When using INVOKE the generated code does not seem to be great.
An example:
INVOKE SendMessage,hMsDosDump + rip,WM_CLOSE,0,0
will generate:
0x0000047D mov r9,0 49 C7 C1 00 00 00 00
0x00000484 mov r8,0 49 C7 C0 00 00 00 00
0x0000048B mov edx,10 BA 10 00 00 00
0x00000490 mov rcx,qword ptr [000000014001C820] 48 8B 0D 89 B7 01 00
0x00000497 call 000000014000C66F E8 D3 B5 00 00
0x0000049C mov r9,0 49 C7 C1 00 00 00 00 (Entered MOV R9D,0)
0x000004A3 mov r8,0 49 C7 C0 00 00 00 00 (Idem with R8)
0x000004AA mov edx,10 BA 10 00 00 00
0x000004AF mov rcx,qword ptr [000000014001CA10] 48 8B 0D 5A B9 01 00
0x000004B6 call 000000014000C66F E8 B4 B5 00 00
0x000004BB xor R8D,R8D 45 31 C0
0x000004C2 mov R8D,R9D 45 31 C9
0x000004C9 mov edx,10 BA 10 00 00 00 (It uses 32 bits register)
0x000004CE mov rcx,qword ptr [000000014001C7F0] 48 8B 0D 1B B7 01 00
0x000004D5 call 000000014000C66F E8 95 B5 00 00
The first call uses 31 bytes and the last call uses 26 bytes.
Is it normal that "MOV R9D,0" has the same encoding as "MOV R9,0"?
Windows parameters, except for addresses, are 32 bits wide, so the assembler could generate them as 32-bit operations.
My original code:
mov rcx,hMsDosHeader + rip
mov rdx,WM_CLOSE
xor r8d,r8d
xor r9d,r9d
call SendMessage
INVOKE SendMessage,hMsDosDump + rip,WM_CLOSE,0,0
mov rcx,hMsDosDump + rip
mov rdx,WM_CLOSE
mov r9d,0
mov r8d,0
call SendMessage
mov rcx,hMsDosDump + rip
mov rdx,WM_CLOSE
xor r9d,r9d ; xor with itself zeroes the register (3 bytes)
xor r8d,r8d
call SendMessage
It seems it proceeds like in C with DECLSPEC(DLLIMPORT). I have not found a call XXXXX;
in that case the assembler would have generated a JMP rather than a CALL.
Hi Philippe,
LRESULT SendMessage(
[in] HWND hWnd,
[in] UINT Msg,
[in] WPARAM wParam,
[in] LPARAM lParam
);
sizeof(UINT)=4 bytes
A quick test:
SendMessage((HWND)1,WM_CLOSE,1,1);
mov ecx, 1
mov edx, 16
mov r8d, 1
mov r9d, 1
call qword ptr [__imp_SendMessageA]
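As an added example (written for this thread, not poasm's or Pelles C's own encoder), the script below hand-encodes the instruction forms that appear in both listings above: Philippe's INVOKE output (MOV r64,imm32, XOR r32,r32, CALL rel32) and the compiler output in Vortex's test (MOV r32,imm32, CALL qword ptr [__imp_SendMessageA]). It reproduces the byte patterns from the listings so the 64-bit and 32-bit ways of zeroing an argument register can be compared byte for byte. Register names and immediates are the ones from the thread; the displacement values passed to the two CALL helpers are constructed.

```python
"""Hand encoder for the x86-64 instruction forms seen in this thread.
Example code written for the thread, not poasm's or Pelles C's own encoder."""

_BASE = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG64 = {"r" + n: i for i, n in enumerate(_BASE)}      # rax..rdi -> 0..7
REG64.update({f"r{i}": i for i in range(8, 16)})        # r8..r15  -> 8..15
REG32 = {"e" + n: i for i, n in enumerate(_BASE)}      # eax..edi
REG32.update({f"r{i}d": i for i in range(8, 16)})       # r8d..r15d


def parse_reg(name):
    """Return (register number 0-15, operand width 32 or 64)."""
    name = name.lower()
    if name in REG64:
        return REG64[name], 64
    if name in REG32:
        return REG32[name], 32
    raise ValueError(f"unsupported register: {name}")


def rex(w=0, r=0, x=0, b=0):
    """REX prefix 0100WRXB: W selects a 64-bit operand, R/B extend reg and r/m."""
    return 0x40 | (w << 3) | (r << 2) | (x << 1) | b


def modrm(mod, reg, rm):
    return (mod << 6) | (reg << 3) | rm


def mov_imm(dst, imm):
    """MOV reg, imm32.
    32-bit dst: [REX.B] B8+rd id (5-6 bytes); the CPU zeroes the upper half
                of the 64-bit register, so r9d = 0 also makes r9 = 0.
    64-bit dst: REX.W C7 /0 id (7 bytes), imm32 sign-extended to 64 bits."""
    num, width = parse_reg(dst)
    if width == 32:
        if not 0 <= imm <= 0xFFFFFFFF:
            raise ValueError("immediate does not fit in 32 bits")
        out = bytearray([rex(b=1)] if num >= 8 else [])
        out.append(0xB8 + (num & 7))
        out += imm.to_bytes(4, "little")
    else:
        if not -0x80000000 <= imm <= 0x7FFFFFFF:
            raise ValueError("immediate does not fit in a sign-extended imm32")
        out = bytearray([rex(w=1, b=num >> 3), 0xC7, modrm(3, 0, num & 7)])
        out += imm.to_bytes(4, "little", signed=True)
    return bytes(out)


def xor_rr(dst, src):
    """XOR r/m32, r32 (31 /r): the 2-3 byte way to zero a register.
    REX.R comes from src (reg field), REX.B from dst (r/m field)."""
    d, dw = parse_reg(dst)
    s, sw = parse_reg(src)
    if dw != 32 or sw != 32:
        raise ValueError("only the 32-bit form is needed for zeroing")
    out = bytearray([rex(r=s >> 3, b=d >> 3)] if (d | s) >= 8 else [])
    out += bytes([0x31, modrm(3, s & 7, d & 7)])
    return bytes(out)


def call_rel32(rel):
    """E8 cd: direct call, target = next instruction + rel (the INVOKE listing)."""
    return b"\xE8" + rel.to_bytes(4, "little", signed=True)


def call_rip_indirect(disp):
    """FF 15 cd: call qword ptr [rip+disp32], i.e. through a pointer slot such
    as __imp_SendMessageA in the import address table (the compiler listing)."""
    return b"\xFF\x15" + disp.to_bytes(4, "little", signed=True)


def decode_rex(byte):
    """Split a REX prefix into its W/R/X/B bits (None if not a REX byte)."""
    if byte & 0xF0 != 0x40:
        return None
    return {"W": (byte >> 3) & 1, "R": (byte >> 2) & 1,
            "X": (byte >> 1) & 1, "B": byte & 1}


def total_size(insns):
    return sum(len(i) for i in insns)


# Zeroing r9/r8 and loading WM_CLOSE (0x10) into edx, as INVOKE emitted it
# (64-bit MOV form) and in the shorter 32-bit form.
INVOKE_STYLE = [mov_imm("r9", 0), mov_imm("r8", 0), mov_imm("edx", 0x10)]
COMPACT = [xor_rr("r9d", "r9d"), xor_rr("r8d", "r8d"), mov_imm("edx", 0x10)]

if __name__ == "__main__":
    for label, seq in (("64-bit MOV form", INVOKE_STYLE), ("32-bit XOR form", COMPACT)):
        print(f"{label}: {' | '.join(i.hex(' ').upper() for i in seq)}"
              f"  ({total_size(seq)} bytes)")
    print("REX 0x49 =", decode_rex(0x49))
    # 0x0D89 is a constructed displacement, not a value from the thread
    print("call [rip+disp]:", call_rip_indirect(0x0D89).hex(" ").upper())
```

The 0x49 byte in front of the listed "MOV R9D,0" decodes to REX.W=1, REX.B=1, which is the 64-bit MOV r64,imm32 form; the 32-bit MOV r9d,0 is 41 B9 00 00 00 00 and XOR r9d,r9d is 45 31 C9, and since a 32-bit write clears the upper half of the register all three leave r9 = 0. The three argument moves cost 19 bytes in the 64-bit form and 11 in the 32-bit form. FF 15 disp32 reads the 8-byte slot at rip+disp32; for an import that slot is the IAT entry the Windows loader fills with the function's address before the program starts, so the program itself does not call LoadLibrary or GetProcAddress for it.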
Hi Vortex,
This call is made with an import like this one; must LoadLibrary & GetProcAddress be called when launching the software?
Hi Philippe,
We talked about this method, probably better than GetProcAddress:
https://forum.pellesc.de/index.php?topic=11472.msg40299#msg40299
Hi Vortex,
It is not the same; in this case it is Windows that must do it when crossing the PE Filer.
SendMessage can be found in the user32.lib import library, so why not just use it?
Hi Philippe,
Quote: It is not the same; in this case it is Windows that must do it when crossing the PE Filer.
Could you give more details about the case of portables executables?
If I remember, Windows must load the library then call GetProcAddress; it is the reason some software takes very long to start.
Hi Philippe,
Could you check my NoImport example?
https://forum.pellesc.de/index.php?topic=11386.msg39685#msg39685
Perfect, that's what the OS does with some PE files.
Quote from: HellOfMice on January 18, 2025, 09:21:28 AM
If I remember, Windows must load the library then call GetProcAddress; it is the reason some software takes very long to start.
Quote from: HellOfMice on January 18, 2025, 10:11:06 AM
Perfect, that's what the OS does with some PE files.
What do these sentences actually mean?
Any links?
Hi Philippe,
The import section of a Portable Executable contains all the data to call the external API functions, why this should cause any delay? Could you provide more details?