__declspec

[HellOfMice]

This can only use for telling the compiler to directly call the dll function rather than creating a stub.


That means, for example, if I call CreateWindowEx the compiler generates "JMP XXXXX" and at the "XXXXX" we have a "CALL CreateWIndowss" Address. This directive kills the "JMP XXXXX".


How to do the same in ASM this directive does not exist?

[Vortex]

Hi Philippe,

I think you are trying to call directly an API function to avoid jump tables, is that right?

[HellOfMice]

Yes, if the C compiler does it I thought the assembler could do it also

[Vortex]

Hi Philippe,

The ArgCount and prX macros were coded by Hutch, maintainer of the Masm32 package. You can find them in the master include file \masm32\include\windows.inc

Code Select Expand

.386
.model flat,stdcall
option casemap:none       

ArgCount MACRO number
LOCAL txt
    txt equ <typedef PROTO :DWORD>
    REPEAT number - 1
        txt CATSTR txt,<,:DWORD>
    ENDM
    EXITM <txt>
ENDM

pr0  typedef PROTO
pr1  ArgCount(1)
pr2  ArgCount(2)
pr3  ArgCount(3)
pr4  ArgCount(4)

MB_OK equ 0

EXTERNDEF _imp__MessageBoxA:pr4
EXTERNDEF _imp__ExitProcess:pr1

MessageBox TEXTEQU <_imp__MessageBoxA>
ExitProcess TEXTEQU <_imp__ExitProcess>

.data

capt    db 'Hello',0
msg     db 'Direct function call demo',0

.code

start:

    push    MB_OK
    push    OFFSET capt
    push    OFFSET msg
    push    0
    call    MessageBox

    push    0
    call    ExitProcess

END start


Disassembling the object module :

Code Select Expand


_start  PROC NEAR
        push    0
        push    offset capt
        push    offset msg
        push    0
        call    dword ptr [__imp__MessageBoxA@16]
        push    0
        call    dword ptr [__imp__ExitProcess@4]
_start  ENDP


[HellOfMice]

I verified this in my post about INVOKE

[Vortex]

Hi Philippe,

You can try the same method with 64-bit coding.

[HellOfMice]

XWhat I read in the help file is that it generates __imp__function but I don't see in DBG64 (looks like OllyDbg)

[Vortex]

Hi Philippe,

During the x32\64dbg session, you should see something like the following :

Code Select Expand

call dword ptr ds:[<MessageBoxA>] ; Direct function call

The expression _imp__ is a part of the MS COFF object file name decoration.

[HellOfMice]

Hi Eroll


Thank You.


I thought that it also was in the exe file because I found function declared with it:
WriteClassStm                     TEXTEQU      <__imp_WriteClassStm>

TEXTEQU should be replaced by ALIAS?

Merci

Philippe

[Vortex]

Hi Philippe,

Better to keep things simple so TEXTEQU is preferable.

[TimoVJL]

So poasm INVOKE is tricky

This make jumptable

Code Select Expand

;hello64.asm

extern ExitProcess : proc
extern MessageBoxA : proc

.data
text    db "Hello world!",0
caption db "Message",0

.code

WinMainCRTStartup proc
sub rsp, 28h
xor r9, r9
lea r8, [rip + caption]
lea rdx, [rip + text]
xor ecx, ecx
call MessageBoxA
xor ecx, ecx
call ExitProcess
WinMainCRTStartup endp
end
this not

Code Select Expand

;hello64x.asm

extern __imp_ExitProcess :DWORD
extern __imp_MessageBoxA :QWORD

ExitProcess TEXTEQU <qword ptr [rip+__imp_ExitProcess]>
MessageBox TEXTEQU <qword ptr [rip+__imp_MessageBoxA]>

.data
text    db "Hello world!",0
caption db "Message",0

.code

WinMainCRTStartup proc
sub rsp, 28h
xor r9, r9
lea r8, [rip + caption]
lea rdx, [rip + text]
xor ecx, ecx
;call qword ptr [rip+__imp_MessageBoxA]
call MessageBox
xor ecx, ecx
;call qword ptr [rip+__imp_ExitProcess]
call ExitProcess
;INVOKE ExitProcess
WinMainCRTStartup endp
end
so problem is, how to use INVOKE same way
Use Pelle's pope.exe to check results

To add pope to filemanager menu

Code Select Expand

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\*\shell\Open With Pope\command]
@="\"c:\\code\\bin64\\pope.exe\" %1"


[HellOfMice]

Thank You Timo