The MASM Forum Archive 2004 to 2012

General Forums => The Campus => Topic started by: redskull on January 16, 2006, 05:03:57 PM

Title: API function address
Post by: redskull on January 16, 2006, 05:03:57 PM
This question is really to satisfy my own curious nature, but I was wondering how exactly the assembler figures out the right addresses to call functions with.  The following is what I think I understand:

1. When you assemble "invoke FunctionName, Parameter1, Parameter2", you get something like "push Parameter2, push Parameter1, call somenumberaddress".
2. The include library contains information about the number of parameters you pass to it for error checking with invoke.
3. The include file has the function declarations, so the assembler knows where in the file certain functions are.
4. When transferring control to a Windows function, there's a myriad of call gates and jumps to DLLs which jump to level 0 functions internal to the Windows kernel, etc etc.
5. Someone said that the function call still internally uses an Interrupt and IVT to actually call the function.

I guess my real question is, when the assembler generates a CALL instruction to a Windows API function, how does it know the address?

alan
Title: Re: API function address
Post by: Tedd on January 16, 2006, 05:30:02 PM
It doesn't :bdg

It (usually) generates a call to a jmp, which jumps to the pointer to the function stored in the import table (as part of the PE file).
The correct address is written into the import table (by the OS) when the PE file is loaded, ready for executing.
It can also be done without the jmp, by loading the function pointer into a register and calling that.

Rough example:
#code#
  .
  .
call _jmp_messageboxa
.
.


_jmp_messageboxa:
    jmp [offset_messageboxa]

------------------------------------

#import_section#

;imports from kernel32.dll
blah  dd ?
blah2 dd ?

;imports from user32.dll
offset_messageboxa dd ?    ;;filled in by the PE loader when the file is loaded, but before it starts running
Title: Re: API function address
Post by: ThoughtCriminal on January 18, 2006, 06:41:32 AM
Turning off incremental linking will in most cases remove the jump table, generating code like this:

invoke LoadLibrary,[edi]+pLibName

    FF 15 00 20 40 00 call        dword ptr [__imp__LoadLibraryA@4 (402000h)]

Looking in my debugger:

00402000 = 7C801D77

So address 402000h stores a pointer to 7C801D77h, the entry point for LoadLibraryA.
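Both replies describe the same mechanism from two angles: the call site never contains the API's address, only the address of an import-table (IAT) slot, reached either directly (`FF 15 [slot]`, ThoughtCriminal's listing) or through a `_jmp_` thunk (`E8 rel32` to `FF 25 [slot]`, Tedd's sketch), and the loader writes the real entry point into that slot before the program runs. The following is an added example, not code from either poster: it hand-assembles both call forms into a constructed byte string at an assumed code address of 0x401000, models the IAT as a small dictionary (the 0x402000 -> 0x7C801D77 pair is taken from the debugger output above; the 0x402004 slot and its value are constructed), and follows each CALL to the address it would ultimately land on. Walking code in this way, and comparing the slot contents against what the loader should have written, is also the basis of routine IAT-integrity checks in forensic tooling.

```python
import struct

# Constructed sample image: 32-bit, loaded at 0x400000. The IAT slots below
# hold what the PE loader writes in before the entry point runs.
IAT = {
    0x402000: 0x7C801D77,   # __imp__LoadLibraryA@4 (value from the thread)
    0x402004: 0x7E450000,   # constructed slot/value standing in for MessageBoxA
}


def build_code():
    """Hand-assemble the two call styles discussed in the thread.

    Layout (all addresses assumed for this example):
      0x401000  FF 15 00 20 40 00   call dword ptr [0x402000]  ; direct, no thunk
      0x401006  E8 05 00 00 00      call 0x401010              ; via _jmp_ thunk
      0x40100B  CC x5               padding
      0x401010  FF 25 04 20 40 00   jmp  dword ptr [0x402004]  ; the thunk itself
    Returns (load address of the code, code bytes).
    """
    code_va = 0x401000
    thunk_va = 0x401010
    direct = b"\xFF\x15" + struct.pack("<I", 0x402000)
    # rel32 is relative to the address of the instruction that follows the call
    next_ip = code_va + len(direct) + 5
    via_thunk = b"\xE8" + struct.pack("<i", thunk_va - next_ip)
    pad = b"\xCC" * (thunk_va - (code_va + len(direct) + len(via_thunk)))
    thunk = b"\xFF\x25" + struct.pack("<I", 0x402004)
    return code_va, direct + via_thunk + pad + thunk


def resolve_call(code_va, code, call_va, iat):
    """Follow one CALL at call_va to the API address it finally reaches.

    Returns (form, iat_slot, target) where form is 'direct' for
    call dword ptr [slot] and 'thunk' for call -> jmp dword ptr [slot].
    """
    off = call_va - code_va
    op = code[off]
    if op == 0xFF and code[off + 1] == 0x15:            # call dword ptr [abs32]
        slot = struct.unpack_from("<I", code, off + 2)[0]
        return "direct", slot, iat[slot]
    if op == 0xE8:                                      # call rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        dest = call_va + 5 + rel
        doff = dest - code_va
        if code[doff] == 0xFF and code[doff + 1] == 0x25:   # jmp dword ptr [abs32]
            slot = struct.unpack_from("<I", code, doff + 2)[0]
            return "thunk", slot, iat[slot]
        raise ValueError(f"call target {dest:#x} is not an import thunk")
    raise ValueError(f"unsupported opcode {op:#x} at {call_va:#x}")


def find_import_calls(code_va, code, iat):
    """Scan the code linearly for both call forms and resolve each one."""
    found = []
    i = 0
    while i < len(code):
        va = code_va + i
        if code[i] == 0xE8 or (code[i] == 0xFF and code[i + 1] == 0x15):
            found.append((va,) + resolve_call(code_va, code, va, iat))
            i += 5 if code[i] == 0xE8 else 6
        else:
            i += 1
    return found


if __name__ == "__main__":
    va, code = build_code()
    for call_va, form, slot, target in find_import_calls(va, code, IAT):
        print(f"{call_va:#x}: {form:6s} via IAT slot {slot:#x} -> {target:#010x}")
```

Running it prints one line per call site, e.g. `0x401000: direct via IAT slot 0x402000 -> 0x7c801d77`, which is exactly the `00402000 = 7C801D77` relationship shown in the debugger above; the thunk form differs only in the extra `jmp` hop, which is why turning off incremental linking makes it disappear without changing where the call ends up.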