invoke HELP

asmcoder · August 30, 2013, 07:22:23 PM

Inline_NtQueryDirectoryFile_New proc FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FileInformation,FileInformationLength,FileInformationClass,ReturnSingleEntry,FileName,RestartScan
	push RestartScan
	push FileName
	push ReturnSingleEntry
	push FileInformationClass
	push FileInformationLength
	push FileInformation
	push IoStatusBlock
	push ApcContext
	push ApcRoutine
	push Event
	push FileHandle
	call Inline_NtQueryDirectoryFile_HookZone
	
	ret
Inline_NtQueryDirectoryFile_New endp


OPTION PROLOGUE:NONE
OPTION EPILOGUE:NONE	
Inline_NtQueryDirectoryFile_HookZone proc

	db 10 dup (90h)
	jmp NtQueryDirectoryFile_JmpBack
	
Inline_NtQueryDirectoryFile_HookZone endp
OPTION PROLOGUE:PROLOGUEDEF
OPTION EPILOGUE:EPILOGUEDEF

as you see above,
i pushed some args and call Inline_NtQueryDirectoryFile_HookZone.
is there a way to use invoke instead ?

regards.

jj2007 · August 30, 2013, 07:43:39 PM

If you want to hide a system folder (C example here), why programmatically? You can do that easily in Explorer, just right-click on the folder and check the "hidden" box...

asmcoder · August 30, 2013, 10:11:59 PM

Thanks jj, i know macro can implement it , but i never wrote macros, don't know how to do it...

dedndave · August 30, 2013, 10:21:23 PM

you need a PROTOtype to use INVOKE
we usually place them very near the beginning of source, perhaps in an INClude file
but, here is a simple example...

Code Select

;assemble as a console app

;###############################################################################################

        .XCREF
        .NoList
        INCLUDE    \Masm32\Include\Masm32rt.inc
        .List

;###############################################################################################

GetStrLen PROTO :LPSTR

;###############################################################################################

        .DATA

szSomeStr db 'Some String',0

;***********************************************************************************************

        .DATA?

;###############################################################################################

        .CODE

;***********************************************************************************************

_main   PROC

        INVOKE  GetStrLen,offset szSomeStr
        print   ustr$(eax)

        print   chr$(13,10)
        inkey
        INVOKE  ExitProcess,0

_main   ENDP

;***********************************************************************************************

GetStrLen PROC USES EDI lpszString:LPSTR

        xor     eax,eax
        mov     edi,lpszString
        or      ecx,-1
        repnz   scasb
        or      eax,-2
        sub     eax,ecx
        ret

GetStrLen ENDP

;###############################################################################################

        END     _main

asmcoder · August 30, 2013, 11:04:27 PM

Quote from: dedndave on August 30, 2013, 10:21:23 PM
you need a PROTOtype to use INVOKE
we usually place them very near the beginning of source, perhaps in an INClude file
but, here is a simple example...

Code Select Expand
;assemble as a console app ;############################################################################################### .XCREF .NoList INCLUDE \Masm32\Include\Masm32rt.inc .List ;############################################################################################### GetStrLen PROTO :LPSTR ;############################################################################################### .DATA szSomeStr db 'Some String',0 ;*********************************************************************************************** .DATA? ;############################################################################################### .CODE ;*********************************************************************************************** _main PROC INVOKE GetStrLen,offset szSomeStr print ustr$(eax) print chr$(13,10) inkey INVOKE ExitProcess,0 _main ENDP ;*********************************************************************************************** GetStrLen PROC USES EDI lpszString:LPSTR xor eax,eax mov edi,lpszString or ecx,-1 repnz scasb or eax,-2 sub eax,ecx ret GetStrLen ENDP ;############################################################################################### END _main

Thanks, i know must have a proto type for invoke . but what i need is to invoke a 'label' , not a proc.

asmcoder · August 30, 2013, 11:10:25 PM

for example , in c ,we can :

Code Select


typedef NTSTATUS (*NtQueryDirectoryFile)(
	IN  HANDLE FileHandle,
	IN  HANDLE Event OPTIONAL,
	IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
	IN  PVOID ApcContext OPTIONAL,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	OUT PVOID FileInformation,
	IN  ULONG Length,
	IN  FILE_INFORMATION_CLASS FileInformationClass,
	IN  BOOLEAN ReturnSingleEntry,
	IN  PUNICODE_STRING FileName OPTIONAL,
	IN  BOOLEAN RestartScan
	);
NtQueryDirectoryFile OldNtQueryDirectoryFile;

	OldNtQueryDirectoryFile = (NtQueryDirectoryFile)NtQueryDirectoryFileHookZone;
	status = OldNtQueryDirectoryFile(FileHandle,\
		                             Event,
		                             ApcRoutine,
		                             ApcContext,
		                             IoStatusBlock,
		                             FileInformation,
		                             FileInformationLength,
		                             FileInformationClass,
		                             ReturnSingleEntry,
		                             FileName,
		                             RestartScan);

OldNtQueryDirectoryFile is a dword saved an address . how can i do this in asm using invoke or macro ?

dedndave · August 30, 2013, 11:30:10 PM

i got this method from qWord (forum member)
lpfnGetStrLen is now a variable of the type PGETSTRLEN that can be directly INVOKE'd

you could create a half dozen or so and reuse the types
so, you'd have types with 1, 2, 3, 4, 5, 6 parms, etc

Code Select

;assemble as a console app

;###############################################################################################

        .XCREF
        .NoList
        INCLUDE    \Masm32\Include\Masm32rt.inc
        .List

;###############################################################################################

GETSTRLEN  TYPEDEF PROTO :LPSTR
PGETSTRLEN TYPEDEF Ptr GETSTRLEN

;###############################################################################################

        .DATA
        ALIGN   4

lpfnGetStrLen PGETSTRLEN GetStrLen
szSomeStr     db         'Some String',0

;***********************************************************************************************

        .DATA?

;###############################################################################################

        .CODE

;***********************************************************************************************

_main   PROC

        INVOKE  lpfnGetStrLen,offset szSomeStr
        print   ustr$(eax)

        print   chr$(13,10)
        inkey
        INVOKE  ExitProcess,0

_main   ENDP

;***********************************************************************************************

GetStrLen PROC USES EDI lpszString:LPSTR

        xor     eax,eax
        mov     edi,lpszString
        or      ecx,-1
        repnz   scasb
        or      eax,-2
        sub     eax,ecx
        ret

GetStrLen ENDP

;###############################################################################################

        END     _main

asmcoder · August 30, 2013, 11:45:54 PM

Quote from: dedndave on August 30, 2013, 11:30:10 PM
i got this method from qWord (forum member)
lpfnGetStrLen is now a variable of the type PGETSTRLEN that can be directly INVOKE'd

you could create a half dozen or so and reuse the types
so, you'd have types with 1, 2, 3, 4, 5, 6 parms, etc

Code Select Expand
;assemble as a console app ;############################################################################################### .XCREF .NoList INCLUDE \Masm32\Include\Masm32rt.inc .List ;############################################################################################### GETSTRLEN TYPEDEF PROTO :LPSTR PGETSTRLEN TYPEDEF Ptr GETSTRLEN ;############################################################################################### .DATA ALIGN 4 lpfnGetStrLen PGETSTRLEN GetStrLen szSomeStr db 'Some String',0 ;*********************************************************************************************** .DATA? ;############################################################################################### .CODE ;*********************************************************************************************** _main PROC INVOKE lpfnGetStrLen,offset szSomeStr print ustr$(eax) print chr$(13,10) inkey INVOKE ExitProcess,0 _main ENDP ;*********************************************************************************************** GetStrLen PROC USES EDI lpszString:LPSTR xor eax,eax mov edi,lpszString or ecx,-1 repnz scasb or eax,-2 sub eax,ecx ret GetStrLen ENDP ;############################################################################################### END _main

That's Great! Thanks! using the method i did it !

Code Select

_NtQueryDirectoryFile typedef proto :dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword

PNtQueryDirectoryFile TYPEDEF Ptr _NtQueryDirectoryFile

Inline_NtQueryDirectoryFile_New proc FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FileInformation,FileInformationLength,FileInformationClass,ReturnSingleEntry,FileName,RestartScan
	LOCAL @status ,@name_offset,@name_size_offset  ,@curr ,@prev 
	LOCAL @oldFunc:PNtQueryDirectoryFile
	
	mov @oldFunc,Inline_NtQueryDirectoryFile_HookZone
	invoke @oldFunc,FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FileInformation,FileInformationLength,FileInformationClass,ReturnSingleEntry,FileName,RestartScan

The MASM Forum

News:

invoke HELP

asmcoder

jj2007

asmcoder

dedndave

asmcoder

asmcoder

dedndave

asmcoder