 5.)

Here are the first few lines of my .code section (seh is a 20-byte structure):

start proc
LOCAL seh:SEH
invoke GetModuleHandle


And here are the first few lines from Ollydbg2:
PUSH EBP
PUSH EBP, ESP
ADD ESP,-14
PUSH 0
CALL <GetModuleHandle>


What is causing PUSH EBP, PUSH EBP,ESP and ADD ESP,-14 to appear? Is proc causing PUSH EBP and PUSH EBP,ESP, and LOCAL seh:SEH causing ADD ESP,-14?

Also, why isn't the SEH structure being PUSH'd before the call to GetModuleHandle is made?

Thanks.
Posted on 2010-07-13 16:56:27 by SyWiles
1. The fact that you have at least 1 local variable of any type makes your assembler construct a stack frame (the first 2 lines; btw, it's "push ebp", "mov ebp, esp", not "push ebp, esp").
2. The fact that you have a 20-byte-long structure declared locally makes your assembler reserve 14h (20) bytes in the previously created stack frame. You subtract that value from esp because on Intel-compatible x86 machines, the stack is by default decreasing-full, and most OSes actually use it in the decreasing-full mode. If it were increasing-full (the only other mode supported by x86), you'd have to increase esp to reserve some space.
3. invoke GetModuleHandle is actually "call GetModuleHandle, 0", which means "push 0, call GetModuleHandle".

Some assemblers emit stack frames even when there are no local variables.
Posted on 2010-07-14 00:12:01 by ti_mo_n
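The points above can be checked without a debugger. The following is an added C example, not code from the thread or from Iczelion's tutorial: it declares a 20-byte local (standing in for LOCAL seh:SEH; the real field layout is not given in the thread, so the struct is kept opaque, which is an assumption) in two nested functions and compares their addresses. Because the stack grows downward, the callee's local must land at a lower address than the caller's, which is exactly why the prologue reserves the 14h bytes with "add esp,-14" rather than by adding. The NOINLINE macro is a helper added here so that each function really gets its own frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Helper added for this example: keep each function in its own frame so the
 * two locals really live in two different stack frames. */
#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Stand-in for the 20-byte SEH structure from the post. The thread does not
 * give its fields, so it is modelled as an opaque 20-byte block (assumption). */
typedef struct {
    unsigned char raw[20];
} SEH;

/* Equivalent of "LOCAL seh:SEH" in a callee: the structure lives in this
 * function's frame, i.e. in the space the prologue carved out below the
 * saved frame pointer. Its address is returned so the caller can compare. */
static NOINLINE uintptr_t callee_local(void)
{
    volatile SEH seh;
    seh.raw[0] = 0;              /* touch it so the compiler keeps the slot */
    return (uintptr_t)&seh;
}

/* A caller with its own LOCAL that calls callee_local, so two frames, each
 * holding a 20-byte SEH, are live at the same time. */
static NOINLINE uintptr_t caller_local(uintptr_t *callee_addr)
{
    volatile SEH seh;
    seh.raw[0] = 0;
    *callee_addr = callee_local();
    return (uintptr_t)&seh;
}

/* Returns 1 if the callee's local sits at a lower address than the caller's,
 * i.e. the stack grows downward and reserving locals means lowering ESP. */
int stack_grows_downward(void)
{
    uintptr_t inner = 0;
    uintptr_t outer = caller_local(&inner);
    return inner < outer;
}

/* Distance in bytes between the two locals. The whole callee frame lies
 * between them, so this is at least sizeof(SEH) plus the return address that
 * CALL pushed (and the saved EBP, when a frame pointer is kept). */
size_t frame_distance(void)
{
    uintptr_t inner = 0;
    uintptr_t outer = caller_local(&inner);
    return (size_t)(outer - inner);
}

int main(void)
{
    printf("sizeof(SEH)          = %zu (0x%zx)\n", sizeof(SEH), sizeof(SEH));
    printf("stack grows downward = %d\n", stack_grows_downward());
    printf("frame distance       = %zu bytes\n", frame_distance());
    return 0;
}
```

On a 32-bit build the printed distance is the callee's 14h bytes of locals plus the 4-byte return address and saved ebp, plus whatever else the compiler keeps in the caller's frame; on a 64-bit build the slots are 8 bytes wide, but the ordering is the same.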