News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests

Main Menu

help about native api

Started by jangogrand, August 11, 2017, 09:55:10 AM

Previous topic - Next topic

jangogrand

hi i try to use RtlCompareString to compare 2 strings , when i run that code in ollydbg it get bloked  any help please , about how to display RtlCompareString result, thank you

.386
.model flat, stdcall
option casemap:none
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\ntdll.lib
include C:\masm32\include\kernel32.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\windows.inc
include C:\masm32\include\ntdll.inc
.data

s1 db "abcd",0
s2 db "ab",0
.code
Main:
invoke RtlCompareString, OFFSET s1, OFFSET s2, TRUE

mov ebx,eax

end Main

hutch--

Just check a couple of things, make sure RtlCompareString is in both the library and include file and if that is not correct, try calling the API with LoadLibrary / GetProcAddress and close it on exit with FreeLibrary. I don't use Olly but you may need to check if it has the symbols for ntdll.dll.

jangogrand

yes  RtlCompareString is in both the library and include file , and i have use msgbox to dispaly the result but it not work

.386
.model flat, stdcall
option casemap:none
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\ntdll.lib
include C:\masm32\include\kernel32.inc  ;cotient les prototype des function
include C:\masm32\include\user32.inc
include C:\masm32\include\windows.inc
include C:\masm32\include\ntdll.inc
.data

s1 db "abcd",0
s2 db "ab",0

MsgTitle db "My First MessageBox",0
.code
Main:
mov eax,0
invoke RtlCompareString, OFFSET s1, OFFSET s2, TRUE

mov ebx,eax
invoke MessageBoxA, NULL,  ebx, OFFSET MsgTitle, NULL

end Main

can please show me the technique  calling the API with LoadLibrary / GetProcAddress

thank you

jj2007

A quick example:
include \masm32\include\masm32rt.inc
uselib ntdll

.data
Src1a dw 20, 20
dd Src1
Src1 db "abcde", 0
Src2a dw 20, 20
dd Src2
Src2 db "abcdef", 0
.code
start:
  invoke RtlCompareString, addr Src1a, addr Src2a, 0
  inkey str$(eax), " returned", 13, 10
  exit
end start


It works. What do you need it for?

- google for "counted string"
- read the forum rules regarding black hat activities
- study this two-pager

jangogrand

hi thank you jj2007 , but i dont understand your code , why you use dw 20, 20
and what that line mean inkey str$(eax), " returned", 13, 10

i need the program fro stading how to use native api with masm
thank you

jj2007

- inkey str$(): \Masm32\help\hlhelp.chm, macro categories, string macros
- dw 20, 20: google for "counted strings"

Here is a better example:include \masm32\include\masm32rt.inc
uselib ntdll

.data
Src1a dw 5, 5 ; min, max
dd Src1
Src1 db "abcde", 0
Src2a dw 6, 6
dd Src2
Src2 db "ABCDEF", 0
.code
start:
  invoke RtlCompareString, addr Src2a, addr Src1a, 0
  print str$(eax), " returned", 13, 10
  invoke RtlCompareString, addr Src2a, addr Src1a, 1
  inkey str$(eax), " returned", 13, 10
  exit
end start


Why do you want to use "native api" with Masm...?

jangogrand

how i can get the result , are it stored in eax can we desplay it using msgbox , ur program when i open it with ollydbg it give eax >0 when the 2 string are same and that is not the correct result

felipe

Quote from: jangogrand on August 11, 2017, 09:55:10 AM

.386
.model flat, stdcall
option casemap:none
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\ntdll.lib
include C:\masm32\include\kernel32.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\windows.inc
include C:\masm32\include\ntdll.inc

Don't you need to put windows.inc declaration first of all?

jangogrand

jj2007 the program is not displaying any result , i have test it on my windows xp on virtualbox.

felipe we can put windows.inc any where

felipe

Quote from: jangogrand on August 11, 2017, 11:21:37 AM

felipe we can put windows.inc any where

Yeah, seems as you are right.

aw27


Hello jangogrande

This is how you should use the function, most examples here are pure crap.



.386

.model Flat, STDCALL
option Casemap :None

TRUE equ 1

includelib \masm32\lib\ntdll.lib
RtlCompareString PROTO STDCALL :ptr,:ptr,:BYTE

includelib \masm32\lib\msvcrt.lib
printf PROTO C :ptr, :vararg

_STRING struct
_Length word ?
_Maximumlength word ?
_Buffer dword ?
_STRING ends

.data
s1 db "abcd" ;
s2 db "bab"
format db 'result: %d',13,10,0

.code

main proc
LOCAL str1 : _STRING
LOCAL str2 : _STRING

mov str1._Length, LENGTHOF s1
mov str1._Maximumlength, LENGTHOF s1
mov eax, offset s1
mov str1._Buffer, eax

mov str2._Length, LENGTHOF s2
mov str2._Maximumlength, LENGTHOF s2
mov eax, offset s2
mov str2._Buffer, eax

INVOKE RtlCompareString, addr str1, addr str2, TRUE

INVOKE printf, addr format, eax ; should display negative

ret
main endp

end main


Beware also that the prototype of RtlCompareString is wrong in the NtDll.inc include file.


aw27

Hello jangogrande

This is how you should use the function, most examples here are misleading (or pure crap).



.386

.model Flat, STDCALL
option Casemap :None

TRUE equ 1

includelib \masm32\lib\ntdll.lib
RtlCompareString PROTO STDCALL :ptr,:ptr,:BYTE

includelib \masm32\lib\msvcrt.lib
printf PROTO C :ptr, :vararg

_STRING struct
_Length word ?
_Maximumlength word ?
_Buffer dword ?
_STRING ends

.data
s1 db "abcd" ;
s2 db "bab"
format db 'result: %d',13,10,0

.code

main proc
LOCAL str1 : _STRING
LOCAL str2 : _STRING

mov str1._Length, LENGTHOF s1
mov str1._Maximumlength, LENGTHOF s1
mov eax, offset s1
mov str1._Buffer, eax

mov str2._Length, LENGTHOF s2
mov str2._Maximumlength, LENGTHOF s2
mov eax, offset s2
mov str2._Buffer, eax

INVOKE RtlCompareString, addr str1, addr str2, TRUE

INVOKE printf, addr format, eax ; should display negative

ret
main endp

end main


Beware also that the prototype of RtlCompareString is wrong in the NtDll.inc include file.

hutch--

 :biggrin:

Microsoft C prototype

; LONG RtlCompareString(
;   _In_ const STRING  *String1,
;   _In_ const STRING  *String2,
;   _In_       BOOLEAN CaseInSensitive
; );


MASM32 prototype

RtlCompareString PROTO STDCALL :DWORD,:DWORD,:DWORD


aw prototype

RtlCompareString PROTO STDCALL :ptr,:ptr,:BYTE


MASM32 version of ntdll.dll internal data

RtlCompareString@12
__imp__RtlCompareString@12


The data for the linker says 3 x DWORD values.

hutch--

aw,

I built your version but it does not run on my Win10 64. Builds OK, just does nothing.

Running this,

    LOCAL hLib  :DWORD
    LOCAL pFnc  :DWORD
    LOCAL rval  :DWORD

    mov hLib, rv(LoadLibrary,"ntdll.dll")
    print str$(hLib)," Library handle",13,10

    mov pFnc, rv(GetProcAddress,hLib,"RtlCompareString")
    print str$(pFnc)," Procedure address",13,10

    push FALSE
    push ptx3
    push ptx1
    call pFnc
    mov rval, eax


Mine crashes.

aw27

Quote from: hutch-- on August 11, 2017, 03:51:03 PM
The data for the linker says 3 x DWORD values.
For the linker will always be a multiple of 4 because you can not push a byte on the stack.  :P