API function address

Started by redskull, January 16, 2006, 05:03:57 PM


redskull

This question is really to satisfy my own curious nature, but I was wondering how exactly the assembler figures out the right addresses to call functions with. The following is what I think I understand:

1. When you assemble "invoke FunctionName, Parameter1, Parameter2", you get something like "push Parameter2, push Parameter1, call somenumberaddress".
2. The include library contains information about the number of parameters you pass to it, for error checking with invoke.
3. The include file has the function declarations, so the assembler knows where in the file certain functions are.
4. When transferring control to a Windows function, there's a myriad of call gates and jumps to DLLs which jump to level 0 functions internal to the Windows kernel, etc etc.
5. Someone said that the function call still internally uses an Interrupt and IVT to actually call the function.

I guess my real question is, when the assembler generates a CALL instruction to a Windows API function, how does it know the address?

alan
Strange women, lying in ponds, distributing swords, is no basis for a system of government

Tedd

It doesn't :bdg

It (usually) generates a call to a jmp, which jumps to the pointer to the function stored in the import table (as part of the PE file).
The correct address is written into the import table (by the OS) when the PE file is loaded, ready for executing.
It can also be done without the jmp, by loading the function pointer into a register and calling that.

Rough example:
#code#
    .
    .
    call _jmp_messageboxa                 ; direct call to the local jump thunk
    .
    .

_jmp_messageboxa:
    jmp dword ptr [offset_messageboxa]    ; indirect jump through the IAT slot

------------------------------------

#import_section#

;imports from kernel32.dll
blah  dd ?
blah2 dd ?

;imports from user32.dll
offset_messageboxa dd ?    ;;filled in by the PE loader when the file is loaded, but before it starts running
No snowflake in an avalanche feels responsible.

ThoughtCriminal

Turning off incremental linking will in most cases remove the jump table, generating code like this:

invoke LoadLibrary,[edi]+pLibName

    FF 15 00 20 40 00 call        dword ptr [__imp__LoadLibraryA@4 (402000h)]

Looking in my debugger:

00402000 = 7C801D77

So address 402000h stores a pointer to 7C801D77h, the entry point for LoadLibraryA.
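The two posts above describe the same mechanism from two sides: Tedd's, where the linker writes a `dd ?` slot in the import section that the loader fills in before the entry point runs, and ThoughtCriminal's, where `FF 15 00 20 40 00` reads that slot at 402000h. The script below is an added example written for this page, not code from either poster or from the MASM32 package. It builds a small, constructed 32-bit import section (PE headers omitted, the import directory RVA is assumed to be known as it would be from the optional header), walks the IMAGE_IMPORT_DESCRIPTOR array the way a disassembler does, shows the on-disk IAT slots still holding hint/name RVAs, simulates the loader overwriting them with addresses, and resolves `call dword ptr [402000h]` back to LoadLibraryA. The layout RVAs and the export addresses other than the 7C801D77h quoted in the post are made-up values for the demo; these IAT slots are also exactly what user-mode IAT hooking overwrites, which is why being able to map an indirect call back to its import matters when triaging a binary.

```python
import struct

IMAGE_BASE = 0x400000            # default base of a 32-bit MASM32 executable
IMAGE_ORDINAL_FLAG32 = 0x80000000

# Constructed layout (RVAs) for the demo image; chosen so the IAT starts at
# RVA 2000h, i.e. VA 402000h, the slot the post's "call dword ptr" reads.
IAT_RVA, ILT_RVA, IMPORT_DIR_RVA, STR_RVA = 0x2000, 0x2020, 0x2040, 0x2080

SAMPLE_IMPORTS = [("kernel32.dll", ["LoadLibraryA", "GetProcAddress"]),
                  ("user32.dll", ["MessageBoxA"])]

# Stand-in for what the loader gets back from each DLL's export table.
# 7C801D77h is the LoadLibraryA value the post shows; the rest are made up.
FAKE_EXPORTS = {("kernel32.dll", "LoadLibraryA"): 0x7C801D77,
                ("kernel32.dll", "GetProcAddress"): 0x7C80AE40,
                ("user32.dll", "MessageBoxA"): 0x7E4507EA}


def build_sample_image():
    """Lay out an import section the way the linker does (headers omitted):
    per-DLL IAT and ILT arrays, one IMAGE_IMPORT_DESCRIPTOR per DLL, a null
    descriptor, then DLL names and hint/name entries. On disk each IAT slot
    is a copy of its ILT entry; only the loader turns it into an address."""
    img = bytearray(0x3000)
    iat, ilt, desc, strs = IAT_RVA, ILT_RVA, IMPORT_DIR_RVA, STR_RVA
    for dll, funcs in SAMPLE_IMPORTS:
        name_rva, first_thunk, orig_first_thunk = strs, iat, ilt
        img[strs:strs + len(dll) + 1] = dll.encode() + b"\0"
        strs += len(dll) + 1
        for func in funcs:
            hint_name = struct.pack("<H", 0) + func.encode() + b"\0"
            img[strs:strs + len(hint_name)] = hint_name
            struct.pack_into("<I", img, ilt, strs)   # ILT -> hint/name entry
            struct.pack_into("<I", img, iat, strs)   # IAT starts as ILT copy
            strs, ilt, iat = strs + len(hint_name), ilt + 4, iat + 4
        ilt, iat = ilt + 4, iat + 4                  # zero terminators
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        struct.pack_into("<IIIII", img, desc, orig_first_thunk, 0, 0, name_rva, first_thunk)
        desc += 20
    return bytes(img)


def read_cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def parse_imports(img, import_dir_rva):
    """Walk the descriptor array; return (dll, symbol, iat_slot_rva, slot_value)
    per import. Names come from the ILT because after loading the IAT holds
    addresses, not RVAs."""
    records, off = [], import_dir_rva
    while True:
        orig_first_thunk, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", img, off)
        if name_rva == 0 and first_thunk == 0:
            break                                    # all-zero terminator
        dll, lookup = read_cstr(img, name_rva), orig_first_thunk or first_thunk
        for i in range(0x10000):
            entry = struct.unpack_from("<I", img, lookup + 4 * i)[0]
            if entry == 0:
                break
            sym = ("#%d" % (entry & 0xFFFF) if entry & IMAGE_ORDINAL_FLAG32
                   else read_cstr(img, entry + 2))  # skip the 2-byte hint
            slot = first_thunk + 4 * i
            records.append((dll, sym, slot, struct.unpack_from("<I", img, slot)[0]))
        off += 20
    return records


def simulate_loader(img, records, exports):
    """What the PE loader does before the entry point runs: resolve each import
    and write the function's address into its IAT slot. `exports` stands in
    for GetProcAddress on the real DLL (constructed values, see FAKE_EXPORTS)."""
    img = bytearray(img)
    for dll, sym, slot, _ in records:
        struct.pack_into("<I", img, slot, exports[(dll, sym)])
    return bytes(img)


def resolve_indirect(code, image_base, records):
    """Decode `call dword ptr [abs32]` (FF 15) or `jmp dword ptr [abs32]` (FF 25)
    and map the absolute address back to the import whose IAT slot it reads.
    Returns (mnemonic, dll, symbol), or None for any other instruction."""
    if len(code) < 6 or code[0] != 0xFF or code[1] not in (0x15, 0x25):
        return None
    mnemonic = "call" if code[1] == 0x15 else "jmp"
    slot_rva = struct.unpack_from("<I", code, 2)[0] - image_base
    for dll, sym, slot, _ in records:
        if slot == slot_rva:
            return (mnemonic, dll, sym)
    return None


if __name__ == "__main__":
    image = build_sample_image()
    on_disk = parse_imports(image, IMPORT_DIR_RVA)
    # the bytes from the post: FF 15 00 20 40 00 = call dword ptr [402000h]
    print(resolve_indirect(bytes.fromhex("FF 15 00 20 40 00"), IMAGE_BASE, on_disk))
    loaded = parse_imports(simulate_loader(image, on_disk, FAKE_EXPORTS), IMPORT_DIR_RVA)
    for (dll, sym, slot, before), (_, _, _, after) in zip(on_disk, loaded):
        print("%-12s %-15s IAT slot %08X: disk=%08X loaded=%08X"
              % (dll, sym, IMAGE_BASE + slot, before, after))
```

Running it prints the on-disk slot values (small RVAs pointing at the hint/name strings) next to the post-load values (the function addresses), which is the before/after Tedd describes. The `FF 25` case covers the incremental-linking thunk from Tedd's example, where the `call` lands on a local `jmp dword ptr [slot]` instead of reading the slot directly.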