flat assembler
Message board for the users of flat assembler.

Win64 Global Hook Problem (Windows forum)

TimK
Joined: 14 Feb 2010
Posts: 20
Why does this code crash Windows?
Code:
format PE64 GUI 5.0 DLL

...

proc MessageHookProc nCode:DWORD,wParam:QWORD,lParam:QWORD

  invoke  CallNextHookEx, [MessageHook],ecx,rdx,r8

  ret
endp

...

;invoke SetWindowsHookEx, WH_CALLWNDPROC,MessageHookProc,[HInstance],0
;MessageHook dq 0
    

But this works:
Code:
proc MessageHookProc nCode:DWORD,wParam:QWORD,lParam:QWORD

  mov [nCode],ecx
  mov [wParam],rdx
  mov [lParam],r8

  invoke  CallNextHookEx, [MessageHook],[nCode],[wParam],[lParam]

  ret
endp
Post 18 Feb 2010, 03:02
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17343
Location: In your JS exploiting you and your system
Check out the fastcall standard and then compare that to the registers you have used. Now look at the invoke macro code and see what code is generated.

The fastcall macro works forward through the parameters so you can't put them in that order because the values are overwritten before they are used. It is a 'gotcha' in the macros.

If you look at the generated code you should see this:
Code:
;    fastcall function,[value],rcx,rdx,r8
        sub     rsp,0x20
        mov     rcx,[value]
        mov     rdx,rcx
        mov     r8,rdx
        mov     r9,r8
        call    [function]
Post 18 Feb 2010, 05:35
revolution
NOTE: this particular problem can be solved by working backwards through the parameters. But it would still not be a general solution. Best would be if the macros gave an error when a register is used as source data after being overwritten.
Post 18 Feb 2010, 05:47
TimK
That is, temporary storage is required anyway, even without invoke... Thanks!
Post 18 Feb 2010, 06:04
revolution
TimK wrote:
That is, temporary storage is required anyway, even without invoke...
No, you can do it without temporary storage.
Code:
;   fastcall function,[value],rcx,rdx,r8
        sub     rsp,0x20
        mov     r9,r8
        mov     r8,rdx
        mov     rdx,rcx
        mov     rcx,[value]
        call    [function]
But the current macro won't do that for you. You have to do it manually.
Post 18 Feb 2010, 06:11
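The two posts above show one concrete instance of the problem (forward moves clobber rcx, rdx and r8 before they are read) and one fix (move in reverse order). The following Python model, an added illustration that is not part of the thread and not taken from fasm's own macro source, generalises both: it simulates the `mov` sequence the 64-bit `fastcall` macro emits into the Win64 argument registers, flags every argument whose source register has already been overwritten (the error revolution suggests the macros should raise), and searches for a move order that needs no temporary. It also shows the case where no such order exists (two arguments that swap registers), so a temporary really is required there. Register values and the argument list are constructed for the demonstration.

```python
"""Model of the register shuffle behind fasm's 64-bit fastcall/invoke macro.

Win64 fastcall passes the first four integer arguments in rcx, rdx, r8, r9.
The macro emits one `mov dest, src` per argument in argument order, so an
argument whose source is a register already written by an earlier mov picks
up the new value instead of the original one.  In the thread's hook, that
turns the pointers forwarded to CallNextHookEx into garbage, hence the crash.
Added illustration: the register names are the real Win64 convention, the
ordering logic is mine, not the macro's own source.
"""

FASTCALL_REGS = ("rcx", "rdx", "r8", "r9")


def simulate(sources, state, order=None):
    """Apply `mov FASTCALL_REGS[i], sources[i]` for each i in `order`.

    `sources` lists each argument's operand (a register name or a memory
    operand such as "[value]"); `state` maps operand names to values.
    `order` defaults to forward argument order, which is what the macro emits.
    Returns the register state after the moves.
    """
    regs = dict(state)
    if order is None:
        order = range(len(sources))
    for i in order:
        regs[FASTCALL_REGS[i]] = regs[sources[i]]
    return regs


def clobbered(sources, order=None):
    """Indices of arguments read from a register that an earlier mov in
    `order` already overwrote.  An empty list means the sequence is safe."""
    if order is None:
        order = list(range(len(sources)))
    written = set()
    bad = []
    for i in order:
        if sources[i] in written:
            bad.append(i)
        written.add(FASTCALL_REGS[i])
    return bad


def safe_order(sources):
    """Find a mov order that needs no temporary register, or None if the
    arguments form a cycle (e.g. swapping rcx and rdx).

    Constraint: if argument i reads FASTCALL_REGS[j] with j != i, the mov
    into FASTCALL_REGS[i] must run before the mov into FASTCALL_REGS[j].
    A topological sort of these constraints yields a safe order; a cycle
    means some value has nowhere to go without a scratch register.
    """
    n = len(sources)
    dest_index = {r: k for k, r in enumerate(FASTCALL_REGS[:n])}
    after = {i: set() for i in range(n)}   # moves that must follow move i
    indeg = [0] * n
    for i, src in enumerate(sources):
        j = dest_index.get(src)
        if j is not None and j != i:       # mov rcx,rcx would be a no-op
            after[i].add(j)
            indeg[j] += 1
    ready = [i for i in range(n) if indeg[i] == 0]
    order = []
    while ready:
        i = ready.pop()
        order.append(i)
        for j in after[i]:
            indeg[j] -= 1
            if indeg[j] == 0:
                ready.append(j)
    return order if len(order) == n else None


if __name__ == "__main__":
    # Constructed register file: a hook entered with nCode=1, wParam=2, lParam=3
    # and a hook handle of 10 stored in memory.
    state = {"rcx": 1, "rdx": 2, "r8": 3, "r9": 0, "[value]": 10}
    args = ["[value]", "rcx", "rdx", "r8"]
    print("forward :", simulate(args, state), "clobbered:", clobbered(args))
    order = safe_order(args)
    print("safe    :", order, simulate(args, state, order))
    print("swap    :", safe_order(["rdx", "rcx"]))  # None: needs a temporary
```

For the thread's argument list `safe_order` returns the reverse order revolution wrote by hand; for a two-argument swap it returns `None`, which is the case a macro would have to reject or handle with a scratch register.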
Copyright © 1999-2020, Tomasz Grysztar.