Register Parameter Area Annotation

Given the requirement that the register parameter area be allocated on the stack in the context of a function that calls other functions, it is possible to statically annotate specific portions of the stack frame for a function as being the location of the caller's register parameter area. Furthermore, the location of a given function's register parameter area that is to be used by called functions can also be annotated.

The location of the register parameter area is always at a fixed location in a stack frame. Specifically, it immediately follows the return address on the stack. If annotations are added for CallerRCX at offset 0x8, CallerRDX at offset 0x10, CallerR8 at offset 0x18, and CallerR9 at offset 0x20, it is possible to get a better view of the stack frame for a given function. It also makes it easier to understand when and how this region of the stack is used by a function. For instance, the CcAcquireByteRangeForWrite function in ntoskrnl.exe makes use of this area to store the values of the first four parameters:

.text:0000000000434520    mov     [rsp+CallerR9], r9
.text:0000000000434525    mov     dword ptr [rsp+CallerR8], r8d
.text:000000000043452A    mov     [rsp+CallerRDX], rdx
.text:000000000043452F    mov     [rsp+CallerRCX], rcx