Translating Invoke With GetProcAddress

Started by DeadlyVermilion, August 22, 2010, 02:08:51 PM


dedndave

maybe i am wrong, but i thought kernel32 was already loaded - and didn't require being Free'ed

Edgar ?  Erol ?
somebody back me up - lol

donkey

Quote from: dedndave on August 22, 2010, 04:13:25 PM
well - according to msdn
but, i just made an exe - it looks like a proc, to me   :P

Deadly - ignore my previous post - lol

http://msdn.microsoft.com/en-us/library/aa366920%28VS.85%29.aspx

Quote: This macro is defined as the RtlZeroMemory macro. For more information, see Winbase.h and Winnt.h.

the sentence, alone, makes no sense   :lol

Though it exists as an export in ntdll, it is generally not used directly; in C++ it is a macro wrapping the memset function. Actually I think all of the Rtl memory macros are just wrappers for various C library functions even though they are available as part of the native API.

Quote from: dedndave on August 22, 2010, 05:15:50 PM
maybe i am wrong, but i thought kernel32 was already loaded - and didn't require being Free'ed

Edgar ?  Erol ?
somebody back me up - lol

Works either way, you can just use invoke GetModuleHandle, "kernel32.dll" and do not free the handle it returns. You can use LoadLibrary as well though in that case freeing the handle is necessary since the reference count was incremented. Kernel32 is always loaded and always loaded first.
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable
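
The two handle rules described in the post above, as an added MASM32 example that is not part of the original thread. It assumes the default `\masm32` SDK paths; the labels and strings are made up for illustration. Because both functions are resolved at run time, neither name appears in the EXE's import table.

```asm
; Added example, not code from the thread. Assumes the MASM32 SDK in \masm32.
.486
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
    szKernel32  db "kernel32.dll", 0
    szUser32    db "user32.dll", 0
    szTickCount db "GetTickCount", 0
    szMsgBoxA   db "MessageBoxA", 0
    szText      db "Resolved with GetProcAddress", 0   ; illustrative strings
    szTitle     db "Example", 0
    hUser32     dd 0

.code
start:
    ; kernel32 is already mapped: GetModuleHandle returns its base address
    ; without incrementing the reference count, so nothing is freed later.
    invoke GetModuleHandle, addr szKernel32
    test eax, eax
    jz done
    invoke GetProcAddress, eax, addr szTickCount
    test eax, eax
    jz done
    call eax                        ; GetTickCount takes no arguments

    ; user32 is not in this EXE's imports: LoadLibrary maps it and
    ; increments its reference count, so the handle must be freed.
    invoke LoadLibrary, addr szUser32
    test eax, eax
    jz done
    mov hUser32, eax
    invoke GetProcAddress, eax, addr szMsgBoxA
    test eax, eax
    jz unload
    ; manual equivalent of: invoke MessageBoxA, 0, addr szText, addr szTitle, MB_OK
    push MB_OK                      ; stdcall: arguments pushed right to left
    push offset szTitle
    push offset szText
    push 0
    call eax                        ; callee removes the arguments
unload:
    invoke FreeLibrary, hUser32     ; balances the LoadLibrary above
done:
    invoke ExitProcess, 0
end start
```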

Twister

Kernel32 is always loaded up, dave. you were right, and I was wrong. I thought it said "msvcrt.dll"; that is why I said you use GetModuleHandle incorrectly. It was a mistake on my part dave.

I would also like to add that ntdll.dll is always the first library to be loaded.

MichaelW

"Kernel32 is always loaded" seems to me to imply that this happens automatically for any EXE. If I assemble and link this source as a console app:

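    .486
    .model flat, stdcall
    option casemap :none
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\kernel32.lib
    .data
        xx dd 0
    .code
    ; uncommenting the next line gives the EXE its one import (kernel32.dll)
    ;invoke ExitProcess, 0
    start:
        lea ebx, xx
        mov ecx, 100000000      ; loop counter
        .WHILE ecx
            xchg eax, [ebx]
            dec ecx
        .ENDW
        ret                     ; return to the loader's caller instead of calling ExitProcess
    end start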


I get an EXE with no imports, and which when run does not open a console. If I uncomment the statement that invokes ExitProcess, then the EXE shows one import, and runs normally.

Edit: The attachment contains both versions.

eschew obfuscation

Twister

MichaelW,

Kernel32 is always loaded with an executable file.  Could you upload your assembled program here?  I just recently deleted my MASM32 package, so I can't assemble it myself.

dedndave

Michael
it seems to me that any win32 app has ExitProcess, unless it never exits   :P
i don't know how you'd write any kind of an app without using some kernel32 proc
but, i suppose the linker doesn't pull it in unless it is called
if you wanted to write ROMable code, for example (although - not supposed to do that per license - lol)
i have used older versions of MASM/LINK to create ROMable code - just haven't had a need to, recently
it is a bit odd that no console is created
it seems logical that the kernel would be responsible for loading the EXE and determining how to run it

MichaelW

Quote from: GTX on August 22, 2010, 11:37:56 PM
Kernel32 is always loaded.

How do you know this? Why does my test app run only if it contains a reference to a kernel32.dll function? Why does my test app run only if a dump of the EXE shows the name kernel32.dll?

Twister

Here is a program with no include or includelib directives used.

    Debugger: process C:\Users\GTX\Desktop\wild_berries.exe has started
    Debugger: loaded C:\Windows\system32\ntdll.dll
    Debugger: loaded C:\Windows\system32\kernel32.dll
    Debugger: loaded C:\Windows\system32\KernelBase.dll
    Debugger: loaded C:\Windows\system32\apphelp.dll
    Debugger: unloaded C:\Windows\system32\apphelp.dll

ecube

MichaelW kernel32.dll and ntdll.dll are automatically loaded in every process's address space, and I don't think you "have" to import a function from kernel32 for it to run but rather have at least 1 import period.


    start:
    invoke MessageBox,0,NULL,NULL,MB_OK
    ret
    end start

should compile and run fine (even though it may crash at the end)

Twister

I don't think you can put a null for the caption string for the MessageBox Function. I think it requires you to put it, or it will error.

ecube

Quote from: GTX on August 23, 2010, 12:04:14 AM
I don't think you can put a null for the caption string for the MessageBox Function. I think it requires you to put it, or it will error.

you can, I just tested the above, works fine and no kernel32 imports obviously, only user32

donkey

Quote from: MichaelW on August 22, 2010, 11:49:36 PM
Quote from: GTX on August 22, 2010, 11:37:56 PM
Kernel32 is always loaded.

How do you know this? Why does my test app run only if it contains a reference to a kernel32.dll function? Why does my test app run only if a dump of the EXE shows the name kernel32.dll?


Well, I guess it should say Kernel32 is always loaded in Win32/64 programs. Only ntdll.dll is always loaded regardless of the platform, saw it in Raymond Chen's blog once but can't find it now. Anyway since the source of the discussion is a call to GetProcAddress, you can be 100% sure that Kernel32 is already loaded since that function is in that library.

Edgar

MichaelW

Quote from: E^cube on August 23, 2010, 12:01:54 AM
MichaelW kernel32.dll and ntdll.dll are automatically loaded in every processes address space, and I don't think you "have" to import a function from kernel32 for it to run but rather have at least 1 import period.

Yes, thank you. A single reference to a user32.dll function is sufficient for my test app to run normally, without the dump showing the name kernel32.dll.

donkey

Quote from: MichaelW on August 23, 2010, 12:14:50 AM
Quote from: E^cube on August 23, 2010, 12:01:54 AM
MichaelW kernel32.dll and ntdll.dll are automatically loaded in every processes address space, and I don't think you "have" to import a function from kernel32 for it to run but rather have at least 1 import period.

Yes, thank you. A single reference to a user32.dll function is sufficient for my test app to run normally, without the dump showing the name kernel32.dll.


Ran the following program:

    .data

    .code
    Start:
    invoke user32.dll:MessageBoxA,0,"hello",0,0
    ret

The following load order was displayed in my GoP program:

    1: NTDLL.DLL
    2: KERNEL32.DLL
    ...
    25: USER32.DLL
    etc...


I think you would be hard pressed to find any function that does not have at least one dependency in Kernel32.

Twister

If you have Windows 7 32-bit this will run for you. Sorry everyone else. :P

^ I would make it more global, but hutch would kill me.

It uses absolutely no imports.