How to investigate the calling convention of a PE binary file in Windows?
Is there a tool to show whether the calling convention is _cdecl or _stdcall or else?
Calling conventions are per function - not PE file.
Library functions, at least the ones provided by MS, are all _stdcall. Everything else is spread across other calling conventions, most of them being _cdecl.
You can read more here.
The short version:
cdecl functions don't clear their arguments from the stack, allowing variable-sized arguments. A good example is printf(), which can take a different number of arguments.
stdcall functions clear the arguments from the stack themselves. Hence variable-sized arguments aren't possible.
Edit: added example
Example for cdecl from the link:
push c
push b
push a
call function_name
add esp, 12 ;Stack clearing, 3 arguments take 12 bytes of space (on 32bit)
So after function_name returns, the caller clears the arguments off the stack.
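
As an added illustration that is not part of the original answer: a heuristic check in Python that applies the rule above to raw 32-bit x86 bytes, looking for `ret N` at the end of the function (callee cleanup) or `add esp, N` right after the call (caller cleanup). The function names and the sample byte strings are constructed for this example.

```python
import struct

def callee_cleanup_bytes(func: bytes) -> int:
    """Stack bytes the function itself pops, read from its final return.
    C3 = ret (pops nothing); C2 iw = ret imm16 (pops imm16 argument bytes)."""
    if func[-1:] == b"\xC3":
        return 0
    if len(func) >= 3 and func[-3] == 0xC2:
        return struct.unpack_from("<H", func, len(func) - 2)[0]
    raise ValueError("code does not end in ret / ret imm16")

def caller_cleanup_bytes(code: bytes, call_off: int) -> int:
    """Stack bytes the caller pops directly after the call rel32 at call_off."""
    if code[call_off] != 0xE8:
        raise ValueError("no call rel32 (E8) at this offset")
    nxt = call_off + 5                      # E8 plus a 4-byte displacement
    if code[nxt:nxt + 2] == b"\x83\xC4":    # add esp, imm8
        return code[nxt + 2]
    if code[nxt:nxt + 2] == b"\x81\xC4":    # add esp, imm32
        return struct.unpack_from("<I", code, nxt + 2)[0]
    return 0

def classify(func: bytes, caller: bytes, call_off: int) -> str:
    """Combine both views: callee-side ret N wins, else look at the call site."""
    callee = callee_cleanup_bytes(func)
    if callee:
        return f"callee cleanup, {callee} bytes (stdcall-style)"
    caller_n = caller_cleanup_bytes(caller, call_off)
    if caller_n:
        return f"caller cleanup, {caller_n} bytes (cdecl-style)"
    return "undetermined: no stack cleanup seen"

# Constructed sample bytes (32-bit x86), not taken from any real binary.
PUSHES = bytes.fromhex("6a036a026a01")                    # push 3; push 2; push 1
CALL = bytes.fromhex("e800000000")                        # call rel32 (target irrelevant)
CDECL_CALLER = PUSHES + CALL + bytes.fromhex("83c40c")    # add esp, 12
STDCALL_CALLER = PUSHES + CALL + bytes.fromhex("8945fc")  # mov [ebp-4], eax
CDECL_FUNC = bytes.fromhex("558bec8b45085dc3")            # ... pop ebp; ret
STDCALL_FUNC = bytes.fromhex("558bec8b45085dc20c00")      # ... pop ebp; ret 12

if __name__ == "__main__":
    print(classify(CDECL_FUNC, CDECL_CALLER, len(PUSHES)))
    print(classify(STDCALL_FUNC, STDCALL_CALLER, len(PUSHES)))
```

Optimizing compilers may defer or merge the caller's cleanup, and fastcall and thiscall functions also end in `ret N`, so treat the result as a hint to confirm in a disassembler.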