ImageHelp

Started by Grincheux, December 12, 2015, 04:10:13 PM


Grincheux

The MapAndLoad function has a parameter that tells whether the file is opened in write or read mode:

Quote:
ReadOnly [in]
The access mode. If this value is TRUE, the file is mapped for read-access only. If the value is FALSE, the file is mapped for read and write access.

UnMapAndLoad does this:
Quote:
The UnMapAndLoad function must be used to deallocate all resources that are allocated by a previous call to MapAndLoad. This function also writes a new checksum value into the image before the file is closed. This ensures that if a file is changed, it can be successfully loaded by the system loader.

If the file is loaded for reading, the function cannot write to it?

I don't understand.

ProcessFile PROC __lpszFileName:LPSTR
LOCAL _LoadedImage:Ptr LOADED_IMAGE

INVOKE MapAndLoad,__lpszFileName,NULL,ADDR _LoadedImage,TRUE,TRUE

test eax,eax
jz @Error

INVOKE UnMapAndLoad,ADDR _LoadedImage
ret

; **********************************************************************************
ALIGN 16
; **********************************************************************************

@Error :

INVOKE FatalError,NULL,NULL,ADDR szCannotMapFile

ret
ProcessFile ENDP

It crashes when I call UnMapAndLoad; there seems to be no reason for it. I would appreciate your advice.

dedndave

i am just guessing here....

    LOCAL _LoadedImage:Ptr LOADED_IMAGE

because it's a "Ptr", rather than a structure, insufficient space is allocated on the stack
so - other stuff is overwritten
what you really want is

    LOCAL _LoadedImage:LOADED_IMAGE

_LoadedImage is now a LOADED_IMAGE structure

Grincheux

A beginner's error...
Thank you

dedndave

otherwise, things are looking good

Grincheux

http://www.phrio.biz/download/$File.exe


When I call MapAndLoad the program crashes if there are local variables.
When I have no local variables, all is OK!

It seems that the stack is corrupted after the call. There are 20 bytes of errors.


ProcessFile            PROC   __lpszFileName:LPSTR
                  LOCAL   _lpFileHeader:Ptr IMAGE_NT_HEADERS32
                  LOCAL   _lpSections:Ptr IMAGE_SECTION_HEADER
                  LOCAL   _lpLastRvaSection:Ptr IMAGE_SECTION_HEADER
                  LOCAL   _lpDataDirectory:Ptr IMAGE_DATA_DIRECTORY

                  INVOKE   MapAndLoad,__lpszFileName,NULL,ADDR LoadedImage,TRUE,TRUE

                  mov      lpLoadedImage,eax

                  test   eax,eax
                  jz      @Error
DEBUG
                     mov      edx,[eax].LOADED_IMAGE.FileHeader
                     mov      _lpFileHeader,edx

                     mov      edx,[eax].LOADED_IMAGE.Sections
                     mov      _lpSections,edx

                     mov      edx,[eax].LOADED_IMAGE.LastRvaSection
                     mov      _lpLastRvaSection,edx

                     mov      edx,[eax].LOADED_IMAGE.SizeOfImage
                     add      edx,SIZEOF IMAGE_NT_HEADERS32
                     mov      _lpDataDirectory,edx

DEBUG
;   Find the IMPORTS table

;   Find the CODE section

                     INVOKE   UnMapAndLoad,lpLoadedImage

                     ret

;   **********************************************************************************
                  ALIGN   16
;   **********************************************************************************

@Error_1 :

                  INVOKE   UnMapAndLoad,lpLoadedImage

@Error :

                  INVOKE   FatalError,NULL,NULL,ADDR szCannotMapFile

                  ret
ProcessFile            ENDP


Quote:
Unhandled exception at 0x00401EB3 in File.exe: 0xC0000005: Access violation reading location 0x0000000D.

00401E90  push        ebp 
00401E91  mov         ebp,esp 
00401E93  add         esp,0FFFFFFF0h 
00401E96  push        1 
00401E98  push        1 
00401E9A  push        404744h 
00401E9F  push        0 
00401EA1  push        dword ptr [ebp+8] 
00401EA4  call        00401126  ; MapAndLoad
00401EA9  mov         dword ptr ds:[00404770h],eax 
00401EAE  test        eax,eax 
00401EB0  je          00401EFB 
00401EB2  int         3  ; DEBUG
00401EB3  mov         edx,dword ptr [eax+0Ch]  ; C R A S H
00401EB6  mov         dword ptr [ebp-4],edx 
00401EB9  mov         edx,dword ptr [eax+18h] 
00401EBC  mov         dword ptr [ebp-8],edx 
00401EBF  mov         edx,dword ptr [eax+10h] 
00401EC2  mov         dword ptr [ebp-0Ch],edx 
00401EC5  mov         edx,dword ptr [eax+28h] 
00401EC8  add         edx,0F8h 
00401ECE  mov         dword ptr [ebp-10h],edx 
00401ED1  int         3  ; DEBUG

dedndave

same as last time
when you use "Ptr xxxx", it means it is a pointer type
address, or address placeholder
addresses in 32-bit programs are 32-bits in size

when you see an argument that is a Ptr, it means they want you to pass the address of that data type
so, to pass a PRECT, for example (pointer to a RECT structure)

    LOCAL    rcSomeName    :RECT

    INVOKE  GetWindowRect,hWnd,addr rcSomeName


the ADDR operator means "pass the address of"
for local variables, the assembler performs the following....

    lea     eax,rcSomeName
    INVOKE  GetWindowRect,hWnd,eax

Grincheux

I don't understand.


Quote:
LPLOADED_IMAGE   TYPEDEF   PTR LOADED_IMAGE
LoadedImage      LOADED_IMAGE   <>
lpLoadedImage    LPLOADED_IMAGE ?



dedndave

when the MSDN page describes an argument as a pointer to <something>
that means you create <something>, and pass the address to the function

if you want a Ptr to a LOADED_IMAGE structure,
create the structure, then pass the address of the structure to the function

dedndave

LPLOADED_IMAGE   TYPEDEF   PTR LOADED_IMAGE

C is a strongly-typed language
don't get bogged down in trying to create all these pointer types
in these cases, i usually refer to it as an LPVOID, which is TYPEDEF'ed in windows.inc as a DWORD

dedndave

    local   lis     :LOADED_IMAGE

    INVOKE  Something,addr lis

dedndave

                  LOCAL   _lpFileHeader:Ptr IMAGE_NT_HEADERS32
                  LOCAL   _lpSections:Ptr IMAGE_SECTION_HEADER
                  LOCAL   _lpLastRvaSection:Ptr IMAGE_SECTION_HEADER
                  LOCAL   _lpDataDirectory:Ptr IMAGE_DATA_DIRECTORY


                  LOCAL   _FileHeader     :IMAGE_NT_HEADERS32
                  LOCAL   _Sections       :IMAGE_SECTION_HEADER
                  LOCAL   _LastRvaSection :IMAGE_SECTION_HEADER
                  LOCAL   _DataDirectory  :IMAGE_DATA_DIRECTORY



TWell

Quote from: Grincheux on December 13, 2015, 07:18:21 AM
I don't understand.

LPLOADED_IMAGE   TYPEDEF   PTR LOADED_IMAGE
LoadedImage      LOADED_IMAGE   <>
lpLoadedImage    LPLOADED_IMAGE ?

LoadedImage      LOADED_IMAGE   <> is a struct
lpLoadedImage    LPLOADED_IMAGE ? is a pointer to a struct
ProcessFile            PROC   __lpszFileName:LPSTR
                  LOCAL   LoadedImage :LOADED_IMAGE ; space for that struct
                  LOCAL   _lpFileHeader:Ptr IMAGE_NT_HEADERS32
                  LOCAL   _lpSections:Ptr IMAGE_SECTION_HEADER
                  LOCAL   _lpLastRvaSection:Ptr IMAGE_SECTION_HEADER
                  LOCAL   _lpDataDirectory:Ptr IMAGE_DATA_DIRECTORY

                  INVOKE   MapAndLoad,__lpszFileName,NULL,ADDR LoadedImage,TRUE,TRUE


Grincheux

The error was that I used the value returned by MapAndLoad as a pointer to a LOADED_IMAGE structure.
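A worked example, added here and not part of the thread or of ImageHlp: a small C stand-in for MapAndLoad that parses a PE32 image from an in-memory buffer with bounds checks, returns a BOOL and fills a LOADED_IMAGE-like structure through an out-pointer, then recomputes the header checksum the way UnMapAndLoad does before closing a writable mapping. The names loaded_image_t, map_and_load_buffer, pe_checksum, fixup_checksum and build_sample_pe are this example's own, the sample image is constructed inside build_sample_pe, and the checksum routine follows the commonly published reconstruction of CheckSumMappedFile (a 16-bit ones'-complement sum that skips the CheckSum field, plus the file length), which is assumed rather than taken from ImageHlp. The field offset 0Ch for FileHeader is the one visible in the disassembly above.

```c
/* Added example, not code from the thread: a read-only, bounds-checked stand-in for
 * ImageHlp's MapAndLoad over an in-memory buffer, plus the PE checksum UnMapAndLoad
 * recomputes. loaded_image_t, map_and_load_buffer, pe_checksum, fixup_checksum and
 * build_sample_pe are this example's own names; the sample image is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
    NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } file_header_t; /* 20 bytes */
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics; } section_header_t;                                      /* 40 bytes */
#pragma pack(pop)

/* Filled through the out-pointer, like LOADED_IMAGE. The function's return value is
 * only a BOOL, as with MapAndLoad: treating that 1 as the structure's address and
 * reading FileHeader at +0Ch is the "reading location 0x0000000D" from the thread. */
typedef struct {
    const uint8_t *MappedAddress, *FileHeader;   /* FileHeader -> "PE\0\0" at e_lfanew */
    const section_header_t *Sections;
    uint32_t NumberOfSections, SizeOfImage, CheckSum;
    size_t CheckSumOffset;                       /* file offset of the CheckSum field */
} loaded_image_t;

#define OPT_HDR32_SIZE 224u      /* IMAGE_OPTIONAL_HEADER32 with 16 data directories */

/* Every offset is validated against len before use, so a truncated or hostile
 * file returns 0 instead of reading out of bounds. PE32 only. */
int map_and_load_buffer(const uint8_t *buf, size_t len, loaded_image_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 64 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t e_lfanew; memcpy(&e_lfanew, buf + 0x3C, 4);
    if (e_lfanew > len || len - e_lfanew < 4 + sizeof(file_header_t)) return 0;
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0) return 0;
    file_header_t fh; memcpy(&fh, buf + e_lfanew + 4, sizeof fh);
    size_t opt = e_lfanew + 4 + sizeof fh;       /* optional header follows the file header */
    if (fh.SizeOfOptionalHeader < 68 || len - opt < fh.SizeOfOptionalHeader) return 0;
    uint16_t magic; memcpy(&magic, buf + opt, 2);
    if (magic != 0x10B) return 0;                /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */
    size_t sec_off = opt + fh.SizeOfOptionalHeader;
    if ((size_t)fh.NumberOfSections * sizeof(section_header_t) > len - sec_off) return 0;
    const section_header_t *sec = (const section_header_t *)(buf + sec_off);
    for (uint32_t i = 0; i < fh.NumberOfSections; i++)     /* raw data must lie inside the file */
        if ((uint64_t)sec[i].PointerToRawData + sec[i].SizeOfRawData > len) return 0;
    out->MappedAddress = buf;  out->FileHeader = buf + e_lfanew;
    out->Sections = sec;       out->NumberOfSections = fh.NumberOfSections;
    memcpy(&out->SizeOfImage, buf + opt + 56, 4);
    memcpy(&out->CheckSum, buf + opt + 64, 4);
    out->CheckSumOffset = opt + 64;
    return 1;                                    /* BOOL success, not a pointer */
}

/* Ones'-complement 16-bit sum of the file with the CheckSum field skipped, plus the
 * file length: the widely published reconstruction of CheckSumMappedFile (assumed). */
uint32_t pe_checksum(const uint8_t *d, size_t len, size_t cs_off)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        if (i >= cs_off && i < cs_off + 4) continue;
        sum += (uint32_t)d[i] | ((uint32_t)d[i + 1] << 8);
        sum = (sum & 0xFFFFu) + (sum >> 16);     /* end-around carry */
    }
    if (len & 1) { sum += d[len - 1]; sum = (sum & 0xFFFFu) + (sum >> 16); }
    sum = (sum & 0xFFFFu) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* What UnMapAndLoad does on a writable mapping: store a fresh checksum in the header. */
uint32_t fixup_checksum(uint8_t *buf, size_t len, const loaded_image_t *img)
{
    uint32_t c = pe_checksum(buf, len, img->CheckSumOffset);
    memcpy(buf + img->CheckSumOffset, &c, 4);
    return c;
}

/* Constructed sample: minimal PE32 with two 0x200-byte sections; headers only, not runnable. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const uint32_t e_lfanew = 0x80, hdrs = 0x200;
    const size_t total = hdrs + 2 * 0x200, opt = e_lfanew + 4 + sizeof(file_header_t);
    if (cap < total || opt + OPT_HDR32_SIZE + 2 * sizeof(section_header_t) > hdrs) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + 0x3C, &e_lfanew, 4);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    file_header_t fh = {0};
    fh.Machine = 0x14C; fh.NumberOfSections = 2;             /* i386, two sections */
    fh.SizeOfOptionalHeader = OPT_HDR32_SIZE; fh.Characteristics = 0x0102;
    memcpy(buf + e_lfanew + 4, &fh, sizeof fh);
    uint16_t magic = 0x10B, subsys = 3; uint32_t v;
    memcpy(buf + opt, &magic, 2);
    v = 0x3000; memcpy(buf + opt + 56, &v, 4);   /* SizeOfImage */
    v = hdrs;   memcpy(buf + opt + 60, &v, 4);   /* SizeOfHeaders */
    memcpy(buf + opt + 68, &subsys, 2);          /* Subsystem: console */
    v = 16;     memcpy(buf + opt + 92, &v, 4);   /* NumberOfRvaAndSizes */
    section_header_t s[2]; memset(s, 0, sizeof s);
    memcpy(s[0].Name, ".text", 5); s[0].VirtualAddress = 0x1000; s[0].PointerToRawData = 0x200;
    memcpy(s[1].Name, ".data", 5); s[1].VirtualAddress = 0x2000; s[1].PointerToRawData = 0x400;
    for (int i = 0; i < 2; i++) s[i].VirtualSize = s[i].SizeOfRawData = 0x200;
    s[0].Characteristics = 0x60000020; s[1].Characteristics = 0xC0000040;   /* code r-x, data rw- */
    memcpy(buf + opt + OPT_HDR32_SIZE, s, sizeof s);
    buf[0x200] = 0xC3;                           /* .text holds a single "ret" */
    return total;
}

int main(void)
{
    uint8_t buf[2048]; loaded_image_t img;
    size_t n = build_sample_pe(buf, sizeof buf);
    if (!map_and_load_buffer(buf, n, &img)) return 1;
    for (uint32_t i = 0; i < img.NumberOfSections; i++)
        printf("%-8.8s rva=%08x raw=%08x\n", (const char *)img.Sections[i].Name,
               img.Sections[i].VirtualAddress, img.Sections[i].PointerToRawData);
    printf("stored checksum %08x, recomputed %08x\n", img.CheckSum, fixup_checksum(buf, n, &img));
    return 0;
}
```

The point the thread ends on is visible in the signature of map_and_load_buffer: the result comes back through the out-pointer, and the return value is 1 or 0. Taking TRUE as the structure's address and reading FileHeader at +0Ch gives exactly the 0x0000000D fault address quoted above. Two caveats for anyone mapping files this way: a real MapAndLoad maps attacker-controlled bytes, so every header offset and section range should be validated as the stand-in does before it is dereferenced; and the checksum UnMapAndLoad rewrites is a loader sanity check, not an integrity control, since anyone who can modify the file can recompute it.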