This can only be used for telling the compiler to directly call the DLL function rather than creating a stub.
That means, for example, if I call CreateWindowEx the compiler generates "JMP XXXXX" and at the "XXXXX" we have a "CALL CreateWindowEx" address. This directive kills the "JMP XXXXX".
How to do the same in ASM, where this directive does not exist?
Hi Philippe,
I think you are trying to call directly an API function to avoid jump tables, is that right?
Yes, if the C compiler does it, I thought the assembler could do it also.
Hi Philippe,
The ArgCount and prX macros were coded by Hutch, maintainer of the Masm32 package. You can find them in the master include file \masm32\include\windows.inc
.386
.model flat,stdcall
option casemap:none

; ArgCount builds a PROTO type with 'number' DWORD arguments; prN are the
; resulting prototypes used to type the import pointers below
ArgCount MACRO number
    LOCAL txt
    txt equ <typedef PROTO :DWORD>
    REPEAT number - 1
        txt CATSTR txt,<,:DWORD>
    ENDM
    EXITM <txt>
ENDM

pr0 typedef PROTO
pr1 ArgCount(1)
pr2 ArgCount(2)
pr3 ArgCount(3)
pr4 ArgCount(4)

MB_OK equ 0

; Declare the import-table pointers themselves rather than the jump stubs.
; Under stdcall the assembler decorates these to __imp__Name@N (see the
; disassembly below), which is exactly what the import library exports.
EXTERNDEF _imp__MessageBoxA:pr4
EXTERNDEF _imp__ExitProcess:pr1

MessageBox  TEXTEQU <_imp__MessageBoxA>
ExitProcess TEXTEQU <_imp__ExitProcess>

.data
capt db 'Hello',0
msg  db 'Direct function call demo',0

.code
start:
    push MB_OK
    push OFFSET capt
    push OFFSET msg
    push 0
    call MessageBox         ; call dword ptr [__imp__MessageBoxA@16], no stub
    push 0
    call ExitProcess        ; call dword ptr [__imp__ExitProcess@4]
END start
Disassembling the object module:

_start PROC NEAR
    push 0
    push offset capt
    push offset msg
    push 0
    call dword ptr [__imp__MessageBoxA@16]
    push 0
    call dword ptr [__imp__ExitProcess@4]
_start ENDP
I verified this in my post about INVOKE
Hi Philippe,
You can try the same method with 64-bit coding.
What I read in the help file is that it generates __imp__function, but I don't see it in DBG64 (looks like OllyDbg).
Hi Philippe,
During the x32\64dbg session, you should see something like the following:
call dword ptr ds:[<MessageBoxA>] ; Direct function call
The expression _imp__ is a part of the MS COFF object file name decoration.
Hi Erol,
Thank you.
I thought that it was also in the exe file because I found a function declared with it:
WriteClassStm TEXTEQU <__imp_WriteClassStm>
Should TEXTEQU be replaced by ALIAS?
Thanks
Philippe
Hi Philippe,
Better to keep things simple so TEXTEQU is preferable.
So poasm INVOKE is tricky.
This makes a jump table:
;hello64.asm
extern ExitProcess : proc
extern MessageBoxA : proc           ; resolved to the import library's jmp stubs
.data
text    db "Hello world!",0
caption db "Message",0
.code
WinMainCRTStartup proc
    sub rsp, 28h                    ; shadow space + 16-byte alignment
    xor r9, r9                      ; uType = MB_OK
    lea r8, [rip + caption]         ; lpCaption
    lea rdx, [rip + text]           ; lpText
    xor ecx, ecx                    ; hWnd = 0
    call MessageBoxA                ; call rel32 -> jmp [__imp_MessageBoxA] stub
    xor ecx, ecx                    ; uExitCode = 0
    call ExitProcess
WinMainCRTStartup endp
end
This does not:
;hello64x.asm
extern __imp_ExitProcess :QWORD     ; import pointers are 8 bytes in x64
extern __imp_MessageBoxA :QWORD
; The TEXTEQUs turn each name into a direct call through the IAT slot
ExitProcess TEXTEQU <qword ptr [rip+__imp_ExitProcess]>
MessageBox  TEXTEQU <qword ptr [rip+__imp_MessageBoxA]>
.data
text    db "Hello world!",0
caption db "Message",0
.code
WinMainCRTStartup proc
    sub rsp, 28h                    ; shadow space + 16-byte alignment
    xor r9, r9                      ; uType = MB_OK
    lea r8, [rip + caption]         ; lpCaption
    lea rdx, [rip + text]           ; lpText
    xor ecx, ecx                    ; hWnd = 0
    ;call qword ptr [rip+__imp_MessageBoxA]
    call MessageBox                 ; same instruction as the commented line
    xor ecx, ecx                    ; uExitCode = 0
    ;call qword ptr [rip+__imp_ExitProcess]
    call ExitProcess
    ;INVOKE ExitProcess
WinMainCRTStartup endp
end
So the problem is: how to use INVOKE the same way?
Use Pelle's pope.exe to check the results.
To add pope to the file manager menu:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\*\shell\Open With Pope\command]
@="\"c:\\code\\bin64\\pope.exe\" %1"
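The two ways of reaching an import that the listings above produce can be told apart in the compiled bytes: hello64.asm gives a near call (E8 rel32) into a linker stub that is a jmp qword ptr [rip+__imp_X] (FF 25), while hello64x.asm gives a call qword ptr [rip+__imp_X] (FF 15) straight through the IAT slot. The following Python scanner is an added example, not code from this thread or from poasm; the code bytes, image base and IAT slot addresses it works on are constructed for the demo.

```python
import struct
# Constructed for this demo: image address of the code bytes, and which IAT
# slots (the __imp_ pointers the thread talks about) hold which import.
CODE_BASE = 0x140001000
IAT = {0x140003000: "MessageBoxA", 0x140003008: "ExitProcess"}

def rel32(code, off):
    """Signed 32-bit displacement stored at code[off:off+4]."""
    return struct.unpack_from("<i", code, off)[0]

def iat_slot(code, off):
    """Absolute [rip+disp32] operand of an FF 15 (call) / FF 25 (jmp) at off."""
    return CODE_BASE + off + 6 + rel32(code, off + 2)   # rip = next instruction

def is_thunk(code, off):
    """True if a 'jmp qword ptr [rip+disp32]' import stub starts at off."""
    return 0 <= off and off + 6 <= len(code) and code[off:off + 2] == b"\xFF\x25"

def classify_calls(code):
    """(offset, kind, import) per call: 'via-thunk' = call rel32 into a jmp-[__imp_X]
    stub (hello64.asm's jump table); 'direct-iat' = call [rip+__imp_X] (hello64x.asm)."""
    found, off = [], 0
    while off < len(code):
        op = code[off]
        if op == 0xE8 and off + 5 <= len(code):                        # call rel32
            target = off + 5 + rel32(code, off + 1)
            if is_thunk(code, target):
                found.append((off, "via-thunk", IAT.get(iat_slot(code, target), "?")))
            else:
                found.append((off, "local", None))                     # not an import
            off += 5
        elif op == 0xFF and off + 6 <= len(code) and code[off + 1] == 0x15:  # call [rip+d]
            found.append((off, "direct-iat", IAT.get(iat_slot(code, off), "?")))
            off += 6
        elif is_thunk(code, off):                                      # skip stub body
            off += 6
        else:
            off += 1   # not a disassembler: the sample only has ret/int3 otherwise
    return found

# Constructed x64 bytes: call into the thunk at 0x20 (MessageBoxA), a direct call
# through the ExitProcess slot, ret, int3 padding, then the thunk itself.
SAMPLE = bytes.fromhex(
    "E81B000000"        # 0x00 call +0x1B                   -> thunk at 0x20
    "FF15FD1F0000"      # 0x05 call qword ptr [rip+0x1FFD]  -> 0x140003008
    "C3" + "CC" * 20 +  # 0x0B ret, then int3 padding up to 0x20
    "FF25DA1F0000")     # 0x20 jmp qword ptr [rip+0x1FDA]   -> 0x140003000

if __name__ == "__main__":
    for off, kind, name in classify_calls(SAMPLE):
        print(f"{CODE_BASE + off:#x}: {kind:<10} {name}")
```

Running it on a real .text section would need the IAT map read from the PE import directory; here the map is hard-coded so the example stays offline.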
Thank You Timo :)