Hello,
In C++ (and other LLVM-based languages), the Windows API function address
is taken from the DLL after it has been loaded into the virtual memory space
(or at least something like that).
In Go, everything is wrapped around that SyscallN function, and sadly I do
not understand how it works.
1. Why is it called syscall? I know syscalls in Windows have a syscall
number ...
2. I feel (just a feeling) that it is bypassing the hooks put in place by security
solutions (Bitdefender and other EDRs) that hook syscalls after ntdll has been
loaded into process memory.
I found the definition here:
```
func syscall_SyscallN(fn uintptr, args ...uintptr) (r1, r2, err uintptr) {
	if len(args) > maxArgs {
		panic("runtime: SyscallN has too many arguments")
	}

	// The cgocall parameters are stored in m instead of in
	// the stack because the stack can move during fn if it
	// calls back into Go.
	c := &getg().m.winsyscall
	c.fn = fn
	c.n = uintptr(len(args))
	if c.n != 0 {
		c.args = uintptr(noescape(unsafe.Pointer(&args[0])))
	}
	cgocall(asmstdcallAddr, unsafe.Pointer(c))

	// cgocall may reschedule us on to a different M,
	// but it copies the return values into the new M's
	// so we can read them from there.
	c = &getg().m.winsyscall
	return c.r1, c.r2, c.err
}
```
If I look at the doc for getg, I read:
```
getg returns the pointer to the current g. The compiler rewrites calls to
this function into instructions that fetch the g directly (from TLS or from
the dedicated register).
```
Does that mean all the addresses are written in the TLS allocated at the
beginning of the program?
Any more docs about what "g" and "m" stand for?
I would be very thankful if someone could help clarify this, as I find it
fascinating.
Thanks
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/golang-nuts/9fe5be51-bda3-49f1-a160-eecb9210390dn%40googlegroups.com.
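An added example (an editor's illustration, not part of the original post and not code from the Go runtime) for the two questions above: where the `fn` that `SyscallN` receives comes from, and whether the call sidesteps user-mode hooks. `syscall.SyscallN` makes an ordinary native call (through `asmstdcall`) to whatever address it is handed; it never executes a `syscall` instruction itself. That address normally comes from `syscall.NewLazyDLL(...).NewProc(...)`, which calls `GetProcAddress` on the module already mapped into the process, so the call lands on the export's first bytes, including any `jmp` an EDR has written there. The block walks a PE export table by hand on a constructed in-memory image (the fake ntdll, its export names, the syscall number 0x12, the jump target and the load address are all made up) to show what that resolution yields, then checks whether the resolved prologue starts with an unconditional jump, the check hook-aware tooling performs on the real `ntdll.dll`. It runs on any OS because it never touches a real module.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	dosLfanewOff       = 0x3C  // e_lfanew: offset of the "PE\0\0" signature
	coffHeaderSize     = 20    // IMAGE_FILE_HEADER
	pe32PlusMagic      = 0x20B // optional header magic of a 64-bit image
	dataDirOffPE32Plus = 112   // DataDirectory[] start inside a PE32+ optional header
)

func u16(b []byte, off int) uint16 { return binary.LittleEndian.Uint16(b[off:]) }
func u32(b []byte, off int) uint32 { return binary.LittleEndian.Uint32(b[off:]) }

// findExport walks the export directory of an in-memory PE32+ image (RVAs are
// offsets into img) and returns the RVA of the named export: the core of
// GetProcAddress. base+RVA is what becomes the fn argument of SyscallN. No forwarders.
func findExport(img []byte, name string) (uint32, error) {
	if len(img) < 0x40 || string(img[:2]) != "MZ" {
		return 0, errors.New("not a PE image")
	}
	nt := int(u32(img, dosLfanewOff))
	opt := nt + 4 + coffHeaderSize // optional header follows "PE\0\0" and the COFF header
	if nt < 0 || opt+dataDirOffPE32Plus+4 > len(img) || string(img[nt:nt+4]) != "PE\x00\x00" ||
		u16(img, opt) != pe32PlusMagic {
		return 0, errors.New("bad NT headers or not a PE32+ image")
	}
	e := int(u32(img, opt+dataDirOffPE32Plus)) // IMAGE_EXPORT_DIRECTORY RVA
	if e == 0 || e+40 > len(img) {
		return 0, errors.New("no export table")
	}
	numNames, funcs, names, ords := int(u32(img, e+24)), int(u32(img, e+28)), int(u32(img, e+32)), int(u32(img, e+36))
	if names+4*numNames > len(img) || ords+2*numNames > len(img) {
		return 0, errors.New("export table out of bounds")
	}
	want := append([]byte(name), 0) // export names are NUL-terminated ASCII
	for i := 0; i < numNames; i++ {
		nameRVA := int(u32(img, names+4*i))
		if nameRVA >= len(img) || !bytes.HasPrefix(img[nameRVA:], want) {
			continue
		}
		// The (unbiased) ordinal at the same index selects the AddressOfFunctions slot.
		if ord := int(u16(img, ords+2*i)); funcs+4*ord+4 <= len(img) {
			return u32(img, funcs+4*ord), nil
		}
		return 0, errors.New("function table out of bounds")
	}
	return 0, fmt.Errorf("export %q not found", name)
}

// looksInlineHooked reports whether an export starts with an unconditional jump
// (E9 rel32 or FF 25 [rip+disp32]), the shape a user-mode EDR inline hook leaves in
// a hooked ntdll stub; a clean Nt* stub starts with "mov r10, rcx; mov eax, <ssn>; syscall".
func looksInlineHooked(img []byte, rva uint32) bool {
	p := int(rva)
	return p >= 0 && p+2 <= len(img) && (img[p] == 0xE9 || (img[p] == 0xFF && img[p+1] == 0x25))
}

// buildTestImage constructs a minimal fake ntdll-like PE32+ image with two exports:
// NtOpenProcess with a clean syscall stub and NtWriteVirtualMemory whose prologue was
// overwritten with a jmp. All offsets, the syscall number 0x12 and the jump target are made up.
func buildTestImage() []byte {
	img := make([]byte, 0x400)
	copy(img, "MZ")
	copy(img[0x40:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x58:], pe32PlusMagic) // optional header at 0x40+4+20
	for _, w := range [][2]uint32{
		{dosLfanewOff, 0x40},                                          // e_lfanew
		{0x58 + dataDirOffPE32Plus, 0x200},                            // DataDirectory[0] = export directory
		{0x200 + 20, 2}, {0x200 + 24, 2},                              // NumberOfFunctions, NumberOfNames
		{0x200 + 28, 0x240}, {0x200 + 32, 0x250}, {0x200 + 36, 0x260}, // AddressOfFunctions/Names/NameOrdinals
		{0x240, 0x300}, {0x244, 0x320},                                // function RVAs for ordinals 0 and 1
		{0x250, 0x270}, {0x254, 0x280},                                // name RVAs
	} {
		binary.LittleEndian.PutUint32(img[w[0]:], w[1])
	}
	binary.LittleEndian.PutUint16(img[0x262:], 1) // name 1 -> ordinal 1 (name 0 -> ordinal 0 is already zero)
	copy(img[0x270:], "NtOpenProcess\x00")
	copy(img[0x280:], "NtWriteVirtualMemory\x00")
	// Clean stub: mov r10,rcx ; mov eax,0x12 ; syscall ; ret
	copy(img[0x300:], []byte{0x4C, 0x8B, 0xD1, 0xB8, 0x12, 0, 0, 0, 0x0F, 0x05, 0xC3})
	// Hooked stub: jmp +0x1000 (a hypothetical EDR trampoline) replaces the prologue
	copy(img[0x320:], []byte{0xE9, 0x00, 0x10, 0x00, 0x00, 0x0F, 0x05, 0xC3})
	return img
}

func main() {
	img := buildTestImage()
	for _, name := range []string{"NtOpenProcess", "NtWriteVirtualMemory", "NtClose"} {
		rva, err := findExport(img, name) // module base + rva is the fn you would hand to SyscallN
		fmt.Printf("%-22s rva=%#x err=%v inline-hooked=%v\n", name, rva, err, looksInlineHooked(img, rva))
	}
}
```

Run it with `go run`. On a real Windows process you would feed `findExport` the bytes of the mapped `ntdll.dll` (module base from `GetModuleHandle`, pages read from your own address space) and find that base+RVA equals what `NewProc(...).Addr()` returns: the same hooked or unhooked bytes, because `SyscallN` simply calls that address. Nothing in `SyscallN`, `getg` or the `m` structure resolves or caches API addresses; `m.winsyscall` only holds the call parameters while the runtime switches to the system stack.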