flat assembler
Message board for the users of flat assembler.

FasmWideHook
iic2



To revolution and all...

First use GlobalClick.exe with the masm dll. It is already ready to go...

Notice how your window receives messages even when it is outside your window. Open any file and get 3 entries ...

Then use the FasmDLL with --- add edx, sizeof.MOUSEHOOKSTRUCT
== it's off overflow

Then use the FasmDLL with --- add edx, [M_HOOK_STRUCT]
== Right setting but lost focus when click is outside your window...

Hope someone can help fix it. I can't seem to get anything to work.


Thanks in advance


Attachment: FasmWideHook.zip (6.87 KB)

Post 17 Sep 2008, 10:56

shoorick
check this. generally, i have no idea what
Code:
add  edx, MOUSEHOOKSTRUCT[edx]    
means, so i just comment this line in fasm variant and it works for me same as masm ;)

------------------------
btw, i would suggest you to preserve ebx to avoid unexpected crash on w2k


Attachment: FasmDLL.zip (2.36 KB)


_________________
UNICODE forever!


Last edited by shoorick on 17 Sep 2008, 11:58; edited 1 time in total
Post 17 Sep 2008, 11:50

revolution
If you want to exactly duplicate the MASM code then use this:
Code:
add  edx, [sizeof.MOUSEHOOKSTRUCT + edx]    
It looks wrong to me but since you say the MASM code works then the above will make fasm do the same.
Post 17 Sep 2008, 11:51

iic2
Quote:
... comment this line in fasm variant and ...

XPsp2 and 3 ... It only works as usual, only when your window receives a mouse click. When clicked outside your window it gets nothing. Are you sure you didn't get the same results when using the FASM DLL?

Commenting it out in the MASM DLL in fact DID work and was GLOBAL. Commenting it out in the FASM DLL DID NOT work as expected. Could you check again and let me know first chance you get. I'll be working on this new lead in the mean time.

Thanks shoorick
Quote:
add edx, [sizeof.MOUSEHOOKSTRUCT + edx] ..

revolution, I tried that and it only works if your window gets the click. That is and was the end result of most of my attempts.
Quote:
...but since you say the MASM code works then the above...

It's doing something interesting because I played with that code for weeks before trying to translate to FASM.


Now I see the code deserves even more serious investigation. But I never knew that line was not needed in MASM until now. There's a reason and both provide a great Global Hook with near No CPU usage. But we need it in FASM. So one of these two ideas here has got to work for FASM.

OK, check this out. Notice that FASM has to use a POINTER to the STRUCT. Is this true? If not what can I do because I bet this is the root of the problem.
M_HOOK_STRUCT MOUSEHOOKSTRUCT <>

Below was my original syntax that did not work, but by right it should have.
; mov edx,[lParam]
;add edx, [M_HOOK_STRUCT + edx]

OR.. maybe, something in the FASM struct macro may have caused a miss somewhere for this type of unknown case. As you see in the MasmDll sample code it doesn't even use a pointer to a structure... I just realized, whenever you write a dll in MASM that uses structures, I can't remember ever having to use any pointers. I can't quit now. There's got to be a workaround. Here is the link where I learned how to work around similar MASM code being translated to POASM.. Maybe someone can figure out what I missed since FASM is now the case. It's in there somewhere. H E L P !!!


http://www.masm32.com/board/index.php?topic=5426.0
Post 17 Sep 2008, 15:30

revolution
iic2: Are you sure you have included all the code? Because when I disassemble both DLLs I get the same code, there is no difference.
Post 17 Sep 2008, 15:46

iic2
100% ... I spent weeks of testing to ensure a match. I don't think I missed a beat. Look at what your disassembly may have proved.

The only difference is one is the set-up for the FASM DLL and the one is for MASM DLL. The EXE uses both depending on which one you place in the folder with the EXE. The way the structure is called is the ONLY big difference.

See what I mean. MASM is a Global hook and FASM is a Local hook when they both should be global. I bet it's got something to do with the FASM STRUCT macro or something minor has got to be changed in the FASM DLL setup. It took a lot of work just to get the FASM DLL set up because there is nothing like it that I could find anywhere when it comes to Global in FASM and it's the type that doesn't eat up CPU. A dream DLL.

But then again shoorick may have something for us by morning. I hope he did not miscalculate (overlooked clicking outside the box for checking). That is soooo easy not to remember. I hope I don't have to go high level FASM.

How did you compare the disassembly, with a tool or by sight?

I wish I knew how to use SoftIce or Olly because this is not the norm of a DLL and MASM has got something that realizes this code to be Global and others do not. Or maybe the way it is declared in the EXE doesn't work for FASM... And if these are not the case then it proves the computer can lie or FASM has a flaw or MS figured out a way to block special ASM code not of MASM syntax or it's just that I'm a suspicious person who has not figured out the FASM way.


Same Folder With ALL Sources


Attachment: FasmWideHook.zip (6.87 KB)

Post 17 Sep 2008, 17:28

revolution
I don't see the difference, functionally the same. The left side is the fasm file. What did I miss?

[edit]Removed the attachment, it is no longer needed.[/edit]


Last edited by revolution on 22 Dec 2008, 00:45; edited 1 time in total
Post 17 Sep 2008, 19:15

iic2
My screen is too small. Can you separate the pages and zip them up in bitmaps or the whole text files? Is this Olly? I think I can get that far with Olly and will try it and see what I get and compare with yours as I go. I will do basic IDA and all else I know by this evening. It doesn't seem as difficult as I thought now that I see the expected results to view. I guess it took a good butt kicking to make me pay attention and learn faster. I am so worn out. I've got to sleep for a few hours. Thank you very very much revolution
Post 17 Sep 2008, 19:41

iic2
I could not sleep so I've been moving on with some Jim Beam in the belly and got 50 ways in. So wake up everybody :)

I don't know how to get those results using Olly for a DLL. It tells me no no and I can't even open the file. I did enlarge your bitmap and everything did match perfectly. But using Dependency Walker the results do not match and maybe other tools will show the same. Hope someone can shed some light on this. For now it seems FASM needs to build in more juice when it comes to DLLs .. can't this be right fix now? or what can we do about it to make the file work ?
...................................................
GLOBAL MASM.DLL
Time Stamp       7:47PM
Size             2,560        1024 smaller Free mem to use unknown. 512 made since
Attributes       A
Machine          Intel x86
Subsystem        Win32 GUI
Debug            No
BASE             0x10000000   Seems to mean a Real Dll **
File Version     0.0.0.0
Product Version  0.0.0.0
Image Version    0.0
Linker Version   5.12
OS Version       4.0          Why MASM get 4 Pack ?
Subsystem        4.0
...................................................

Seems Cheated FASM.DLL
Time Stamp       5:41a
Size             3,584        Fasm is 1024 bigger
Attributes       A
Machine          Intel x86
Subsystem        Win32 GUI
Debug            No
BASE             0x00400000   Seems to mean EXE ** to receive LESS Msg **
File Version     0.0.0.0      0.0.0.0
Product Version  0.0.0.0      0.0.0.0
Image Version    0.0          0.0
Linker Version   1.67         build-in Linker or Assem ?
OS Version       1.0          Why others get 1 Beer
Subsystem        4.0          4.0


Attachment: Dependency Walker.txt (1.52 KB)

Post 18 Sep 2008, 03:02

shoorick
before i will search the bug i have to understand something.
i do understand this:
PUSH [MOUSEHOOKSTRUCT.pt.x+edx]
- it is pushing into stack member pt.x of MOUSEHOOKSTRUCT, pointed by edx

and i do not understand this:
add edx, MOUSEHOOKSTRUCT[edx]
- before this operation edx has pointer to MOUSEHOOKSTRUCT structure, sent via lParam. what has to be beyond this structure and have to be added? what expected in edx then? if there is hopefully 0 - just nothing will happen. if not - what then?

if you will answer me - i'll look there again ;)
Post 18 Sep 2008, 07:00

shoorick
before i will think about global/local difference here is your masm dll without that strange line, working same as previous


Attachment: MasmDLL.zip (4 KB)


_________________
UNICODE forever!
Post 18 Sep 2008, 07:06

Alphonso
** If you want to use base 10000000h instead of default 400000h then use
Code:
format PE GUI 4.0 DLL  at 10000000h    
Post 18 Sep 2008, 08:45

Alphonso
iic2: see if this helps
Code:
format PE GUI 4.0 DLL
entry DllEntry

WM_MOUSEHOOK equ WM_USER+6

include 'win32a.inc'

section '.text' code readable executable

proc DllEntry hInst, reason, rsev
        mov  eax,[hInst]
        mov  [hInstance],eax
        mov  eax,1
        ret
endp

proc MouseProc uses ebx, nCode,wParam,lParam   ;ebx is callee-saved for stdcall callbacks, so preserve it

        PUSH [lParam]
        PUSH [wParam]
        PUSH [nCode]
        PUSH [hHook]
        call [CallNextHookEx]

        mov  edx,[lParam]    ;lparam is our pointer to a MOUSEHOOKSTRUCT
        ;add  edx,[edx+14h]  ;dwExtraInfo, is it really needed?
        mov  ebx,[wParam]
        cmp  ebx,WM_LBUTTONDOWN
        je   _GotDown
        jmp  @f
_GotDown:
        PUSH dword [edx+4]   ;Y pos
        PUSH dword [edx]     ;X pos
        PUSH WM_MOUSEHOOK
        PUSH [hWnd]
        CALL [PostMessage]
@@:
        cmp  ebx, WM_LBUTTONUP
        je   _GotUP
        jmp  @f
_GotUP:
        PUSH dword [edx+4]   ;Y pos
        PUSH dword [edx]     ;X pos
        PUSH WM_MOUSEHOOK
        PUSH [hWnd]
        CALL [PostMessage]
@@:
        xor  edx,edx  ; assume edx:nothing
        xor  eax,eax
        ret
        
endp

proc InstallHook hwnd

        push [hwnd]
        pop  [hWnd]
        PUSH 0
        PUSH [hInstance]
        PUSH MouseProc
        PUSH WH_MOUSE
        CALL [SetWindowsHookEx]
        mov  [hHook],eax
        ret
endp

proc UninstallHook

        PUSH [hHook]
        CALL [UnhookWindowsHookEx]
        ret
endp

section '.data' data readable writeable shareable   ;very important to have shareable
                                                    ;otherwise no global operation !

        hInstance       dd 0    ;Dll's module handle
        hHook           dd 0    ;Hook handle
        hWnd            dd 0

section '.idata' import data readable

  library user32,'user32.dll'
  include '\api\user32.inc'

section '.edata' export data readable

  export 'GlobalDll.DLL',\
         InstallHook,'InstallHook',\
         UninstallHook,'UninstallHook',\
         MouseProc,'MouseProc'

section '.reloc' fixups data discardable    
Post 18 Sep 2008, 14:10

revolution
Alphonso wrote:
Code:
section '.data' data readable writeable shareable   ;very important to have shareable
                                                    ;otherwise no global operation !     
Hey good, is that the reason? Nice find.

And this:
Code:
        ;add  edx,[edx+14h]  ;dwExtraInfo, is it really needed?    
It is not the dwExtraInfo field (+10h) it is reading beyond the end of the array, it is undefined data and could be any old junk left there from something else.
Post 18 Sep 2008, 14:18
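
Added example, not code from any poster in this thread: a Python check for the section flag that decided the outcome above. It walks a PE section table and lists sections that are both writable and shared (IMAGE_SCN_MEM_SHARED, which fasm's `shareable` keyword sets); the function names and the headers-only sample images are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_SHARED = 0x10000000   # set by fasm's "shareable"
IMAGE_SCN_MEM_WRITE = 0x80000000    # set by fasm's "writeable"

def sections(pe: bytes):
    """Yield (name, characteristics) for every section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(nsec):
        off = table + 40 * i                  # each section header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", pe, off + 36)
        yield name, flags

def shared_writable(pe: bytes):
    """Names of sections mapped writable AND shared across all loading processes."""
    want = IMAGE_SCN_MEM_SHARED | IMAGE_SCN_MEM_WRITE
    return [name for name, flags in sections(pe) if (flags & want) == want]

def build_sample(data_flags: int) -> bytes:
    """Constructed headers-only image (no optional header): .text plus .data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x2102)
    def sec(name, flags):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0, 0, 0, 0, 0, 0, 0, flags)
    return dos + coff + sec(b".text", 0x60000020) + sec(b".data", data_flags)

if __name__ == "__main__":
    # 0xD0000040 = data | readable | writeable | shareable; 0xC0000040 lacks shareable
    for label, flags in (("with shareable", 0xD0000040), ("without", 0xC0000040)):
        print(label, shared_writable(build_sample(flags)))
```

A shared, writable section is one copy of memory visible to every process that loads the DLL, which is why the hook procedure can see `hWnd` and `hHook` in other processes, and also why any of those processes can overwrite them.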
iic2



The Key:
Quote:
it is reading beyond the end of the array

shoorick, I forgot what this was for until now:

mov edx,[lParam]
add edx, MOUSEHOOKSTRUCT[edx]

It is needed if you want to retrieve the 3rd entry based off a DOUBLE-CLICK. When the user clicks any SHORT-CUT LINK to open a file your app will know. .. If you remove it you only get the standard information for BUTTONDOWN/BUTTONUP.

This was my goal from the beginning... While fighting this FASM DLL, I forgot that toooo. :oops:

add edx,[edx+14h]

Alphonso's file is way much better and I bet it's faster :)

Thanks again everybody
Post 18 Sep 2008, 23:11

iic2
I should have bowed out as planned. I just knew if I continued I would throw things off. I sent out all the warnings. I finally realize that line was (MAY) not be needed. For the past few years before trying FASM I always translated MASM examples to POASM code and that was my way of translating an assume statement (that may never have needed to be there in the first place). You see my desperation to achieve this in the link I posted way above. But again, I can almost swear I once saw the reason for it in the past.

Anyway, I'm just happy you guys helped to get it working properly in FASM and I learned more than I dreamed about behind all of it. This is a shock for me. Now I've got to re-write everything I did in FASM and it's going to be FUN.

bye
Post 19 Sep 2008, 05:28