Question

Recently I disassembled a DLL (written in c/c++) and noticed that there are many "jump stubs" inside the code segment. These stubs do nothing but jump to a function inside the DLL.

eg: 

jmp foo() 
jmp foo2()
...

Why does the compiler (Visual studio 2012) include these function stubs inside the binary?

Thanks!

Was it helpful?

Solution

Is there a big bunch of 0xCC bytes after all the stubs? If so, you're looking at code which has been compiled with incremental linking enabled (default for debug builds).

When compiling for incremental linking, the compiler creates a stub for every function and makes sure that all calls go via the stub. In case a function needs to be replaced with updated code, the new code can be added the end and only the jump thunk needs to be patched - all existing calls will be redirected to the new code. The extra CCs are reserved for more stubs in case new functions are added.

For more background info, see MSDN.

OTHER TIPS

That's how the symbols for the linker and DLL are "mashed together". It guarantees that the right kind of offset is used in the symbol table, that can be resolved by the loader that loads the DLL (and thus updates the address of the functions in the DLL), and that compiled code can still deal with for example function pointers:

void (*fptr)() = foo;

If foo is just a reference to a place in the DLL, how this address is resolved will be dependent on the loader. It's much more complex to solve that, than it is to solve the problem of "here's a foo() entry point, that gets you to the real foo".

DLL's are relocatable, which means they may end up anywhere in memory. This means all calls to them have to be rewritten. By keeping all such calls together in a small jumptable, only one page needs to be rewritten in case of a relocation. This matters, because an unchanged page of code can be shared across processes, but each process has its own copy of a modified page.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top