I am trying to hook some functions on x86; it doesn't matter whether they are __stdcall or __cdecl.
I want to do the following things:
1. Preserve the stack
2. Preserve the registers
3. Do my things
4. Restore the registers
5. Restore the stack
I don't have problems with the stack, but I do have some problems with my register backup: I cannot back up registers without modifying some of them (I can NOT use the stack because I cannot back up the stack this way)!
It is possible for me to back them up on the heap (I use a structure with some .EAX, .EBX and so on members). I access that structure from ASM, and here is the problem... I have to modify some registers to be able to do this!
However, this is my story. What I really want to understand is the answer to the following question:
Is there any "rule" about the registers that can be modified and the registers that are NOT modified during a function call?
I checked some function calls with a debugger. I add a breakpoint at "call SomeFunction", press F8 to "step over function call" and check the modified registers. I can see something like this:
1. ESP/EBP may be modified depending on calling convention (cdecl vs stdcall)
2. EAX, EBX, EDX - are almost always modified!
3. EBX, EDI, ESI seem to be ALWAYS preserved!
So here comes my "pseudo-solution": is it OK if I preserve only those registers (EBX, EDI, ESI)? I don't mess up the stack so EBP and ESP are not a problem. But I have to modify some registers (EAX, ECX, EDX).
Will I have any problems with some compiler optimizations? Is it possible to mess up the code by modifying those "innocent" registers: EAX, ECX, EDX?
Thank you