[FF25] Setting jmp thunk table

herman_the_german · March 27, 2013, 11:19:09 PM

The invoke macro and masm compiler makes jump thunk tables.
But how is the manual setting in use32 ?


.486
.mmx
.model flat,stdcall
option casemap :none

										
.data
pMessageBoxA:
extrn MessageBoxA:dword
	
pT   DB "My Title here",0
pM  DB "Message",0
					

.code
start:
		
    PUSH 0                    
    PUSH offset pT         
    PUSH offset pM      
    PUSH 0                   
    CALL Jump               
    RETN
		
    Jump:
;   $-FF25 00104000     
    JMP [offset pMessageBoxA]    ; masm creates this automatic,  i want to determine the jmp place
 						

end

dedndave · March 28, 2013, 01:19:53 AM

that's going to crash because you are pointing at the jump instruction, not the operand
and - the operand is a pointer to a table that has another pointer to the code :P

btw - we call it an IAT - import address table

http://www.masmforum.com/board/index.php?topic=17073.msg142389#msg142389

herman_the_german · March 28, 2013, 03:06:04 AM

Hello Dave and thx for ur answer but the link did not help me.
Yes my source does not work , its only to show i was not lazy.
And just i have no idea, would be great if u could fix my code snippet :)

dedndave · March 28, 2013, 03:18:10 AM

looking at your code,

Code Select

.data
pMessageBoxA:
extrn MessageBoxA:dword

this doesn't work
the colon is used for code labels only - not data declarations
also - you want to include files and import libraries to make life much easier :P

let's start with a "normal" asm program with a message box

Code Select

;#################################################################

        .XCREF
        .NoList
        INCLUDE    \Masm32\Include\Masm32rt.inc
        .List

;#################################################################

        .DATA

szMsg   db 'Message',0
szTitle db 'Title',0

;*****************************************************************

;        .DATA?

;#################################################################

        .CODE

;*****************************************************************

WinMain PROC

        INVOKE  MessageBox,0,offset szMsg,offset szTitle,MB_OK
        INVOKE  ExitProcess,eax

WinMain ENDP

;#################################################################

        END     WinMain

once you are able to build that and make it work, we will move to the next step :t

herman_the_german · March 28, 2013, 03:35:52 AM

done and i´m waiting of step 2 :)

dedndave · March 28, 2013, 03:39:43 AM

as you may already understand, INVOKE is a macro (internal to masm)
we can generate exactly the same EXE with this code

Code Select

WinMain PROC

        push    MB_OK
        push    offset szTitle
        push    offset szMsg
        push    0
        CALL    MessageBox

        INVOKE  ExitProcess,eax

WinMain ENDP

but, let's back up a minute and see what is going on at "offset MessageBox"
we can use the masm32 "uhex$" macro to simplify the code

Code Select

WinMain PROC

        mov     edx,offset MessageBox
        movzx   ecx,word ptr [edx]
        INVOKE  MessageBox,0,uhex$(ecx),offset szTitle,MB_OK
        INVOKE  ExitProcess,eax

WinMain ENDP

we will see the FF25 JMP instruction, with the bytes reversed

we know that the operand of that branch is encoded in the 4 bytes that follow

Code Select

WinMain PROC

        mov     edx,offset MessageBox
        mov     ecx,[edx+2]
        INVOKE  MessageBox,0,uhex$(ecx),offset szTitle,MB_OK
        INVOKE  ExitProcess,eax

WinMain ENDP

FF25 is an opcode for JMP dword ptr [address]
meaning that the operand is a memory location that contains the target address
what we really want to see is that address

Code Select

WinMain PROC

        mov     edx,offset MessageBox
        mov     edx,[edx+2]
        mov     ecx,[edx]
        INVOKE  MessageBox,0,uhex$(ecx),offset szTitle,MB_OK
        INVOKE  ExitProcess,eax

WinMain ENDP

that is the actual address of the code

now, we can put it all together and call that address, rather than MessageBox from the IAT

Code Select

WinMain PROC

        mov     edx,offset MessageBox
        mov     edx,[edx+2]
        mov     ecx,[edx]

        push    MB_OK
        push    offset szTitle
        push    offset szMsg
        push    0
        CALL    ecx

        INVOKE  ExitProcess,eax

WinMain ENDP

herman_the_german · March 28, 2013, 04:00:05 AM

The code stores the IAT to the called ECX, yeah good to know ...
but how i can determine the offset address from the compiled jmp2iat entries.
For example, i want to have it upside the entrypoint :)

dedndave · March 28, 2013, 04:03:21 AM

you will have to explain the a little better
i don't understand what you want to do :P

Quotei want to have it upside the entrypoint

:redface:

are you saying that you want to call the code, directly ?

herman_the_german · March 28, 2013, 04:11:53 AM

i meant the jumps should be between iat & entrypoint.

dedndave · March 28, 2013, 04:31:18 AM

i am still not sure i understand what you are trying to do - lol

i guess you are trying to create your own IAT in the .CODE section ?
maybe what you want to study is the PE file format

dedndave · March 28, 2013, 04:43:38 AM

maybe you are missing an important point

the address of the code is not known until the operating system loads the PE EXE and runs it
during the load process, the operating system looks in the PE header and gets the address of the IAT
then, it fills it in with table addresses before transfering control to the EXE code
so, you can create your own IAT, but you have to alter the PE header to let the OS know where it is

Sinsi was telling me, the other day, that FASM allows you to do this fairly easily

http://masm32.com/board/index.php?topic=1681.msg17136#msg17136

i have never tried it, but if he says it works, it probably does :P

herman_the_german · March 28, 2013, 04:59:34 AM

The iat is created by masm (with /MERGE settings) to rva 0x00401000
And the jmp´s entries are at 0x00401030 & 0x00401036, also created by masm.
and i want have(move) it to 0x00401010 address :)

edit:

that the point, i did start with fasm, also i´m new with asm,
so isn´t possible with masm... i did´nt know that .

Thx for your time and help dedndave :)

dedndave · March 28, 2013, 05:06:07 AM

the only way i can think of is to "manually" alter the PE file
some of the other guys might know a better way

but, sooner or later, someone is going to want to know why you want to do this
and, they may point you at the forum rules and lock the thread :P

herman_the_german · March 28, 2013, 05:16:25 AM

Dont worry, i'm just an empowered citizen and i dont like that always is automatic,
i want to have the power for my own. Or is that against the forum rules ?

japheth · March 28, 2013, 05:17:31 AM

Quote from: herman_the_german on March 28, 2013, 04:59:34 AM
that the point, i did start with fasm, also i´m new with asm,
so isn´t possible with masm... i did´nt know that .

Actually, fasm is able to do so because it supports formats that don't need a link step.

Masm has no such support. It is the linker that generates the IAT ( and also adds the "jmp"-thunks ), and you cannot fully control the linker from inside the assembly source.

The MASM Forum

News:

[FF25] Setting jmp thunk table

herman_the_german

dedndave

herman_the_german

dedndave

herman_the_german

dedndave

herman_the_german

dedndave

herman_the_german

dedndave

dedndave

herman_the_german

dedndave

herman_the_german

japheth