`__chkstk` screws up stack pointer analysis

[xusheng6]

In the screenshot, we see that rsp becomes a variable due to the __chkstk call:

BEDaisy.sys.zip

If we patch and remove the code the stack variables are correctly analyzed:

[zznop]

In case it's useful to anyone else, here's a snippet that automates nop'ng out the instructions surrounding calls to chkstk.

# Find all calls to __chkstk and nop out the call instruction and code operating on rsp
# 1400639b0  e83b310100         call    __chkstk
# 1400639b5  4829c4             sub     rsp, rax
for ref in bv.get_code_refs(bv.get_functions_by_name("__chkstk")[0].start):
    bv.write(ref.address, b"\x90"*8)

bv.reanalyze()

[mishka-freddy]

Is there any update on this issue?

[psifertex]

No updates -- because there's a documented work-around it's currently prioritized as low impact but medium effort which means we're unlikely to get to it soon. If the work-around doesn't produce good results for you or there's other reasons we should re-assess the impact, definitely let us know!

[monotonik-guy]

In case it's useful to anyone else, here's a snippet that automates nop'ng out the instructions surrounding calls to chkstk.

Find all calls to __chkstk and nop out the call instruction and code operating on rsp

#1400639b0  e83b310100         call    __chkstk
#1400639b5  4829c4             sub     rsp, rax
for ref in bv.get_code_refs(bv.get_functions_by_name("__chkstk")[0].start):
    bv.write(ref.address, b"\x90"*8)

bv.reanalyze()```

actually it's not totally correct, because rsp don't match properly, actually need to take constant from rax register and replace sub to sub rsp, {constant} and problem happen when some of replaced instructions is related to relocations, then this will not work. Better solution to write workflow fix for this.