Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun
Abstract: As Windows x64 becomes a more prominent platform, it will become necessary to develop techniques that improve the binary analysis process. In particular, automated techniques that can be performed prior to doing code or data flow analysis can be useful in gaining a better understanding of how a binary operates. To that end, this paper gives a brief explanation of some of the changes that have been made to support Windows x64 binaries. From there, a few basic techniques are illustrated that can be used to improve the process of identifying functions, annotating their stack frames, and describing their exception handler relationships. Source code for an example IDA plugin is also included that shows how these techniques can be implemented.

Thanks: The author would like to thank bugcheck, sh0k, jt, spoonm, and Skywing.

Update: The article in MSDN Magazine by Matt Pietrek was published after this article was written. However, it contains a lot of useful information and touches on many of the same topics that this article covers in the background chapter. The article can be found here: http://msdn.microsoft.com/msdnmag/issues/06/05/x64/default.aspx.

With that, on with the show...