These are WM_GETOBJECT returned equates in RosAsm Syntax
They are the Object Identifier Values for OBJID_QUERYCLASSNAMEIDX
MSAA_CLASSNAMEIDX_BASE 010000
MSAA_CLASSNAMEIDX_LISTBOX 010000
MSAA_CLASSNAMEIDX_BUTTON 010002
MSAA_CLASSNAMEIDX_STATIC 010003
MSAA_CLASSNAMEIDX_EDIT 010004
MSAA_CLASSNAMEIDX_COMBOBOX 010005
MSAA_CLASSNAMEIDX_SCROLLBAR 01000A
MSAA_CLASSNAMEIDX_STATUS 01000B
MSAA_CLASSNAMEIDX_TOOLBAR 01000C
MSAA_CLASSNAMEIDX_PROGRESS 01000D
MSAA_CLASSNAMEIDX_ANIMATE 01000E
MSAA_CLASSNAMEIDX_TAB 01000F
MSAA_CLASSNAMEIDX_HOTKEY 010010
MSAA_CLASSNAMEIDX_HEADER 010011
MSAA_CLASSNAMEIDX_TRACKBAR 010012
MSAA_CLASSNAMEIDX_LISTVIEW 010013
MSAA_CLASSNAMEIDX_UPDOWN 010016
MSAA_CLASSNAMEIDX_TOOLTIPS 010018
MSAA_CLASSNAMEIDX_TREEVIEW 010019
MSAA_CLASSNAMEIDX_RICHEDIT 01001C
http://msdn.microsoft.com/en-us/library/windows/desktop/dd318003(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/dd373606(v=vs.85).aspx#OBJID_QUERYCLASSNAMEIDX
http://msdn.microsoft.com/en-us/library/windows/desktop/dd373892(v=vs.85).aspx
I hope it helps someone.
Best Regards,
guga
RosAsm Syntax
;;
GetWindowPos v 1.1
This function retrieves the x, y, width and height of any window.
Arguments:
hWnd(in): A handle to the window. The window can be a child, overlapped, a dialog, a control etc.
PosStruct(out): A pointer to a WINPOS structure to receive the values found.
Returned Value: If the window is a child window, the return value is a handle to the parent window. If the window is a top-level window with the WS_POPUP style, the return value is a handle to the owner window.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.
This function typically fails for one of the following reasons:
* The window is a top-level window that is unowned or does not have the WS_POPUP style.
* The owner window has WS_POPUP style.
Remarks:
The WINPOS structure has the following format and specifications:
[WINPOS:
WINPOS.cx: D$ 0 ; The initial horizontal position of the window. For an overlapped or pop-up window, the x parameter is
; the initial x-coordinate of the window's upper-left corner, in screen coordinates. For a child window,
; x is the x-coordinate of the upper-left corner of the window relative to the upper-left corner of the
; parent window's client area.
WINPOS.cy: D$ 0 ; The initial vertical position of the window. For an overlapped or pop-up window, the y parameter is
; the initial y-coordinate of the window's upper-left corner, in screen coordinates. For a child window,
; y is the initial y-coordinate of the upper-left corner of the child window relative to the upper-left
; corner of the parent window's client area. For a list box y is the initial y-coordinate of the upper-left
; corner of the list box's client area relative to the upper-left corner of the parent window's client area.
WINPOS.width: D$ 0 ; The width, in device units, of the window.
WINPOS.height: D$ 0; The height, in device units, of the window.
]
Usage example:
[WINPOS:
WINPOS.cx: D$ 0
WINPOS.cy: D$ 0
WINPOS.width: D$ 0
WINPOS.height: D$ 0]
call 'USER32.GetDlgItem' D@hWnd, 156
call GetWindowPos eax, WINPOS
Author: Gustavo Trigueiros (aka: Beyond2000!)
Build Date: 19/05/2012 (v 1.0)
;;
Proc GetWindowPos:
Arguments @hWnd, @PosStruct
Local @width, @height, @hParent
Structure @WINDOWINFO 64, @WINDOWINFO.cbSizeDis 0, @WINDOWINFO.rcWindow_leftDis 4, @WINDOWINFO.rcWindow_topDis 8,
@WINDOWINFO.rcWindow_rightDis 12, @WINDOWINFO.rcWindow_bottomDis 16, @WINDOWINFO.rcClient_leftDis 20,
@WINDOWINFO.rcClient_topDis 24, @WINDOWINFO.rcClient_rightDis 28, @WINDOWINFO.rcClient_bottomDis 32,
@WINDOWINFO.dwStyleDis 36, @WINDOWINFO.dwExStyleDis 40, @WINDOWINFO.dwWindowStatusDis 44, @WINDOWINFO.cxWindowBordersDis 48,
@WINDOWINFO.cyWindowBordersDis 52, @WINDOWINFO.atomWindowTypeDis 56, @WINDOWINFO.wCreatorVersionDis 60
Uses esi, ecx, edx
call 'user32.GetAncestor' D@hWnd, &GA_PARENT
; call 'user32.GetParent' D@hWnd
On eax = 0, ExitP
mov D@hParent eax
call 'USER32.MapWindowPoints' D@hWnd, eax, D@PosStruct, 2
call ZeroMemory D@WINDOWINFO, 64
mov D@WINDOWINFO.cbSizeDis 64
call 'USER32.GetWindowInfo' D@hWnd, D@WINDOWINFO
mov esi D@PosStruct
mov eax D@WINDOWINFO.rcWindow_rightDis | sub eax D@WINDOWINFO.rcWindow_leftDis | mov D$esi+WINPOS.widthDis eax
mov eax D@WINDOWINFO.rcWindow_bottomDis | sub eax D@WINDOWINFO.rcWindow_topDis | mov D$esi+WINPOS.heightDis eax
mov eax D@WINDOWINFO.cxWindowBordersDis | sub D$esi+WINPOS.cxDis eax
mov eax D@WINDOWINFO.cyWindowBordersDis | sub D$esi+WINPOS.cyDis eax
mov eax D@hParent
EndP
Ftol2 similar to the one existent in msvcr100.dll.
It allows outputting the integer and remainder parts to buffers.
Feel free to review/improve the code.
Usage example:
[teste: R$ -1.012341649e+5]
[FloattolResult: Q$ 0]
[RemainderResult: Q$ 0]
fld R$teste
call ftol2 FloattolResult, RemainderResult
Proc ftol2:
Arguments @pOutputInteger, @pOutPutRemainder
Local @Remainder
Structure @StoredNumber 8, @NumHiDis 0, @NumLowDis 4
Uses ecx, esi, edi, edx
mov edi D@pOutputInteger
mov esi D@StoredNumber
fld ST0
fst F@Remainder
fistp R$esi
fild R$esi
mov edx D@Remainder
mov eax D@NumHiDis
test eax eax | je @integer_QnaN_or_zero
@arg_is_not_integer_QnaN:
fsubp ST1 ST0
test edx edx | jns @positive
fstp F@Remainder
mov ecx D@Remainder
xor ecx 080000000
add ecx 07FFFFFFF
adc eax 00
mov edx D@NumLowDis
adc edx 00
jmp @localexit
@positive:
fstp F@Remainder
mov ecx D@Remainder
add ecx 07FFFFFFF
sbb eax 00
mov edx D@NumLowDis
sbb edx 00
jmp @localexit
@integer_QnaN_or_zero:
mov edx D@NumLowDis
test edx 07FFFFFFF | jne @arg_is_not_integer_QnaN
fstp F@Remainder
fstp F@Remainder
@localexit:
; Output the integer part here
mov D$edi eax
mov D$edi+4 edx
; Output the remainder part here
mov edi D@pOutPutRemainder
fld F@Remainder | fabs
fstp R$edi
EndP
One more set. Feel free to convert to masm/fasm.
This function has exactly the same functionality as in ntdll.dll.
As a matter of fact, this function can also be used as RVAtoOffset.
When you set the imagebase the function will return the exact VA of the RVA. Ex: 04091C4
When no imagebase is used (BaseAddress = 0), the function will return the offset of the inputted RVA. Ex: 085C4
Note: In ntdll.dll the function contains an error when you try to retrieve the VA. Even if you set an imagebase value, the resultant VA is incorrect.
In my function, I fixed that. Now it returns the correct VA.
Updated: 11/04/2012
;;
RTLImageRVAtoVA
Locates a relative virtual address (RVA) within the image header of a file that is mapped as a file
and returns the virtual address of the corresponding byte in the file.
Parameters
NtHeaders [in]: A pointer to an IMAGE_NT_HEADERS structure. This structure can be obtained by
calling the ImageNtHeader function. It is the 'PE' signature
BaseAddress [in]: The base address of an image that is mapped into memory through a call to
the MapViewOfFile function.
If this member is &NULL, the function will return the offset related to the RVA. Ex: 085C4
If the member is an image base value, the function will return the VA related to the RVA. Ex: 04091C4
Rva [in]: The relative virtual address to be located.
pLastRvaSection [in, optional]: A pointer to an IMAGE_SECTION_HEADER structure that specifies
the last RVA section. This is an optional parameter.
When specified, it points to a variable that contains the last
section value used for the specified image to translate an RVA to a VA.
Return value: If the function succeeds, the return value is the virtual address in the mapped file.
If the function fails, the return value is NULL. To retrieve extended error information,
call GetLastError.
Examples:
1)
Proc XXXXX
Local @DiffAdded2
(...)
mov edx D@PeOrigin
; in case we have a PE with 03 sections we do this:
mov D@DiffAdded2 edx | add D@DiffAdded2 SizeOf_PeHeader | add D@DiffAdded2 SizeOf_SectionsHeaders | add D@DiffAdded2 SizeOf_SectionsHeaders
lea esi D@DiffAdded2 ; esi is a pointer to the last section of the PE
call RTLImageRVAtoVA edx, D$edx+PeHeader.OptionalHeader.ImageBaseDis, 01154, esi
2)
mov edx D@PeOrigin
call RTLImageRVAtoVA edx, 0, 03012, 0
Remarks: The ImageRvaToVa function locates an RVA within the image header of a file that is mapped
as a file and returns the virtual address of the corresponding byte in the file.
All DbgHelp functions, such as this one, are single threaded. Therefore, calls from more
than one thread to this function will likely result in unexpected behavior or memory corruption.
To avoid this, you must synchronize all concurrent calls from more than one thread to this function.
;;
Proc RtlImageRvaToVa:
Arguments @NtHeader, @BaseAddress, @Rva, @pLastRvaSection
Local @FileAlignment
Uses esi, edi, edx, ecx
mov esi D@pLastRvaSection
mov edi D@Rva
mov edx D@NtHeader
move D@FileAlignment D$edx+PeHeader.OptionalHeader.FileAlignmentDis
If esi <> 0
mov ecx D$esi
mov eax D$ecx+SectionsHeaders.VirtualAddressDis
mov edx D$ecx+SectionsHeaders.SizeOfRawDataDis
Align_On_Variable D@FileAlignment edx | add edx eax
End_If
If_Or esi = 0, ecx = 0, edi < eax, edi >= edx
call RTLImageRVAtoSection D@NtHeader, D@BaseAddress, edi
mov ecx eax
End_If
xor eax eax
On ecx = 0, ExitP
If esi <> 0
mov D$esi ecx
End_if
If D@BaseAddress = 0
mov eax D$ecx+SectionsHeaders.PointerToRawDataDis
sub eax D$ecx+SectionsHeaders.VirtualAddressDis
End_If
add eax D@BaseAddress
add eax edi
EndP
One more i made on rosasmboard. As usual, feel free to port it to masm or fasm etc
;;
OffsettoRVA Function
Routine Description:
This function locates the RVA through an inputted raw offset of the PE File.
Arguments:
Offset [in] - The offset to be calculated.
pPEHdr [in] - A pointer to an IMAGE_NT_HEADERS structure ('PE' signature). This structure can be obtained by
calling the ImageNtHeader function.
Return Value:
If the function succeeds, it returns the RVA of the offset.
If the function fails, it returns FALSE.
Example:
call OffsettoRVA 0F1B, D@PeOrigin
Reference: http://hi.baidu.com/ximo2006/blog/item/cbf745f82f19ffd2b58f315c.html
http://forum.exetools.com/showthread.php?t=6042
www.ntcore.com/files/netint_injection/SectComp.cff
Author:
Gustavo Trigueiros (aka: Beyond2000! or Guga)
;;
Proc OffsettoRVA:
Arguments @InputOffset, @pPEHdr
Uses edx, ecx, edi
mov edx D@pPEHdr
movzx ecx W$edx+PeHeader.FileHeader.NumberOfSectionsDis
mov edi D@InputOffset
add edx SizeOf_PeHeader ; point to IMAGE_SECTION_HEADER
.While ecx <> 0 ; check all sections
mov eax D$edx+SectionsHeaders.PointerToRawDataDis
add eax D$edx+SectionsHeaders.SizeOfRawDataDis
.If_And edi >= D$edx+SectionsHeaders.PointerToRawDataDis, edi < eax
mov eax D$edx+SectionsHeaders.PointerToRawDataDis
sub edi eax ; edi == Offset - PointerToRawData
mov eax D$edx+SectionsHeaders.VirtualAddressDis
add eax edi ; eax == Offset - PointerToRawData + VirtualAddress
; RVA = VirtualAddress + (InOffset - PointerToRawData)
ExitP
.End_If
add edx SizeOf_SectionsHeaders
dec ecx
.End_While
xor eax eax
EndP
Another from a set of functions i made on rosasm board
;;
RVAtoOffset Function
Routine Description:
This function locates the raw offset of a PE through an inputted RVA value.
Arguments:
Offset [in] - The RVA to be calculated.
pPEHdr [in] - A pointer to an IMAGE_NT_HEADERS structure ('PE' signature). This structure can be obtained by
calling the ImageNtHeader function.
Return Value:
If the function succeeds, it returns the offset related to that RVA.
If the function fails, it returns FALSE.
Example:
call RVAtoOffset 02400, D@PeOrigin
Reference: http://hi.baidu.com/ximo2006/blog/item/cbf745f82f19ffd2b58f315c.html
http://forum.exetools.com/showthread.php?t=6042
www.ntcore.com/files/netint_injection/SectComp.cff
Author:
Gustavo Trigueiros (aka: Beyond2000! or Guga)
;;
Proc RVAtoOffset:
Arguments @InputRVA, @pPEHdr
Uses edx, ecx, edi, esi
mov edx D@pPEHdr
movzx ecx W$edx+PeHeader.FileHeader.NumberOfSectionsDis
mov edi D@InputRVA
add edx SizeOf_PeHeader ; point to IMAGE_SECTION_HEADER
.While ecx <> 0 ; check all sections
mov eax D$edx+SectionsHeaders.VirtualAddressDis
add eax D$edx+SectionsHeaders.SizeOfRawDataDis
.If_And edi >= D$edx+SectionsHeaders.VirtualAddressDis, edi < eax
; 0EF3 = 0C00 +02F3 = RawOffset + (inputRVA-RVA)
; Offset = PointerToRawData + (InRVA - VirtualAddress)
sub edi D$edx+SectionsHeaders.VirtualAddressDis
add edi D$edx+SectionsHeaders.PointerToRawDataDis
mov eax edi
ExitP
.End_If
add edx SizeOf_SectionsHeaders
dec ecx
.End_While
xor eax eax
EndP
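Added example, not code from the thread: a Python version of the section-table walk that the OffsettoRVA and RVAtoOffset posts perform, with the checks a parser needs when the PE file is untrusted (section table located through SizeOfOptionalHeader, results bounded by the file length, None instead of 0 on failure because 0 is a valid offset). The function names are this example's own, and the two-section image built by build_sample is constructed for the demonstration.

```python
import struct

# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 unused bytes
SEC = struct.Struct("<8sIIII16x")

def sections(pe):
    """Return (va, rawsize, rawptr) for each section header in raw PE file bytes."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[lfanew:lfanew + 4] != b"PE\0\0" or lfanew + 24 > len(pe):
        raise ValueError("no PE signature")
    (nsec,) = struct.unpack_from("<H", pe, lfanew + 6)
    (optsize,) = struct.unpack_from("<H", pe, lfanew + 20)
    table = lfanew + 24 + optsize      # honours SizeOfOptionalHeader (PE32 and PE32+)
    if table + nsec * SEC.size > len(pe):
        raise ValueError("section table runs past end of file")
    out = []
    for i in range(nsec):
        _, _vsize, va, rawsize, rawptr = SEC.unpack_from(pe, table + i * SEC.size)
        out.append((va, rawsize, rawptr))
    return out

def rva_to_offset(pe, rva):
    """File offset backing `rva`, or None when no section's raw data covers it."""
    for va, rawsize, rawptr in sections(pe):
        if va <= rva < va + rawsize:
            off = rawptr + (rva - va)
            return off if off < len(pe) else None   # header may point past the file
    return None

def offset_to_rva(pe, off):
    """RVA of file offset `off`, or None when it lies outside every section."""
    if not 0 <= off < len(pe):
        return None
    for va, rawsize, rawptr in sections(pe):
        if rawptr <= off < rawptr + rawsize:
            return va + (off - rawptr)
    return None

def build_sample(file_len=0x1000):
    """Constructed two-section PE32 skeleton (headers only, zero-filled body)."""
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    hdr += bytes(0xE0)                                             # optional header, unused
    hdr += SEC.pack(b".text", 0x800, 0x1000, 0x800, 0x400)
    hdr += SEC.pack(b".data", 0x400, 0x2000, 0x400, 0xC00)
    return hdr.ljust(file_len, b"\0")[:file_len]
```

With the constructed image, RVA 022F3 resolves to offset 0EF3, the same 0C00 + 02F3 arithmetic as the comment in RVAtoOffset; on a copy truncated to 0D00 bytes the same lookup returns None instead of an offset past the end of the file.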
I'm making a series of functions analogous to the ntdll PE functions that are found inside ntdll.dll, imagehlp.dll and dbghelp.dll.
RosAsm syntax. More functions at rosasm board. Feel free to port it to masm or fasm etc
;;
RtlImageDirectoryEntryToData
Obtains access to image-specific data.
This function locates a Directory Entry within the image header and returns either the virtual address or seek address of the
data the Directory describes.
This function has been superseded by the RtlImageDirectoryEntryToDataEx function.
Use RtlImageDirectoryEntryToDataEx to retrieve the section header.
Parameters:
BaseAddress [in]: A pointer to the base address of the image. The 'MZ' signature.
MappedAsImage [in]: If this parameter is TRUE, the file is mapped by the system as an image. If the flag is FALSE, the file is mapped as a data file by the MapViewOfFile function.
DirectoryEntry [in]: The index number of the desired directory entry. This parameter can be one of the following values.
Equate Name                             Value   Meaning
IMAGE_DIRECTORY_ENTRY_ARCHITECTURE      7       Architecture-specific data
IMAGE_DIRECTORY_ENTRY_BASERELOC         5       Base relocation table
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT      11      Bound import directory
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR    14      COM descriptor table
IMAGE_DIRECTORY_ENTRY_DEBUG             6       Debug directory
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT      13      Delay import table
IMAGE_DIRECTORY_ENTRY_EXCEPTION         3       Exception directory
IMAGE_DIRECTORY_ENTRY_EXPORT            0       Export directory
IMAGE_DIRECTORY_ENTRY_GLOBALPTR         8       The relative virtual address of global pointer
IMAGE_DIRECTORY_ENTRY_IAT               12      Import address table
IMAGE_DIRECTORY_ENTRY_IMPORT            1       Import directory
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG       10      Load configuration directory
IMAGE_DIRECTORY_ENTRY_RESOURCE          2       Resource directory
IMAGE_DIRECTORY_ENTRY_SECURITY          4       Security directory
IMAGE_DIRECTORY_ENTRY_TLS               9       Thread local storage directory
Size [out]: A pointer to a variable that receives the size of the data for the directory entry, in bytes.
Return value:
If the function succeeds, the return value is a pointer to the directory entry's data.
If the function fails, the return value is NULL. To retrieve extended error information, call GetLastError.
Remarks:
The ImageDirectoryEntryToData function is used to obtain access to image-specific data.
All DbgHelp functions, such as this one, are single threaded. Therefore, calls from more than one thread to this function
will likely result in unexpected behavior or memory corruption. To avoid this, you must synchronize all concurrent calls
from more than one thread to this function.
This function has the same functionality as the one existent inside ntdll and the function ImageDirectoryEntryToData from Dbghelp.dll
Example:
call RtlImageDirectoryEntryToData D@pFileData, &FALSE, &IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, LoaderSize
Bibliography:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680149(v=vs.85).aspx
http://www.wasm.ru/forum/viewtopic.php?id=28082
Author:
Gustavo Trigueiros (aka: Beyond2000! or Guga)
;;
Proc RtlImageDirectoryEntryToData:
Arguments @BaseAddress, @MappedAsImage, @Directory, @pSize
Uses ebx
mov ebx D@BaseAddress
Test_If bl 1
and ebx 0-02
mov D@MappedAsImage 0
Test_End
call RtlpImageNtHeader ebx
On eax = 0, ExitP
If W$eax+PeHeader.OptionalHeader.MagicDis = &IMAGE_NT_OPTIONAL_HDR32_MAGIC
call RtlpImageDirectoryEntryToData32 ebx, D@MappedAsImage, D@Directory, D@pSize, eax
Else_If W$eax+PeHeader.OptionalHeader.MagicDis = &IMAGE_NT_OPTIONAL_HDR64_MAGIC
call RtlpImageDirectoryEntryToData64 ebx, D@MappedAsImage, D@Directory, D@pSize, eax
Else
xor eax eax
End_If
EndP
Hi guga,
The DbgHelp API function ImageRvaToVa (http://msdn.microsoft.com/en-us/library/windows/desktop/ms680218%28v=vs.85%29.aspx) also does this, in my tests it's pretty quick and since it is only really used occasionally speed is not critical anyway. Of course the main advantage is that it will also make your application source level portable to 64 bit, something that is useful in GoAsm and jWasm which are both for the most part 32/64 bit switchable with minimal modification.
Hi Edgar
Tks. Later I'll give dbghelp a try. But as far as I can remember the one existent in dbghelp is exactly the same one as in ntdll.
I already analysed it and made a function that works exactly the same as the one in ntdll.
http://masmforum.com/~masm32/board/index.php?topic=34.0
How are u my friend ?