Hello all,
I'm not sure how to ask this, but how can I find out exactly what I'm invoking when using invoke? I understand that when I use
invoke CreateWindowEx [parameters]
that there'll be a lot of mov/push/pop going on, but where are the details?
Sorry in advance if this is a painfully stupid question. ;)
Hi Dromiceius,
Welcome on board. The trick is to write the code with a number of NOPs before and after it, then disassemble the code and find it from the multiple nops.
nop
nop
nop
invoke MyFunc,arg,num,etc ,,,,
nop
nop
nop
Disassemble it and look for the three nops. Between the first three and the second three is exactly how invoke works as direct mnemonic code.
Or you can just ask for a listing by including the /Fl option on your assembly.
For example, invoke MessageBox comes out in the listing as something like:
invoke MessageBox,0,addr AboutMsg,addr ProgName,0
00001112 6A 00 * push +000000000h
00001114 68 00000008 R * push OFFSET ProgName
00001119 68 00000020 R * push OFFSET AboutMsg
0000111E 6A 00 * push +000000000h
00001120 E8 00000000 E * call MessageBoxA
To cut down on the size of the listing, be sure to include a .nolist before your large library includes and a .listall afterward to turn the listing back on, e.g.
.nolist
include Windows.inc
uselib MACRO libname:req
include libname.inc
includelib libname.lib
ENDM
uselib user32
uselib kernel32
uselib shell32
uselib comctl32
uselib comdlg32
uselib gdi32
.listall
Understanding your question in a slightly different manner..
It's down to the "calling convention" of the function you're invoking.
For almost all Windows API functions, the convention is simply to push the arguments on the stack (in 'reverse' order) and then call the function. The function will clean the arguments off the stack on returning, and provide the result in eax.
All invoke does (in this case) is push the arguments and call the function. For C-style functions, it additionally cleans the stack up afterwards, as C functions don't do that for you on returning.
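An added example (not posted by anyone in this thread) that puts the two cases described above side by side: a stdcall API where the callee removes the arguments, and wsprintf, one of the few Win32 APIs declared with the C convention, where invoke has to add the stack cleanup itself. It assumes the MASM32 package layout under \masm32 and the PROTO declarations in its user32.inc.

```asm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc       ; assumed MASM32 install path
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szCaption db "invoke demo", 0
    szName    db "Dromiceius", 0
    szFmt     db "Hello %s, %d", 0
.data?
    szBuf     db 128 dup(?)

.code
start:
    ; --- stdcall: the case for almost every Win32 API ---
    ; invoke pushes the arguments right to left and calls; MessageBoxA
    ; pops its own 16 bytes of arguments on return (ret 16), result in eax.
    invoke MessageBox, NULL, addr szName, addr szCaption, MB_OK

    ; Hand-written equivalent of the invoke line above:
    push MB_OK
    push offset szCaption
    push offset szName
    push NULL
    call MessageBox

    ; --- C convention: user32.inc declares wsprintfA with PROTO C ---
    ; so invoke appends "add esp, 16" after the call to discard the four
    ; DWORD arguments, because a C-style callee leaves them on the stack.
    invoke wsprintf, addr szBuf, addr szFmt, addr szName, 42

    ; Hand-written equivalent, including the caller-side cleanup:
    push 42
    push offset szName
    push offset szFmt
    push offset szBuf
    call wsprintf
    add esp, 16

    invoke MessageBox, NULL, addr szBuf, addr szCaption, MB_OK
    invoke ExitProcess, 0
end start
```

Assemble with /Fl as Jimq suggests and the listing shows both invoke lines expanding to exactly the hand-written push/call sequences next to them.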
Quote from: hutch--
Disassemble it and look for the three nops. Between the first three and the second three is exactly how invoke works as direct mnemonic code.
Aha. I was expecting a "look in filename.ext" kind of response. I guess I can stop looking for it if it doesn't exist. Thanks for the reply.
Quote from: Jimq
Or you can just ask for a listing by including the /Fl option on your assembly.
For example, invoke messagebox comes out in the listing as something like-
Success! :cheekygreen:
Quote from: Todd
It's down to the "calling convention" of the function you're invoking.
For almost all Windows API functions, the convention is simply to push the arguments on the stack (in 'reverse' order) and then call the function. The function will clean the arguments off the stack on returning, and provide the result in eax.
All invoke does (in this case) is push the arguments and call the function. For C-style functions, it additionally cleans the stack up afterwards, as C functions don't do that for you on returning.
Right. That's pretty much what I wanted to know about. Still glad I figured out how to use ML on a command line, though. :lol