The final calling convention that I haven’t gone over in depth is __thiscall.<\/p>\n
Unlike the other calling conventions that I have previously discussed, __thiscall is not typically explicitly decorated on functions (and in most cases, you cannot decorate it explicitly).<\/p>\n
As the name might imply, __thiscall is used exclusively for functions that have a this<\/em> pointer – that is, non-static C++ class member functions. In a non-static C++ class member function, the this<\/em> pointer is passed as a hidden argument. In Microsoft C++, the hidden argument is the first actual argument to the routine.<\/p>\n When a function is __thiscall, you will typically see the this<\/em> pointer passed in the ecx<\/em> register. In this respect, __thiscall is rather similar to __fastcall, as the first argument (this<\/em>) is passed via register in ecx<\/em>. Unlike __fastcall, however, all remaining arguments are passed via the stack; edx<\/em> is not supported as an additional argument register. Like __fastcall and __stdcall, when using __thiscall, the callee cleans the stack (and not the caller).<\/p>\n In some circumstances, with non-exported, internal-only-to-a-module functions, CL may use ebx<\/em> instead of ecx<\/em> for this<\/em>. For any exported __thiscall function (or a function whose address escapes a module), the compiler must use ecx<\/em> for this<\/em>, however.<\/p>\n Continuing with the previous examples, consider a function implementation like so:<\/p>\n This function operates the same as the other example functions that we have used, with the exception that ‘c’ is a member variable and not a parameter.<\/p>\n The implementation of this function looks like so in assembler:<\/p>\n Note that [ecx+0]<\/em> is the offset of the member variable ‘c’ from this<\/em>. This function is similar to the __stdcall version, except that instead of being passed as an explicit argument, the ‘c’ parameter is implicitly passed as part of the class object this<\/em> and is then referenced off of the this<\/em> pointer.<\/p>\n Consder a call to this function like this in C:<\/p>\n This is actually a bit more complicated than the other examples, because we also have a call to operator new<\/em> to allocate memory for the class object. In this instance, operator new<\/em> is a __cdecl function that takes a single argument, which is the count in bytes to allocate. Here, sizeof(class C) is 4 bytes.<\/p>\n In assembler, we can thus expect to see something like this:<\/p>\n Ignoring the call to operator new<\/em> for the most part, this is relatively what we would expect. ecx<\/em> is used to pass this<\/em>, and this->c<\/em> is set to 3 before the call to ThiscallFunction1, as we would expect, given the C++ code.<\/p>\n With all of this information, you should have all you need to recognize and identify __thiscall functions. The main takeaways are:<\/p>\n Note that if you explicitly specify a calling convention on a class member function, the function ceases to be __thiscall and takes on the characteristics of the specified calling convention, passing this<\/em> as the first argument according to the conventions of the requested calling convention.<\/p>\n That’s all for __thiscall. Next up in this series is a brief review and table of contents of what we have covered so far with common Win32 x86 calling conventions.<\/p>\n","protected":false},"excerpt":{"rendered":" The final calling convention that I haven’t gone over in depth is __thiscall. Unlike the other calling conventions that I have previously discussed, __thiscall is not typically explicitly decorated on functions (and in most cases, you cannot decorate it explicitly). As the name might imply, __thiscall is used exclusively for functions that have a this […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,8,5],"tags":[],"_links":{"self":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/73"}],"collection":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=73"}],"version-history":[{"count":1,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/73\/revisions"}],"predecessor-version":[{"id":647,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/73\/revisions\/647"}],"wp:attachment":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=73"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=73"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=73"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}class C\r\n{\r\npublic:\r\n\tint c;\r\n\r\n\t__declspec(noinline)\r\n\tint ThiscallFunction1(int a, int b)\r\n\t{\r\n\t\treturn (a + b) * c;\r\n\t}\r\n};<\/pre>\n\r\nC::ThiscallFunction1 proc near\r\n\r\na= dword ptr 4\r\nb= dword ptr 8\r\n\r\nmov eax, [esp+8] ; eax=b\r\nmov edx, [esp+4] ; edx=a\r\nadd eax, edx ; eax=a+b\r\nimul eax, [ecx] ; eax=eax*this->c\r\nretn 8 ; return eax;\r\nC::ThiscallFunction1 endp\r\n<\/pre>\n
C* c = new C;\r\nc->c = 3;\r\nc->ThiscallFunction1(1, 2);<\/pre>\n
push 4 ; sizeof(class C) \r\ncall operator new ; allocate a class C object\r\nadd esp, 4 ; clean stack from new call\r\npush 2 ; 'a'\r\npush 1 ; 'b'\r\nmov ecx, eax ; (class C* c)'this'\r\nmov dword ptr [eax], 3 ; c->c = 3\r\ncall C::ThiscallFunction1 ; Make the call\r\n<\/pre>\n
\n