News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests

Main Menu

How to call winapi with syscall in Masm?

Started by morgot, September 02, 2019, 03:10:52 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

morgot

September 02, 2019, 03:10:52 AM
How to call api directly with syscall? https://j00ru.vexillium.org/syscalls/nt/32/ - list

can you give some example?
Sorry for the bad English

jj2007

#1
September 02, 2019, 04:45:48 AM
Test it with a debugger. And explain what you need it for...

Code Select
include \masm32\include\masm32rt.inc
uselib ntoskrnl

.code
start:
  exit
  call NtCreateFile
end start

__kernel_entry NTSYSCALLAPI NTSTATUS NtCreateFile(
  PHANDLE            FileHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  PIO_STATUS_BLOCK   IoStatusBlock,
  PLARGE_INTEGER     AllocationSize,
  ULONG              FileAttributes,
  ULONG              ShareAccess,
  ULONG              CreateDisposition,
  ULONG              CreateOptions,
  PVOID              EaBuffer,
  ULONG              EaLength
);

Vortex

#2
September 02, 2019, 04:52:02 AM
Hi morgot,

Nothing special. They are __stdcall functions. A small example :

Code Select
.386
.model flat,stdcall
option casemap:none

include     \masm32\include\windows.inc
include     \masm32\include\kernel32.inc
include     \masm32\include\user32.inc
include     \masm32\include\ntdll.inc
include     \masm32\include\masm32.inc

includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\ntdll.lib
includelib  \masm32\lib\masm32.lib

.data

str1        db 'Executable signature = %s',0

.data?

buffer      db 16 dup(?)

.code

start:

    invoke  GetModuleHandle,0

    invoke  RtlImageNtHeader,eax
    lea     edx,IMAGE_NT_HEADERS.Signature[eax]

    invoke  wsprintf,ADDR buffer,\
            ADDR str1,edx
           
    invoke  StdOut,ADDR buffer

    invoke  ExitProcess,0

END start

aw27

#3
September 02, 2019, 05:28:13 AM
Syscall is not used in x86, it is only used in x64.
https://j00ru.vexillium.org/syscalls/nt/64/

Since nobody uses anymore x86 operating systems, here is an example for Windows 10 x64:

Code Select


option casemap :None

includelib \masm32\lib64\kernel32.lib
ExitProcess proto :dword
includelib \masm32\lib64\msvcrt.lib
printf proto :ptr, :vararg

_SYSTEM_BASIC_INFORMATION struct 8
    Reserved1 byte 24 dup (?)
    Reserved2 qword 4 dup (?)
    NumberOfProcessors sbyte ?
_SYSTEM_BASIC_INFORMATION ends

.data
format0 db "Number of processors: %d retlen: 0x%x retval: 0x%x",13,10,0

.code

main proc
LOCAL basicinfo :  _SYSTEM_BASIC_INFORMATION
LOCAL retlen : qword
sub rsp, 28h

mov retlen,0
lea r9, retlen
mov r8, sizeof basicinfo
lea rdx, basicinfo
mov r10, 0
mov eax, 36h ; NtQuerySystemInformation. Windows 10 until 1903=0x0036, Windows 7=0x0033, Windows 8.1=0x0035

syscall

lea rcx, format0
mov dl, basicinfo.NumberOfProcessors
mov r8, retlen
mov r9d, eax
call printf
mov rcx,0
call ExitProcess

main endp

end



Output:
Number of processors: 12 retlen: 0x40 retval: 0x0

For Windows x86 operating systems we can use Sysenter (or int 2eh). The procedure is slighly different and is left here as an exercise for anyone to try, if they wish.
Print
Go Up Pages1
User actions