-5

Today, only for testing purposes, I came up with the following idea: create and compile a naive source file in CodeBlocks, using the Release target to remove the unnecessary debugging code, with a main function containing only three nop operations, to find faster where the entry point of the main function is.

CodeBlocks sample naive program:

CodeBlocks code

Using the IDA disassembler, I have seen something strange: the OS can actually add additional machine code calls in the main function (added implicitly), a call to a system function which resides in kernel32.dll and is used for OS thread handling.

IDA program view:

IDA View Sample

In the machine code, only for testing reasons, the three "nop" (90) were replaced by "and esp, 0FFFFFFF0h" and the program was re-patched again; this is why the "no operation" opcodes are not available in the view.

Observed behaviour:

It is logical to create a new thread for each process that is opened; as we can explore in the Task Manager, a process runs in its own thread, and that is the reason why the compiler adds this code (the implicit default thread).

My questions:

How does the compiler know where to "inject" this call code automatically?

Why is this call not made earlier, in the upper function (sub_401B8C) which routes to the main function entry point?

LXSoft
    Presumably it's added to `main` only. The calling function is part of the C runtime, that's not generated during this compilation. Also it's not the OS adding it and it's probably added before machine code generation phase. Indeed, you can see it in `gcc -S` output already as `call ___main` (an unlucky naming choice) PS: please don't post code as images. – Jester Jul 26 '18 at 10:56
  • I have opened it with Hex-Rays too, to avoid thinking that the machine code is actually a view from memory (it is not a runtime-added call). It exists physically in the file on the disk. – LXSoft Jul 26 '18 at 11:04
  • 3
    Downvoted because all your code samples are posted as images. Don't do that please! – fuz Jul 26 '18 at 11:10
  • There's lots of speculation in your question, and with some of it it's hard to tell whether it is actually correct. In essence, it's unclear what you are really asking about, given the unreliable outset of your question. – IInspectable Jul 26 '18 at 11:13
  • @IInspectable My description was written step by step from the source code to the portable executable loaded in IDA. I have described this in too much detail, with my observations, and at the bottom are the actual questions, which are perfectly linked to the question title. The question structure provided is more than is required (almost 80% of the questions here are unstructured). So much hate... – LXSoft Jul 26 '18 at 12:04
  • 3
    Your statements are incoherent. In your question, you claim that the OS was able to somehow inject code, yet in a [comment](https://stackoverflow.com/questions/51537008/how-mingw32-g-compiler-know-where-to-inject-system-calls-in-the-win32-machine?noredirect=1#comment90042070_51537008) you explain that the calls were inserted by the compiler or linker. Actually, you didn't even provide that much detail. The structure doesn't help in clarifying any of this. – IInspectable Jul 26 '18 at 12:34
  • This is my confusion: is the call added at runtime, when the program is loaded and run in memory and modified by the OS, or statically at compile time, when the source code is compiled and linked? This is why I have tested both variants...... – LXSoft Jul 26 '18 at 12:42
  • 1
    You already established, that *"[i]t exist phisically on file on the disk"*. That pretty much precludes the OS being involved in any way. It's either the compiler or linker that generated that code, if it winds up in the PE image on disk. I don't understand, what you are confused about, or what *"both variants"* are. – IInspectable Jul 26 '18 at 12:51
  • 2
    The code is added at compile time, and is special to a function called `main` when the code generated is for a hosted environment (and not freestanding). The `and esp, 0FFFFFFF0h` is to align the stack on a 16 byte boundary which is required by GCC generated code, and as Jester points out in his answer the call is to GCC's runtime code (library) that calls global constructors. You will not find this extra code generated by the compiler for functions other than `main` – Michael Petch Jul 26 '18 at 14:06

1 Answer

5

To quote the gcc manual:

If no init section is available, when GCC compiles any function called main (or more accurately, any function designated as a program entry point by the language front end calling expand_main_function), it inserts a procedure call to __main as the first executable code after the function prologue. The __main function is defined in libgcc2.c and runs the global constructors.

Jester
  • "it inserts a procedure call to __main as the first executable code", thank you a lot! The threading stuff happens in the start() procedure. – LXSoft Jul 26 '18 at 13:44
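
The answer says `__main` "runs the global constructors"; the following added example (mine, not code from the question or the answer) makes that observable from C. A function marked `__attribute__((constructor))` is one of those global constructors: it runs before the body of `main` even though nothing in `main` calls it. On a MinGW target without an init section this happens through the `call ___main` that GCC inserts right after `main`'s prologue (visible with `gcc -S`, together with the `and esp, 0FFFFFFF0h` stack alignment from the comments above); on an ELF/Linux build the same constructor is run by the C runtime from `.init_array` and no `__main` call appears in `main`. The names `early_init`, `constructor_runs` and `helper` are my own choices for illustration. For reverse engineers the practical point is that user-controlled code can execute before the first instruction of `main`'s body, so `main` is not the earliest place to start reading.

```c
#include <stdio.h>

/* Global state written by a constructor, read later by main. */
static int g_ctor_runs = 0;

/* A "global constructor" in GCC's sense: it executes before main's body.
   MinGW (no init section): reached via the call to ___main that GCC inserts
   after main's prologue.  ELF/Linux: reached via .init_array from crt code.
   Either way, main itself never contains a visible call to it. */
__attribute__((constructor))
static void early_init(void)
{
    g_ctor_runs++;
}

/* Returns how many times the constructor ran; 1 means it ran once,
   before main, and was not re-run by any explicit call. */
int constructor_runs(void)
{
    return g_ctor_runs;
}

/* An ordinary function: GCC does not insert a __main call here,
   which is why the disassembly of non-main functions looks "clean". */
int helper(int x)
{
    return x + 1;
}

int main(void)
{
    /* By the time the first statement of main runs, early_init has
       already executed via __main (MinGW) or .init_array (ELF). */
    printf("constructor ran %d time(s) before main's body\n",
           constructor_runs());
    printf("helper(41) = %d\n", helper(41));
    return constructor_runs() == 1 ? 0 : 1;
}
```

To see the inserted call on the MinGW toolchain the question used, compile with `gcc -S -O2 ctor.c` and look at the `_main` label: the instructions after the prologue are the stack alignment and `call ___main`, and the same listing for `_helper` has neither. On a Linux gcc the `.s` file shows `early_init` referenced from `.init_array` and no `__main` call at all, which is exactly the "if no init section is available" condition in the manual text quoted in the answer.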