I was reading about WinDbg breakpoint-based actions; it's like automating the execution of commands within the debugger when a breakpoint is triggered.
For example, this:
0:005> bp kernel32!WriteFile ".printf \"The number of bytes written is: %p\", poi(esp + 0x0C);.echo;g"
The idea of this command is to display the bytes that have been written to the file.
Ignore the command; just focus on why they used esp + 0x0C as the offset for the WriteFile API. I mean, when I checked the prototype of this WinAPI from Microsoft:
BOOL WriteFile(
[in] HANDLE hFile,
[in] LPCVOID lpBuffer,
[in] DWORD nNumberOfBytesToWrite,
[out, optional] LPDWORD lpNumberOfBytesWritten,
[in, out, optional] LPOVERLAPPED lpOverlapped
);
and this WinAPI uses the __stdcall convention because it's 32-bit, so the arguments will be pushed from right to left like this:
esp+0x00 would be the address of hFile.
esp+0x04 would be the address of lpBuffer.
esp+0x08 would be the address of nNumberOfBytesToWrite.
So why does the command above use offset 12, and why does it work instead of 8? Is there anything I missed here?
The command above is from the OSED course.
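As an added illustration (not part of the question or of the course material), here is a small Python model of the 32-bit stack at the moment a __stdcall callee such as kernel32!WriteFile is entered, which is exactly when a `bp kernel32!WriteFile` breakpoint fires. The addresses, argument values and return address are constructed; it models what the caller's `push` instructions and the `call` instruction leave on the stack, and what an `esp`-relative or `ebp`-relative offset therefore points at.

```python
"""Model of the x86 (32-bit) stack when a __stdcall function is entered.

Constructed example: stack addresses, argument values and the return
address are made up; the parameter names come from the WriteFile prototype.
"""

WRITEFILE_PARAMS = (
    "hFile",
    "lpBuffer",
    "nNumberOfBytesToWrite",
    "lpNumberOfBytesWritten",
    "lpOverlapped",
)


class Stack32:
    """A descending 32-bit stack: push() decrements esp by 4 and stores a cell."""

    def __init__(self, esp=0x0019FF00):        # constructed initial esp
        self.esp = esp
        self.cells = {}                         # address -> (label, value)

    def push(self, label, value):
        self.esp -= 4
        self.cells[self.esp] = (label, value & 0xFFFFFFFF)

    def at(self, offset):
        """Return the (label, value) stored at [esp + offset]."""
        return self.cells[self.esp + offset]


def call_stdcall(stack, params, args, return_address):
    """Emulate the caller: push arguments right-to-left, then CALL pushes the
    return address. On entry to the callee, [esp] is therefore the return
    address and the first argument is at [esp + 4]."""
    if len(params) != len(args):
        raise ValueError("argument count mismatch")
    for name, value in reversed(list(zip(params, args))):
        stack.push(name, value)
    stack.push("return address", return_address)   # done by the CALL instruction


def after_prologue(stack):
    """Emulate a standard 'push ebp / mov ebp, esp' prologue; returns ebp."""
    stack.push("saved ebp", 0x0019FF40)             # constructed caller ebp
    return stack.esp


def build_entry_stack():
    """Stack as seen by a breakpoint on the first instruction of WriteFile."""
    st = Stack32()
    # constructed call: WriteFile(0x1C, 0x402000, 0x2A, 0x0019FF80, NULL)
    call_stdcall(st, WRITEFILE_PARAMS,
                 (0x1C, 0x402000, 0x2A, 0x0019FF80, 0),
                 return_address=0x00401234)          # constructed
    return st


def what_is_at(offset):
    """Label of the cell at [esp + offset] on function entry."""
    return build_entry_stack().at(offset)[0]


def value_at(offset):
    """Value the debugger's poi(esp + offset) would read on function entry."""
    return build_entry_stack().at(offset)[1]


def arg_offset_from_ebp(name):
    """ebp-relative offset of a parameter once the callee has set up ebp."""
    st = build_entry_stack()
    ebp = after_prologue(st)
    for addr, (label, _) in st.cells.items():
        if label == name:
            return addr - ebp
    raise KeyError(name)


if __name__ == "__main__":
    st = build_entry_stack()
    for off in range(0, 4 * (len(WRITEFILE_PARAMS) + 1), 4):
        label, value = st.at(off)
        print(f"[esp+0x{off:02X}] = 0x{value:08X}  ; {label}")
```

Read with the question's command in mind: `poi(esp + 0x0C)` dereferences the DWORD at esp+0x0C, which on entry is the third parameter, `nNumberOfBytesToWrite`, because slot esp+0x00 is taken by the return address that `call` pushed. After a `push ebp / mov ebp, esp` prologue the same argument is at `ebp+0x10`, and the first argument at the familiar `ebp+8`.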
0x402020 call WriteFile
0x40202x <- return here
The call to WriteFile will push the return address 0x40202x before entering WriteFile.
So on entry into the function