Believe it or not, calling conventions is one of the things that\nprograms frequently get wrong. The compiler yells at you when\nyou mismatch a calling convention, but lazy programmers will just\nstick a cast in there to get the compiler to “shut up already”.<\/p>\n
\nAnd then Windows is stuck having to support your buggy code forever.\n<\/p>\n
\nSo many people misdeclare their window procedures (usually by\ndeclaring them as __cdecl instead of __stdcall),\nthat the function that dispatches messages to window procedures\ncontains extra protection\nto detect incorrectly-declared window procedures and perform the\nappropriate fixup. This is the source of the mysterious 0xdcbaabcd\non the stack. The function that dispatches messages to window\nprocedures checks whether this value is on the stack in the correct\nplace. If not, then it checks whether the window procedure popped\none dword too much off the stack (if so, it fixes up the stack;\nI have no idea how this messed up a window procedure could have existed),\nor whether the window procedure was mistakenly declared as __cdecl\ninstead of __stdcall (if so, it pops the parameters off the stack that\nthe window procedure was supposed to do).\n<\/p>\n<\/dd>\n
\nMany DirectX functions use callbacks, and people once again misdeclared\ntheir callbacks as __cdecl instead of __stdcall, so the DirectX\nenumerators have to do special stack cleanup for those bad functions.\n<\/p>\n<\/dd>\n
\nI remember there was one program that decided to declare their\nCreateViewWindow function incorrectly, and somehow they managed\nto trick the compiler into accepting it!\n<\/p>\n
\nclass BuggyFolder : public IShellFolder ... {\n ...\n \/\/ wrong function signature!\n HRESULT CreateViewObject(HWND hwnd) { return S_OK; }\n}\n<\/pre>\n\nNot only did they get the function signature wrong, they\nreturned S_OK even though they failed to do anything!\nI had to add extra code to clean up the stack after calling this\nfunction, as well as verify that the return value wasn’t a lie.\n<\/p>\n
\n\nThe function signature required for functions called by rundll32.exe\nis documented in this Knowledge Base article<\/a>.\nThat hasn’t stopped people from using rundll32 to call random functions\nthat weren’t designed to be called by rundll32,\n\nlike user32 LockWorkStation<\/a> or\n\nuser32 ExitWindowsEx<\/a>.\n<\/p>\n \nLet’s walk through what happens when you try to use rundll32.exe\nto call a function like ExitWindowsEx:\n<\/p>\n \nThe rundll32.exe program parses its command line and calls the\nExitWindowsEx function on the assumption that the function is written\nlike this:<\/p>\n But it isn’t. The actual function signature for ExitWindowsEx is<\/p>\n What happens? Well, on entry to ExitWindowsEx, the stack\nlooks like this:\n<\/p>\n\nvoid CALLBACK ExitWindowsEx(HWND hwnd, HINSTANCE hinst,\n LPSTR pszCmdLine, int nCmdShow);\n<\/pre>\n
\nBOOL WINAPI ExitWindowsEx(UINT uFlags, DWORD dwReserved);\n<\/pre>\n