Initial Register values

Hi folks!

How do I determine the initial values of the registers. Is this OS dependent or is it set by the processor?
Any documents or links are appreciated!

regards
PHaX

[peleon]

Hello phax,

If you mean in your WIndows program, NEVER assume initial register values cos it's OS dependant. The OS makes many things in your program context before your program entry point is called. So, initialize them by yourself if you don't want unexpected behaviours in another computers

Regards.

[gigaman]

Yes, you can asume that the values of the general registers are completely random at the entrypoint of your Win32 program. Some very specific registers are initialized to their necessary values though (ESP, FS).

Thanks for the replies.
I'm trying to add a kind of tracer to GT (or maybe it will be separate - don't know yet). But currently I have the problem that I donÄt know how to start.
I'm just talking 'bout 32-Bit Windows, anything else is postponed
I used OllyDbg to show me some initial values but especially the ebp and esp values are not clear.

eax seems to be 0
ecx seems to be an odd combination of 4 times (01) or (00)
edx seems to be 0xffffffff
ebx seems to be 0x7ffdf000
esp seems to be (stack commit + stack reserve + 0x00010000) - anything
ebp like esp + 0x2c
esi random
edi random

Also OllyDbg (or Windows?) already pushed something on the stack. There is something like an SEH chain and some crude return address (resolves to ProcessIDToSessionID in my kernel32.dll)

Any ideas???

regards
PHaX

[gigaman]

In my opinion - since the initial register values are "random", an application cannot rely on them. So, if you "define" the initial values for your tracer somehow (e.g. as zero), it should work - i.e. no application should see any difference from the real system.

As for the values in Olly - you can check other debuggers if the values will be the same (I'd guess not). Or, other operating systems...

I think it's OK that something is already pushed on stack. I believe it's done by the OS loader - either because of the way it works (how it passes the control from to loader to the real process code), or such that the process termination is handled easily (I mean - I know that there's an implicit return address to TerminateThread, together with the arguments, pushed by CreateThread to the newly created thread's stack; maybe CreateProcess, or the code below, does something similar for the process itself).

[TQN]

I think the initial register values are depend on OS version. On my Win2000 Server, they are:
EAX = 00000000 EBX = 7FFDF000 ECX = 00000101 EDX = FFFFFFFF
ESI = 00000000 EDI = 00000000 EIP = 7C4E87F2 ESP = 0012FFC8
EBP = 0012FFF0
Seam they are same as value of phax.
The loader code on my OS is:
_BaseProcessStart@4:
7C4E87B8 55 push ebp
7C4E87B9 8B EC mov ebp,esp
7C4E87BB 6A FF push 0FFFFFFFFh
7C4E87BD 68 C8 8E 4E 7C push 7C4E8EC8h
7C4E87C2 68 B4 F0 4F 7C push offset __except_handler3 (7C4FF0B4h)
7C4E87C7 64 A1 00 00 00 00 mov eax,dword ptr fs:[00000000h]
7C4E87CD 50 push eax
7C4E87CE 64 89 25 00 00 00 00 mov dword ptr fs:[0],esp
7C4E87D5 51 push ecx
7C4E87D6 51 push ecx
7C4E87D7 51 push ecx
7C4E87D8 53 push ebx
7C4E87D9 56 push esi
7C4E87DA 57 push edi
7C4E87DB 89 65 E8 mov dword ptr [ebp-18h],esp
7C4E87DE 83 65 FC 00 and dword ptr [ebp-4],0
7C4E87E2 6A 04 push 4
7C4E87E4 8D 45 08 lea eax,[ebp+8]
7C4E87E7 50 push eax
7C4E87E8 6A 09 push 9
7C4E87EA 6A FE push 0FFFFFFFEh
7C4E87EC FF 15 4C 13 4E 7C call dword ptr [__imp__NtSetInformationThread@16 (7C4E134Ch)]
7C4E87F2 FF 55 08 call dword ptr [ebp+8] ; EP of program
7C4E87F5 50 push eax
7C4E87F6 E8 40 D7 FF FF call _ExitThread@4 (7C4E5F3Bh)
So, the initial values were changed and depend on the NtSetInformationThread function.
Hope my information can help you, phax.
Regards.

Thanks for the tip with _BaseProcessStart@4.
So the very top level of the stack is the original EBP. I'll have a look at it.
I found out that ebx originally points to the PEB (Process Environment Block). Its address is fixed at 0x7ffdf000 (it can be verified by getting fs:[0x30])
Found some stuff here (Something non-european):
hxxp://www.nsfocus.net/index.php?act=magazine&do=view&mid=2002

Why is 0x00010000 added to the initial stack frame??? Is it for checking Stack overflows?

Edit: The initial value of ebp seems to be zero, since it is the first value stored on the stack by _BaseProcessStart@4 is ebp.
My startup code looks like this:

Code:

$ ==>    > . 55             PUSH EBP                                 ;  Main entrypoint
$+1      > . 8BEC           MOV EBP,ESP
$+3      > . 6A FF          PUSH -1
$+5      > . 68 001BE877    PUSH KERNEL32.77E81B00
$+A      > . 68 97E5E777    PUSH KERNEL32.77E7E597                   ;  SE handler installation
$+F      > . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
$+15     > . 50             PUSH EAX
$+16     > . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
$+1D     > . 51             PUSH ECX
$+1E     > . 51             PUSH ECX
$+1F     > . 51             PUSH ECX
$+20     > . 53             PUSH EBX
$+21     > . 56             PUSH ESI
$+22     > . 57             PUSH EDI
$+23     > . 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP
$+26     > . 8365 FC 00     AND DWORD PTR SS:[EBP-4],0
$+2A     > . 6A 04          PUSH 4
$+2C     > . 8D45 08        LEA EAX,DWORD PTR SS:[EBP+8]
$+2F     > . 50             PUSH EAX
$+30     > . 6A 09          PUSH 9
$+32     > . 6A FE          PUSH -2
$+34     > . FF15 4C13E777  CALL DWORD PTR DS:[<&NTDLL.NtSetInformat>;  ntdll.ZwSetInformationThread
$+3A     > . FF55 08        CALL DWORD PTR SS:[EBP+8]
$+3D     > . E9 365B0200    JMP KERNEL32.77EA7631

regards
PHaX

On XP,

EAX should be 0, because it'll be the return value of one of the APIs that the PE Loader calls (NtSetInformation i think).

EBX will be the value at fs:30h, which is the program's PEB.

EDX should be KiFastSystemRet, usually, since the PE Loader API that got called ended up going through that call.

EDI/ESI should not be assumed to be anything valid.

Best regards,
Alex Ionescu
Relsoft Technologies
http://www.relsoft.net