Hi everyone,
I hope this is in the right place, but if not can someone let me know where better to post this and I'll ask a mod to delete it. I couldn't find the MASM For Idiots subforum :)
I'm trying to launch a process (notepad.exe as an example) with MASM. The problem is that I'm passing lpCommandLine as a pointer to a local variable, as this is generated dynamically, as you can see from the OllyDBG output.
CPU Stack
Address Value ASCII Comments
0018FC78 /00000000 ; |ApplicationName = NULL
0018FC7C |0018FC35 5ü ; |CommandLine = "C:\WINDOWS\System32\notepad.exe"
0018FC80 |00000000 ; |pProcessSecurity = NULL
0018FC84 |00000000 ; |pThreadSecurity = NULL
0018FC88 |00000001 ; |InheritHandles = TRUE
0018FC8C |00000000 ; |CreationFlags = 0
0018FC90 |00000000 ; |pEnvironment = NULL
0018FC94 |00000000 ; |CurrentDirectory = NULL
0018FC98 |0018FD08 ý ; |pStartupInfo = 0018FD08 -> STARTUPINFOA {Size=0, Reserved1=NULL, Desktop=NULL, Title=NULL, X=0, Y=0, Width=0, Height=0, XCountChars=0, YCountChars=0, FillAttribute=0, Flags=0, ShowWindow=SW_HIDE, Reserved2=0, Reserved3=NULL, hStdInput=NULL, hStdOutput=NU
0018FC9C |0018FCF8 øü ; \pProcessInformation = 0018FCF8 -> PROCESS_INFORMATION {hProcess=NULL, hThread=NULL, ProcessID=0 (0.), ThreadID=0}
This fails with file not found. Watching using ProcMon it appears that the actual file it is trying to use is ÿÿÿpü - which is obviously not a good thing.
Suspecting that I was passing the parameter incorrectly, under OllyDBG I manually edited the .code section of the exe to add C:\Windows\System32\Notepad.EXE after the end of the code and set the lpCommandLine parameter to point to that. Worked perfectly!
So I'm guessing the stack is getting messed around when passing a local variable from one routine to the system routine CreateProcessA.
How do I avoid this?
You would normally start another app with CreateProcess() or the older WinExec() which is not just a wrapper for CreateProcess().
Something like,
invoke WinExec,pFname,SW_SHOWNORMAL
Hi Hutch,
Thank you for taking the time to look at my thread and post a reply.
As usual (at least for me), once I have clarified all of my thoughts and distilled them into a post - something occurs to me :)
The problem is here :
0018FC7C |0018FC35 5ü ; |CommandLine = "C:\WINDOWS\System32\notepad.exe"
You'll notice the referenced variable is on the stack but above ESP, hence it was being overwritten when calling CreateProcess.
I moved it to a new variable located after ESP, and the problem has gone away!
Thanks again for having a look. Do I mark this as solved now? If so what is the correct procedure for doing that?
Nope, this is a forum of members, not a help desk. We help who we can and leave it there as reference for anyone else who may be interested.
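The following is an added example, not code from the thread or from any of the posters. It puts the pattern the thread describes (the command line built in stack space below ESP, where the pushes made for the next call overwrite it) next to the fix (a LOCAL inside the procedure's own frame, which stays valid for the whole call). It also addresses three things visible in the first post's stack dump that the thread did not discuss: STARTUPINFOA is passed with Size=0, so cb is set here; InheritHandles = TRUE hands the child every inheritable handle the parent owns, so FALSE is passed here; and the two handles CreateProcess returns are closed. The path is quoted because CreateProcess with a NULL lpApplicationName splits an unquoted command line on every space. It assumes the MASM32 SDK layout (\masm32\include, \masm32\lib) and a 32-bit build; the procedure names LaunchBad and LaunchGood are mine.

```asm
; Added example, not code from the thread. Assumes the MASM32 SDK layout.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
    ; quoted so CreateProcess does not try "C:\Windows\System32\notepad" first
    szExe  db '"C:\Windows\System32\notepad.exe"',0

.code

; WRONG: the command line is assembled in scratch space below ESP. Win32 x86
; has no red zone, so the pushes the invoke macros emit (40 bytes of arguments
; for CreateProcess alone) and each call's return address land on top of the
; buffer before CreateProcessA reads it. The thread saw this as a garbage file
; name in ProcMon and a file-not-found error.
LaunchBad proc USES edi
    LOCAL stInfo:STARTUPINFO
    LOCAL procInfo:PROCESS_INFORMATION

    invoke  RtlZeroMemory, addr stInfo, sizeof STARTUPINFO
    mov     stInfo.cb, sizeof STARTUPINFO
    invoke  RtlZeroMemory, addr procInfo, sizeof PROCESS_INFORMATION

    lea     edi, [esp-64]                   ; 64 bytes that nothing reserved
    invoke  lstrcpy, edi, addr szExe         ; lstrcpy's own frame overlaps the buffer
    invoke  CreateProcess, NULL, edi, NULL, NULL, FALSE, 0, NULL, NULL, addr stInfo, addr procInfo
    ret                                     ; contents of [edi] are undefined by now
LaunchBad endp

; RIGHT: the buffer is a LOCAL, i.e. inside this frame above ESP, so it is
; live (and writable, which CreateProcessW requires) for the whole call.
; Returns the new process ID in EAX, or 0 on failure (GetLastError has why).
LaunchGood proc
    LOCAL szCmd[MAX_PATH]:BYTE
    LOCAL stInfo:STARTUPINFO
    LOCAL procInfo:PROCESS_INFORMATION

    ; zero both structs, then set cb; the first post's dump shows Size=0
    invoke  RtlZeroMemory, addr stInfo, sizeof STARTUPINFO
    mov     stInfo.cb, sizeof STARTUPINFO
    invoke  RtlZeroMemory, addr procInfo, sizeof PROCESS_INFORMATION

    ; build the command line in the live frame
    invoke  lstrcpy, addr szCmd, addr szExe

    ; bInheritHandles = FALSE: the child gets no inheritable handles from us
    invoke  CreateProcess, NULL, addr szCmd, NULL, NULL, FALSE, 0, NULL, NULL, addr stInfo, addr procInfo
    .if eax == 0
        ret                                 ; EAX is already 0
    .endif

    ; we do not wait on the child, so release both handles straight away
    invoke  CloseHandle, procInfo.hThread
    invoke  CloseHandle, procInfo.hProcess
    mov     eax, procInfo.dwProcessId
    ret
LaunchGood endp

start:
    invoke  LaunchGood
    invoke  ExitProcess, 0
end start
```

Build it with the usual MASM32 command line (ml /c /coff, then link /SUBSYSTEM:WINDOWS). Stepping LaunchBad in OllyDbg shows the same picture as the first post's dump: the CommandLine pointer sits below the argument block, and the ten pushes walk over it before the call instruction executes.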