The MapAndLoad function has a parameter telling whether the file is opened in write or read mode:
Quote: ReadOnly [in]
The access mode. If this value is TRUE, the file is mapped for read-access only. If the value is FALSE, the file is mapped for read and write access.
UnMapAndLoad does this:
Quote: The UnMapAndLoad function must be used to deallocate all resources that are allocated by a previous call to MapAndLoad (https://msdn.microsoft.com/en-us/library/windows/desktop/ms680353(v=vs.85).aspx). This function also writes a new checksum value into the image before the file is closed. This ensures that if a file is changed, it can be successfully loaded by the system loader.
If the file is loaded for reading, the function cannot write to it?
I don't understand.
ProcessFile PROC __lpszFileName:LPSTR
LOCAL _LoadedImage:Ptr LOADED_IMAGE
INVOKE MapAndLoad,__lpszFileName,NULL,ADDR _LoadedImage,TRUE,TRUE
test eax,eax
jz @Error
INVOKE UnMapAndLoad,ADDR _LoadedImage
ret
; **********************************************************************************
ALIGN 16
; **********************************************************************************
@Error :
INVOKE FatalError,NULL,NULL,ADDR szCannotMapFile
ret
ProcessFile ENDP
It crashes when I call UnMapAndLoad; it seems there is no reason. I would appreciate your advice.
i am just guessing here....
LOCAL _LoadedImage:Ptr LOADED_IMAGE
because it's a "Ptr", rather than a structure, insufficient space is allocated on the stack
so - other stuff is overwritten
what you really want is
LOCAL _LoadedImage:LOADED_IMAGE
_LoadedImage is now a LOADED_IMAGE structure
A beginner error...
Thanks :greenclp:
otherwise, things are looking good :t
http://www.phrio.biz/download/$File.exe
When I call MapAndLoad the program crashes if there are local variables. When I have no local variables, all is OK! It seems that the stack is corrupted after the call. There are 20 bytes of error.
ProcessFile PROC __lpszFileName:LPSTR
LOCAL _lpFileHeader:Ptr IMAGE_NT_HEADERS32
LOCAL _lpSections:Ptr IMAGE_SECTION_HEADER
LOCAL _lpLastRvaSection:Ptr IMAGE_SECTION_HEADER
LOCAL _lpDataDirectory:Ptr IMAGE_DATA_DIRECTORY
INVOKE MapAndLoad,__lpszFileName,NULL,ADDR LoadedImage,TRUE,TRUE
mov lpLoadedImage,eax
test eax,eax
jz @Error
DEBUG
mov edx,[eax].LOADED_IMAGE.FileHeader
mov _lpFileHeader,edx
mov edx,[eax].LOADED_IMAGE.Sections
mov _lpSections,edx
mov edx,[eax].LOADED_IMAGE.LastRvaSection
mov _lpLastRvaSection,edx
mov edx,[eax].LOADED_IMAGE.SizeOfImage
add edx,SIZEOF IMAGE_NT_HEADERS32
mov _lpDataDirectory,edx
DEBUG
; Find the IMPORTS table
; Find the CODE section
INVOKE UnMapAndLoad,lpLoadedImage
ret
; **********************************************************************************
ALIGN 16
; **********************************************************************************
@Error_1 :
INVOKE UnMapAndLoad,lpLoadedImage
@Error :
INVOKE FatalError,NULL,NULL,ADDR szCannotMapFile
ret
ProcessFile ENDP
Quote: Unhandled exception at 0x00401EB3 in File.exe: 0xC0000005: Access violation reading location 0x0000000D.
00401E90 push ebp
00401E91 mov ebp,esp
00401E93 add esp,0FFFFFFF0h
00401E96 push 1
00401E98 push 1
00401E9A push 404744h
00401E9F push 0
00401EA1 push dword ptr [ebp+8]
00401EA4 call 00401126 ; MapAndLoad
00401EA9 mov dword ptr ds:[00404770h],eax
00401EAE test eax,eax
00401EB0 je 00401EFB
00401EB2 int 3 ; DEBUG
00401EB3 mov edx,dword ptr [eax+0Ch] ; C R A S H
00401EB6 mov dword ptr [ebp-4],edx
00401EB9 mov edx,dword ptr [eax+18h]
00401EBC mov dword ptr [ebp-8],edx
00401EBF mov edx,dword ptr [eax+10h]
00401EC2 mov dword ptr [ebp-0Ch],edx
00401EC5 mov edx,dword ptr [eax+28h]
00401EC8 add edx,0F8h
00401ECE mov dword ptr [ebp-10h],edx
00401ED1 int 3 ; DEBUG
same as last time
when you use "Ptr xxxx", it means it is a pointer type
address, or address placeholder
addresses in 32-bit programs are 32-bits in size
when you see an argument that is a Ptr, it means they want you to pass the address of that data type
so, to pass a PRECT, for example (pointer to a RECT structure)
LOCAL rcSomeName :RECT
INVOKE GetWindowRect,hWnd,addr rcSomeName
the ADDR operator means "pass the address of"
for local variables, the assembler performs the following....
lea eax,rcSomeName
INVOKE GetWindowRect,hWnd,eax
I don't understand.
Quote: LPLOADED_IMAGE TYPEDEF PTR LOADED_IMAGE
LoadedImage LOADED_IMAGE <>
lpLoadedImage LPLOADED_IMAGE ?
when the MSDN page describes an argument as a pointer to <something>
that means you create <something>, and pass the address to the function
if you want a Ptr to a LOADED_IMAGE structure,
create the structure, then pass the address of the structure to the function
LPLOADED_IMAGE TYPEDEF PTR LOADED_IMAGE
C is a strongly-typed language
don't get bogged down in trying to create all these pointer types
in these cases, i usually refer to it as an LPVOID, which is TYPEDEF'ed in windows.inc as a DWORD :P
local lis :LOADED_IMAGE
INVOKE Something,addr lis
LOCAL _lpFileHeader:Ptr IMAGE_NT_HEADERS32
LOCAL _lpSections:Ptr IMAGE_SECTION_HEADER
LOCAL _lpLastRvaSection:Ptr IMAGE_SECTION_HEADER
LOCAL _lpDataDirectory:Ptr IMAGE_DATA_DIRECTORY
LOCAL _FileHeader :IMAGE_NT_HEADERS32
LOCAL _Sections :IMAGE_SECTION_HEADER
LOCAL _LastRvaSection :IMAGE_SECTION_HEADER
LOCAL _DataDirectory :IMAGE_DATA_DIRECTORY
:t
Quote from: Grincheux on December 13, 2015, 07:18:21 AM
I don't understand.
Quote: LPLOADED_IMAGE TYPEDEF PTR LOADED_IMAGE
LoadedImage LOADED_IMAGE <>
lpLoadedImage LPLOADED_IMAGE ?
LoadedImage LOADED_IMAGE <> is a struct
lpLoadedImage LPLOADED_IMAGE ? is a pointer to a struct
ProcessFile PROC __lpszFileName:LPSTR
LOCAL LoadedImage :LOADED_IMAGE ; space for that struct
LOCAL _lpFileHeader:Ptr IMAGE_NT_HEADERS32
LOCAL _lpSections:Ptr IMAGE_SECTION_HEADER
LOCAL _lpLastRvaSection:Ptr IMAGE_SECTION_HEADER
LOCAL _lpDataDirectory:Ptr IMAGE_DATA_DIRECTORY
INVOKE MapAndLoad,__lpszFileName,NULL,ADDR LoadedImage,TRUE,TRUE
The error was that I used the value returned by MapAndLoad as a pointer to an IMAGE_LOAD structure.
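Pulling the two fixes from this thread together (the structure itself, not a Ptr, as the LOCAL, and the BOOL return of MapAndLoad tested rather than dereferenced), here is a complete ProcessFile as an added example; it is not code from the thread. It assumes masm32's windows.inc definitions of LOADED_IMAGE, IMAGE_NT_HEADERS32 and IMAGE_SECTION_HEADER, and the thread's own FatalError procedure and szCannotMapFile string.

```masm
; Added example, not from the thread. Assumes windows.inc structures and the
; thread's FatalError / szCannotMapFile.
ProcessFile PROC USES esi __lpszFileName:LPSTR
    LOCAL LoadedImage:LOADED_IMAGE              ; SIZEOF LOADED_IMAGE bytes on the stack
    LOCAL _lpFileHeader:Ptr IMAGE_NT_HEADERS32  ; a Ptr local is 4 bytes: it holds an address
    LOCAL _lpCodeSection:Ptr IMAGE_SECTION_HEADER
    LOCAL _dwImportRva:DWORD

    ; ReadOnly = TRUE: we only parse, so UnMapAndLoad has nothing to rewrite
    INVOKE MapAndLoad,__lpszFileName,NULL,ADDR LoadedImage,TRUE,TRUE
    test eax,eax                                ; MapAndLoad returns a BOOL, not a pointer
    jz @Error

    ; every pointer we need is read out of the structure we own, never out of eax
    mov edx,LoadedImage.FileHeader
    mov _lpFileHeader,edx
    mov eax,[edx].IMAGE_NT_HEADERS32.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT*SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress
    mov _dwImportRva,eax                        ; 0 means the image has no import table

    ; walk the section table and remember the first section flagged as code
    mov _lpCodeSection,NULL
    mov esi,LoadedImage.Sections
    mov ecx,LoadedImage.NumberOfSections
    .WHILE ecx != 0
        test [esi].IMAGE_SECTION_HEADER.Characteristics,IMAGE_SCN_CNT_CODE
        .IF !ZERO?
            mov _lpCodeSection,esi
            .BREAK
        .ENDIF
        add esi,SIZEOF IMAGE_SECTION_HEADER
        dec ecx
    .ENDW

    INVOKE UnMapAndLoad,ADDR LoadedImage        ; the same address MapAndLoad filled in
    mov eax,TRUE
    ret
@Error:
    INVOKE FatalError,NULL,NULL,ADDR szCannotMapFile
    xor eax,eax
    ret
ProcessFile ENDP
```

With _lpCodeSection and _dwImportRva filled in, the two searches the original comments ask for (the IMPORTS table and the CODE section) are done before the image is unmapped; both pointers are only valid until UnMapAndLoad returns.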