Every program that is executed on a processor usually consists of small parts, often called functions or routines. These functions often modify the small, very fast memories of the processor, which are there, for example, to pass values between the functions or to tell the processor where the next instruction is. These small memories are called registers.
So important register contents that are changed must be saved at the beginning of a routine and restored at the end. The beginning is also called the prologue, the end the epilogue.
These parts of a subroutine often include techniques to avoid security holes.
What register contents need to be secured and how that needs to be done depends on the operating system respectively its kernel.
For example, FreeBSD, macOS, Solaris, and Linux (following the convention of the so-called System V ABI) use the RDI, RSI, RDX, and RCX registers for arguments for a function with four integers.
The Microsoft x64 calling convention uses RCX, RDX, R8 and R9 here.
A typical prologue in the Microsoft convention would be:
mov [RSP + 8], RCX
push R15
push R14
push R13
sub RSP, 32
lea R13, 128[RSP]
The epilogue restoring the values would look like this:
add RSP, 32
pop R13
pop R14
pop R15
ret
Here not only contents are saved but also a simple technique is used to detect a so-called buffer overflow or stack overflow. These overflows are probably the most common software vulnerabilities.
sub rsp, 28h
call __security_init_cookie
add rsp, 28h
jmp __scrt_common_main_seh
__security_init_cookie:
mov [rsp-8+arg_18], rbx
push rbp
mov rbp, rsp
sub rsp, 20h
mov rax, cs:__security_cookie
mov rbx, 123456789012h
cmp rax, rbx
jnz short ...