__declspec

[HellOfMice]

This can only use for telling the compiler to directly call the dll function rather than creating a stub.


That means, for example, if I call CreateWindowEx the compiler generates "JMP XXXXX" and at the "XXXXX" we have a "CALL CreateWIndowss" Address. This directive kills the "JMP XXXXX".


How to do the same in ASM this directive does not exist?

[Vortex]

Hi Philippe,

I think you are trying to call directly an API function to avoid jump tables, is that right?

[HellOfMice]

Yes, if the C compiler does it I thought the assembler could do it also

[Vortex]

Hi Philippe,

The ArgCount and prX macros were coded by Hutch, maintainer of the Masm32 package. You can find them in the master include file \masm32\include\windows.inc

Code: [Select]

.386
.model flat,stdcall
option casemap:none       

ArgCount MACRO number
LOCAL txt
    txt equ <typedef PROTO :DWORD>
    REPEAT number - 1
        txt CATSTR txt,<,:DWORD>
    ENDM
    EXITM <txt>
ENDM

pr0  typedef PROTO
pr1  ArgCount(1)
pr2  ArgCount(2)
pr3  ArgCount(3)
pr4  ArgCount(4)

MB_OK equ 0

EXTERNDEF _imp__MessageBoxA:pr4
EXTERNDEF _imp__ExitProcess:pr1

MessageBox TEXTEQU <_imp__MessageBoxA>
ExitProcess TEXTEQU <_imp__ExitProcess>

.data

capt    db 'Hello',0
msg     db 'Direct function call demo',0

.code

start:

    push    MB_OK
    push    OFFSET capt
    push    OFFSET msg
    push    0
    call    MessageBox

    push    0
    call    ExitProcess

END start

Disassembling the object module :

Code: [Select]

_start  PROC NEAR
        push    0
        push    offset capt
        push    offset msg
        push    0
        call    dword ptr [__imp__MessageBoxA@16]
        push    0
        call    dword ptr [__imp__ExitProcess@4]
_start  ENDP


[HellOfMice]

I verified this in my post about INVOKE

[Vortex]

Hi Philippe,

You can try the same method with 64-bit coding.

[HellOfMice]

XWhat I read in the help file is that it generates __imp__function but I don't see in DBG64 (looks like OllyDbg)

[Vortex]

Hi Philippe,

During the x32\64dbg session, you should see something like the following :

Code: [Select]

call dword ptr ds:[<MessageBoxA>] ; Direct function call
The expression _imp__ is a part of the MS COFF object file name decoration.

[HellOfMice]

Hi Eroll


Thank You.


I thought that it also was in the exe file because I found function declared with it:
WriteClassStm                     TEXTEQU      <__imp_WriteClassStm>

TEXTEQU should be replaced by ALIAS?

Merci

Philippe

[Vortex]

Hi Philippe,

Better to keep things simple so TEXTEQU is preferable.

[TimoVJL]

So poasm INVOKE is tricky

This make jumptable

Code: [Select]

;hello64.asm

extern ExitProcess : proc
extern MessageBoxA : proc

.data
text    db "Hello world!",0
caption db "Message",0

.code

WinMainCRTStartup proc
sub rsp, 28h
xor r9, r9
lea r8, [rip + caption]
lea rdx, [rip + text]
xor ecx, ecx
call MessageBoxA
xor ecx, ecx
call ExitProcess
WinMainCRTStartup endp
end
this not

Code: [Select]

;hello64x.asm

extern __imp_ExitProcess :DWORD
extern __imp_MessageBoxA :QWORD

ExitProcess TEXTEQU <qword ptr [rip+__imp_ExitProcess]>
MessageBox TEXTEQU <qword ptr [rip+__imp_MessageBoxA]>

.data
text    db "Hello world!",0
caption db "Message",0

.code

WinMainCRTStartup proc
sub rsp, 28h
xor r9, r9
lea r8, [rip + caption]
lea rdx, [rip + text]
xor ecx, ecx
;call qword ptr [rip+__imp_MessageBoxA]
call MessageBox
xor ecx, ecx
;call qword ptr [rip+__imp_ExitProcess]
call ExitProcess
;INVOKE ExitProcess
WinMainCRTStartup endp
end
so problem is, how to use INVOKE same way
Use Pelle's pope.exe to check results

To add pope to filemanager menu

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\*\shell\Open With Pope\command]
@="\"c:\\code\\bin64\\pope.exe\" %1"


[HellOfMice]

Thank You Timo