Translating Invoke With GetProcAddress

dedndave · August 22, 2010, 05:15:50 PM

maybe i am wrong, but i thought kernel32 was already loaded - and didn't require being Free'ed

Edgar ? Erol ?
somebody back me up - lol

donkey · August 22, 2010, 05:36:22 PM

Quote from: dedndave on August 22, 2010, 04:13:25 PM
well - according to msdn
but, i just made an exe - it looks like a proc, to me :P

Deadly - ignore my previous post - lol

http://msdn.microsoft.com/en-us/library/aa366920%28VS.85%29.aspx

QuoteThis macro is defined as the RtlZeroMemory macro. For more information, see Winbase.h and Winnt.h.

the sentance, alone, makes no sense :lol

Though it exists as an export in ntdll, it is generally not used directly, in C++ it is a macro wrapping the memset function. Actually I think all of the Rtl memory macros are just wrappers for various C library functions even though they are available as part of the native API.

Quote from: dedndave on August 22, 2010, 05:15:50 PM
maybe i am wrong, but i thought kernel32 was already loaded - and didn't require being Free'ed

Edgar ? Erol ?
somebody back me up - lol

Works either way, you can just use invoke GetModuleHandle, "kernel32.dll" and do not free the handle it returns. You can use LoadLibrary as well though in that case freeing the handle is necessary since the reference count was incremented. Kernel32 is always loaded and always loaded first.

Twister · August 22, 2010, 08:28:44 PM

Kernel32 is always loaded up, dave. you were right, and I was wrong. I thought it said "msvcrt.dll"; that is why I said you use GetModuleHandle incorrectly. It was a mistake on my part dave.

I would also like to add that ntdll.dll is always the first library to be loaded.

MichaelW · August 22, 2010, 11:23:15 PM

"Kernel32 is always loaded" seems to me to imply that this happens automatically for any EXE. If I assemble and link this source as a console app:

Code Select


    .486
    .model flat, stdcall
    option casemap :none
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\kernel32.lib
    .data
        xx dd 0
    .code
    ;invoke ExitProcess, 0
start:
    lea ebx, xx
    mov ecx, 100000000
    .WHILE ecx
        xchg eax, [ebx]
        dec ecx
    .ENDW
    ret
end start

I get an EXE with no imports, and which when run does not open a console. If I uncomment the statement that invokes ExitProcess, then the EXE shows one import, and runs normally.

Edit: The attachment contains both versions.

Twister · August 22, 2010, 11:37:56 PM

MichaelW,

Kernel32 is always loaded with an executable file. Could you upload your assembled program here? I just recently deleted my MASM32 package, so I can't assemble it myself.

dedndave · August 22, 2010, 11:47:28 PM

Michael
it seems to me that any win32 app has ExitProcess, unless it never exits :P
i don't know how you'd write any kind of an app without using some kernel32 proc
but, i suppose the linker doesn't pull it in unless it is called
if you wanted to write ROMable code, for example (although - not supposed to do that per license - lol)
i have used older versions of MASM/LINK to create ROMable code - just haven't had a need to, recently
it is a bit odd that no console is created
it seems logical that the kernel would be responsible for loading the EXE and determining how to run it

MichaelW · August 22, 2010, 11:49:36 PM

Quote from: GTX on August 22, 2010, 11:37:56 PM
Kernel32 is always loaded.

How do you know this? Why does my test app run only if it contains a reference to a kernel32.dll function? Why does my test app run only if a dump of the EXE shows the name kernel32.dll?

Twister · August 22, 2010, 11:59:49 PM

Here is a program with no include or includelib directives used.

Code Select

Debugger: process C:\Users\GTX\Desktop\wild_berries.exe has started
Debugger: loaded C:\Windows\system32\ntdll.dll
Debugger: loaded C:\Windows\system32\kernel32.dll
Debugger: loaded C:\Windows\system32\KernelBase.dll
Debugger: loaded C:\Windows\system32\apphelp.dll
Debugger: unloaded C:\Windows\system32\apphelp.dll

ecube · August 23, 2010, 12:01:54 AM

MichaelW kernel32.dll and ntdll.dll are automatically loaded in every processes address space, and I don't think you "have" to import a function from kernel32 for it to run but rather have atleast 1 import period.

Code Select


start:
invoke MessageBox,0,NULL,NULL,MB_OK
ret
end start

should compile and run fine(even though it may crash at the end)

Twister · August 23, 2010, 12:04:14 AM

I don't think you can put a null for the caption string for the MessageBox Function. I think it requires you to put it, or it will error.

ecube · August 23, 2010, 12:08:49 AM

Quote from: GTX on August 23, 2010, 12:04:14 AM
I don't think you can put a null for the caption string for the MessageBox Function. I think it requires you to put it, or it will error.

you can, I just tested the above, works fine and no kernel32 imports obviously, only user32

donkey · August 23, 2010, 12:11:59 AM

Quote from: MichaelW on August 22, 2010, 11:49:36 PM
Quote from: GTX on August 22, 2010, 11:37:56 PM
Kernel32 is always loaded.

How do you know this? Why does my test app run only if it contains a reference to a kernel32.dll function? Why does my test app run only if a dump of the EXE shows the name kernel32.dll?

Well, I guess it should say Kernel32 is always loaded in Win32/64 programs. Only ntdll.dll is always loaded regardless of the platform, saw it in Raymond Chen's blog once but can't find it now. Anyway since the source of the discussion is a call to GetProcAddress, you can be 100% sure that Kernel32 is already loaded since that function is in that library.

Edgar

MichaelW · August 23, 2010, 12:14:50 AM

Quote from: E^cube on August 23, 2010, 12:01:54 AM
MichaelW kernel32.dll and ntdll.dll are automatically loaded in every processes address space, and I don't think you "have" to import a function from kernel32 for it to run but rather have at least 1 import period.

Yes, thank you. A single reference to a user32.dll function is sufficient for my test app to run normally, without the dump showing the name kernel32.dll.

donkey · August 23, 2010, 12:30:31 AM

Quote from: MichaelW on August 23, 2010, 12:14:50 AM
Quote from: E^cube on August 23, 2010, 12:01:54 AM
MichaelW kernel32.dll and ntdll.dll are automatically loaded in every processes address space, and I don't think you "have" to import a function from kernel32 for it to run but rather have at least 1 import period.

Yes, thank you. A single reference to a user32.dll function is sufficient for my test app to run normally, without the dump showing the name kernel32.dll.

Ran the following program:

Code Select

.data

.code
Start:
invoke user32.dll:MessageBoxA,0,"hello",0,0
ret

The following load order was displayed in my GoP program:

1: NTDLL.DLL
2: KERNEL32.DLL
...
25: USER32.DLL
etc...

I think you would be hard pressed to find any function that does not have at least one dependency in Kernel32.

Twister · August 23, 2010, 12:59:43 AM

If you have Windows 7 32-bit this will run for you. Sorry everyone else. :P

^ I would make it more global, but hutch would kill me.

It uses absolutely no imports.

News:

Translating Invoke With GetProcAddress

ecube

ecube