flat assembler
Message board for the users of flat assembler.

Home Search Register
Log in to check your private messages Log in

Index > Windows > PE64: how can I start an exe with ShellExecuteA?
Author
Thread Post new topic Reply to topic
lucbert



Joined: 28 Feb 2018
Posts: 1
lucbert 28 Feb 2018, 13:32
Hello!

I was trying to modify PE64DEMO.ASM example code in order to obtain a program which:
- show a message box;
- launches an application (a powershell command);
- show another message box.

I'm stuck on the second step, because I can't understand how to feed ShellExecuteA function.

Can you help me?

I'm availble also to other solutions, possibly the simplest.

Here below the code I modified.

Thank you in advance.



Code:
format PE64 GUI
entry start



section '.text' code readable executable

  start:
        sub     rsp,8*7         ; reserve stack for API use and make stack dqword aligned

        mov     r9d,0
        lea     r8,[_capzion]
        lea     rdx,[_message]
        mov     rcx,0
        call    [MessageBoxA]


        mov     r9d,0
        lea     r8,[_action]
        lea     rdx,[_software]
        lea     rcx,[_param]
        lea     rcx,[_path]
        mov     rcx,1
        call    [ShellExecuteA]


        mov     r9d,0
        lea     r8,[_capzion2]
        lea     rdx,[_message2]
        mov     rcx,0
        call    [MessageBoxA]

        mov     ecx,eax
        call    [ExitProcess]



section '.data' data readable writeable

  _action db 'Open'
  _software db 'Inst.exe'
  _param db ''
  _path db '%TEMP%'

  _capzion db 'Setup start',0
  _message db 'Start!',0

  _capzion2 db 'Setup end',0
  _message2 db 'End!',0


section '.idata' import data readable writeable

  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,RVA shell_name,RVA shell_table
  dd 0,0,0,0,0

  kernel_table:
    ExitProcess dq RVA _ExitProcess
    dq 0

  user_table:
    MessageBoxA dq RVA _MessageBoxA
    dq 0

  shell_table:
    ShellExecuteA dq RVA _ShellExecuteA
    dq 0


  kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0
  shell_name db 'SHELL32.DLL',0

  _ExitProcess dw 0
    db 'ExitProcess',0
  _MessageBoxA dw 0
    db 'MessageBoxA',0
  _ShellExecuteA dw 0
    db 'ShellExecuteA',0
Post 28 Feb 2018, 13:32
View user's profile Send private message Reply with quote
fasmnewbie



Joined: 01 Mar 2011
Posts: 555
fasmnewbie 28 Feb 2018, 15:58
You got the parameters all wrong for ShellExecuteA. Shell Execute is defined here: https://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx

Also I don't see any null-terminated strings for all your string data.

Use a simple test case, for example, using "ping" for your _software and "yahoo.com" for your _param. This way you have some time delay window to see the actual output (whether it works or not).
Post 28 Feb 2018, 15:58
View user's profile Send private message Visit poster's website Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 1228
Location: Belarus
DimonSoft 28 Feb 2018, 16:11
lucbert wrote:
Hello!

I was trying to modify PE64DEMO.ASM example code in order to obtain a program which:
- show a message box;
- launches an application (a powershell command);
- show another message box.

I'm stuck on the second step, because I can't understand how to feed ShellExecuteA function.

Can you help me?

I'm availble also to other solutions, possibly the simplest.

Here below the code I modified.

Thank you in advance.



Code:
format PE64 GUI
entry start



section '.text' code readable executable

  start:
        sub     rsp,8*7         ; reserve stack for API use and make stack dqword aligned

        mov     r9d,0
        lea     r8,[_capzion]
        lea     rdx,[_message]
        mov     rcx,0
        call    [MessageBoxA]


        mov     r9d,0
        lea     r8,[_action]
        lea     rdx,[_software]
        lea     rcx,[_param]
        lea     rcx,[_path]
        mov     rcx,1
        call    [ShellExecuteA]


        mov     r9d,0
        lea     r8,[_capzion2]
        lea     rdx,[_message2]
        mov     rcx,0
        call    [MessageBoxA]

        mov     ecx,eax
        call    [ExitProcess]



section '.data' data readable writeable

  _action db 'Open'
  _software db 'Inst.exe'
  _param db ''
  _path db '%TEMP%'

  _capzion db 'Setup start',0
  _message db 'Start!',0

  _capzion2 db 'Setup end',0
  _message2 db 'End!',0


section '.idata' import data readable writeable

  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,RVA shell_name,RVA shell_table
  dd 0,0,0,0,0

  kernel_table:
    ExitProcess dq RVA _ExitProcess
    dq 0

  user_table:
    MessageBoxA dq RVA _MessageBoxA
    dq 0

  shell_table:
    ShellExecuteA dq RVA _ShellExecuteA
    dq 0


  kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0
  shell_name db 'SHELL32.DLL',0

  _ExitProcess dw 0
    db 'ExitProcess',0
  _MessageBoxA dw 0
    db 'MessageBoxA',0
  _ShellExecuteA dw 0
    db 'ShellExecuteA',0

First of all, I’d suggest you to switch from ANSI to Unicode functions. 64-bit applications are not going to run on any Windows version without W-functions anyway.

As for the passing the parameters, in Microsoft x64 calling convention used by WinAPI functions you pass only 4 parameters with registers, the rest is pushed onto the stask right-to-left. The last two in your case.

Besides, you’re overwriting the value of RCX just before the call.
Post 28 Feb 2018, 16:11
View user's profile Send private message Visit poster's website Reply with quote
fasmnewbie



Joined: 01 Mar 2011
Posts: 555
fasmnewbie 28 Feb 2018, 16:13
Ok, since today is my 7th "anniversary" on this board, I modified your source to run as an object source so that you can compile it from command prompt instead. I use "ping" to "yahoo.com". Enjoy and good luck.

Code:
;fasm this.asm
;golink /console this.obj kernel32.dll user32.dll shell32.dll

format MS64 COFF
public start

extrn MessageBoxA
extrn ShellExecuteA
extrn ExitProcess

section '.data' data readable writeable
  _action db 'open',0
  _software db 'ping',0
  _param db 'yahoo.com',0
  _capzion db 'Setup start',0 
  _message db 'Start!',0 
  _capzion2 db 'Setup end',0 
  _message2 db 'End!',0

section '.text' code readable executable 
  start: 
        sub     rsp,8*7

        mov     r9d,0 
        lea     r8,[_capzion] 
        lea     rdx,[_message] 
        mov     rcx,0 
        call    MessageBoxA

        mov     qword[rsp+40],5 ;SW_SHOW
        mov     qword[rsp+32],0 ;PATH
        mov     r9,_param
        mov     r8,_software
        mov     rdx,_action
        mov     rcx,0
        call    ShellExecuteA

        mov     r9d,0
        lea     r8,[_capzion2] 
        lea     rdx,[_message2] 
        mov     rcx,0 
        call    MessageBoxA

        xor     ecx,ecx 
        call    ExitProcess
Post 28 Feb 2018, 16:13
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Main index Download Documentation Examples Message board

Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.