flat assembler
Message board for the users of flat assembler.

Working with Structures
kilobyte



Hey guys, I have a new question.

I was wondering if it is possible to superimpose a structure template over a block of memory. Say, for example, I have a PE file mapped in memory at location 00200000, and this is in EDI; could I do something like:

Code:
mov eax,dword [edi.IMAGE_DOS_HEADER.e_lfanew]
    

Dos Header structure.

Code:
; DOS Header
struct IMAGE_DOS_HEADER
    e_magic     dw ?            ;Magic number 
    e_cblp      dw ?            ;Bytes on last page of file
    e_cp        dw ?            ;Pages in file
    e_crlc      dw ?            ;Relocations
    e_cparhdr   dw ?            ;Size of header in paragraphs
    e_minalloc  dw ?            ;Minimum extra paragraphs needed
    e_maxalloc  dw ?            ;Maximum extra paragraphs needed
    e_ss        dw ?            ;Initial (relative) SS value
    e_sp        dw ?            ;Initial SP value
    e_csum      dw ?            ;Checksum
    e_ip        dw ?            ;Initial IP value
    e_cs        dw ?            ;Initial (relative) CS value
    e_lfarlc    dw ?            ;File address of relocation table
    e_ovno      dw ?            ;Overlay
    e_res       dw 4 dup(?)     ;Reserved words
    e_oemid     dw ?            ;OEM identifier (for e_oeminfo)
    e_oeminfo   dw ?            ;OEM information; e_oemid specific
    e_res2      dw 10 dup(?)    ;Reserved words
    e_lfanew    dd ?            ;File address of new exe header
ends    


I tried looking in the manuals for some examples but couldn't see any, so I don't really know if that is possible. If not, is there a way of achieving similar functionality? Thanks in advance.
Post 24 Jun 2009, 07:19
IronFelix



Code:
mov eax, [edi + IMAGE_DOS_HEADER.e_lfanew]    
Post 24 Jun 2009, 08:03
kilobyte



Right, thanks IronFelix, that makes my life easier now. Just for clarification and for the bettering of my understanding, I'm going to try to explain what I believe is happening.

Say, for example, I have the structure declaration

Code:
struct mystruct
    fieldA dd ?
    fieldB dd ?
ends
    


and have a base address of allocated memory in edi that has the layout of mystruct. Is the reason why we're able to access specific fields in memory the fact that mystruct.fieldA is a label/address? (I doubt that this is correct.) Hmm, or is it that we're getting the offset of fieldA in relation to mystruct, which we use as an index added to 'edi' to provide the location of that field (in this case fieldA) in memory? So would that mean that

Code:
mov eax,[edi+mystruct.fieldB]
    


mystruct.fieldB would = 4, as that is the offset at which it is located in mystruct.
Hmm... well, that makes more sense to me; correct me if I'm wrong. Also, would this be the same for structures with structures inside of them as well?
Post 24 Jun 2009, 09:14
hopcode



Hello kilobyte, I have not understood well what you require, but for example:
Code:
struct mystruct
  fieldA dd ?
  fieldB dd ?
  fieldC db 8 dup (?)
ends
; instantiate it in the .data section
 onestruct mystruct
    

Code:
mov edx,onestruct
mov [onestruct.fieldB],1024      ; is the same as mov [edx+mystruct.fieldB],1024
mov ecx,[edx+mystruct.fieldB]    ; ecx will be 1024
mov ecx,mystruct.fieldB          ; ecx will be = 4, offset of fieldB
mov ecx,mystruct.fieldC.size     ; ecx will be = 8, size of fieldC
mov ecx,mystruct.fieldC          ; ecx will be = 8, offset of fieldC
    

If you have put, for example, a valid return value from HeapAlloc in edx, you could access the mem layout in the form
Code:
mov ecx,[edx+mystruct.fieldB]
mov [edx+mystruct.fieldB],2048
    


Or using virtual:
Code:
virtual at edx
  memstruct mystruct
end virtual

; then... zeroing the fieldC
;
mov [memstruct.fieldB],1024
lea edi,[memstruct.fieldC]
mov ecx,mystruct.fieldC.size
xor eax,eax
rep stosb


    

NOTE:
To use .size you need to redefine (if not already redefined), for this case, the db macro as follows:
Code:
struc db [data] {
  common
  . db data
  .size = $ - .
}
    

Regards,
hopcode
Post 24 Jun 2009, 10:47
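
Added example, not part of any post in this thread: the `[edi + IMAGE_DOS_HEADER.e_lfanew]` form from the replies, applied to a mapped PE with the checks a parser needs before it follows `e_lfanew`, since that field comes from the file and is untrusted. The procedure name `pe_header_offset`, the collapsed `e_middle` field and the 1000h mapped size are assumptions of this example.

```asm
format PE console
entry start
include 'win32a.inc'                 ; brings in the struct and invoke macros

struct IMAGE_DOS_HEADER              ; layout from the thread, middle fields collapsed
  e_magic   dw ?
  e_middle  dw 29 dup (?)            ; e_cblp .. e_res2 (58 bytes)
  e_lfanew  dd ?                     ; lands at offset 3Ch
ends

section '.text' code readable executable

start:
        invoke  GetModuleHandle,0    ; sample input: this program's own mapped image
        mov     edi,eax
        mov     ecx,1000h            ; assumption: at least the first page is mapped
        call    pe_header_offset
        invoke  ExitProcess,eax      ; exit code = e_lfanew, or 0 if rejected

; in:  edi = base of the mapped file, ecx = number of mapped bytes
; out: eax = validated e_lfanew, or 0 if the headers are malformed
pe_header_offset:
        xor     eax,eax
        cmp     ecx,sizeof.IMAGE_DOS_HEADER
        jb      .done                ; too small to hold a DOS header
        cmp     word [edi+IMAGE_DOS_HEADER.e_magic],'MZ'
        jne     .done
        mov     edx,[edi+IMAGE_DOS_HEADER.e_lfanew]
        sub     ecx,4                ; last offset where a 4-byte signature still fits
        cmp     edx,ecx
        ja      .done                ; unsigned compare also rejects "negative" offsets
        cmp     dword [edi+edx],'PE' ; 'PE',0,0 read as a little-endian dword
        jne     .done
        mov     eax,edx
.done:
        ret

section '.idata' import data readable
  library kernel32,'KERNEL32.DLL'
  import  kernel32,\
          GetModuleHandle,'GetModuleHandleA',\
          ExitProcess,'ExitProcess'
```

The struct name contributes only the constant 3Ch to the address; the bounds check on the value read from that address is what keeps `[edi+edx]` inside the mapping.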

Copyright © 1999-2020, Tomasz Grysztar.
