INVOKE

[HellOfMice]

When using INVOKE the codes does not seem to be great.
An example :

INVOKE SendMessage,hMsDosDump + rip,WM_CLOSE,0,0
will generate:

    0x0000047D  mov      r9,0                              49 C7 C1 00 00 00 00
    0x00000484  mov      r8,0                              49 C7 C0 00 00 00 00
    0x0000048B  mov      edx,10                            BA 10 00 00 00
    0x00000490  mov      rcx,qword ptr [000000014001C820]  48 8B 0D 89 B7 01 00
    0x00000497  call     000000014000C66F                  E8 D3 B5 00 00

    0x0000049C  mov      r9,0                              49 C7 C1 00 00 00 00 (Entered MOV R9D,0)
    0x000004A3  mov      r8,0                              49 C7 C0 00 00 00 00 (Idem with R8)
    0x000004AA  mov      edx,10                            BA 10 00 00 00
    0x000004AF  mov      rcx,qword ptr [000000014001CA10]  48 8B 0D 5A B9 01 00
    0x000004B6  call     000000014000C66F                  E8 B4 B5 00 00

    0x000004BB  xor      R8D,R8D                           45 31 C0
    0x000004C2  mov      R8D,R9D                           45 31 C9
    0x000004C9  mov      edx,10                            BA 10 00 00 00   (It uses 32 bits register)
    0x000004CE  mov      rcx,qword ptr [000000014001C7F0]  48 8B 0D 1B B7 01 00
    0x000004D5  call     000000014000C66F                  E8 95 B5 00 00

First call uses 31 bytes and the last call uses 26 bytes

Is it normal that "MOV R9D,0" as the same coding as "MOV R9,0"?

Windows parameters, except for addresses, are in 32 bits, the assembler could generates them in 32 bits.

My original code

    mov     rcx,hMsDosHeader + rip
    mov     rdx,WM_CLOSE
    xor     r8d,r8d
    xor     r9d,r9d
    call    SendMessage

    INVOKE  SendMessage,hMsDosDump + rip,WM_CLOSE,0,0
   
    mov     rcx,hMsDosDump + rip
    mov     rdx,WM_CLOSE
    mov     r9d,0
    mov     r8d,0
    call    SendMessage

    mov     rcx,hMsDosDump + rip
    mov     rdx,WM_CLOSE
    xor     r9d,0
    xor     r8d,0
    call    SendMessage

[HellOfMice]

It seems it proceeds like in C with the DECLSPEC(DLLIMPORT) I have not found a call XXXXX
in that case the assembler would have generates a JMP rather than a CALL

[Vortex]

Hi Philippe,

Code: [Select]

LRESULT SendMessage(
  [in] HWND   hWnd,
  [in] UINT   Msg,
  [in] WPARAM wParam,
  [in] LPARAM lParam
);
sizeof(UINT)=4 bytes

A quick test :

Code: [Select]

SendMessage((HWND)1,WM_CLOSE,1,1);

Code: [Select]

        mov     ecx, 1
        mov     edx, 16
        mov     r8d, 1
        mov     r9d, 1
        call    qword ptr [__imp_SendMessageA]


[HellOfMice]

Hi Vortex,


tihs call is made with an import like this one must call LoadLibrary & GetProcAdress must be called when launching the softwares?

[Vortex]

Hi Philippe,

We talked about this method, probably better than GetProcAddress :

https://forum.pellesc.de/index.php?topic=11472.msg40299#msg40299

[HellOfMice]

Hi Vortex,

It is not the same in this case it Windos taht must do it when crossing the PE Filer

[TimoVJL]

SendMessage be found from user32.lib import library.