@@ -181,20 +181,20 @@ In this structure, only a few fields really matter. The rest we simply make NUL
181181``` nasm
182182 ; Call CreateProcessA
183183 mov rax, rsp ; Get current stack pointer
184- sub rax, 0x500 ; Setup space on the stack for holding process info
185- push rax ; ProcessInfo
186- push rdi ; StartupInfo -> Pointer to STARTUPINFOA
184+ sub rax, 0x18 ; Setup space on the stack for holding process info
185+ push rax ; Address of the ProcessInformation structure | 10th parameter
186+ push rdi ; Address of the STARTUPINFOA structure | 9th parameter
187187 xor rax, rax
188- push rax ; lpCurrentDirectory
189- push rax ; lpEnvironment
190- push rax
188+ push rax ; lpCurrentDirectory | 8th parameter
189+ push rax ; lpEnvironment | 7th parameter
190+ push rax ; dwCreationFlags | 6th parameter
191191 inc rax
192- push rax ; bInheritHandles -> 1
192+ push rax ; bInheritHandles -> 1 | 5th parameter
193193 xor rax, rax
194- push rax ; hStdInput = NULL
195- push rax ; hStdOutput = NULL
196- push rax ; hStdError = NULL
197- push rax ; dwCreationFlags
194+ push rax ; Reserve space for the function return area | 4th parameter
195+ push rax ; Reserve space for the function return area | 3rd parameter
196+ push rax ; Reserve space for the function return area | 2nd parameter
197+ push rax ; Reserve space for the function return area | 1st parameter
198198 mov r8, rax ; lpThreadAttributes
199199 mov r9, rax ; lpProcessAttributes
200200 mov rdx, rcx ; lpCommandLine = "cmd.exe"
0 commit comments