My Win64 Dll code:
proc Install
sub rsp, 20h
...
mov rcx,WH_CALLWNDPROC
mov rdx,MessageHookProc
mov r8,[HInstance]
xor r9,r9
call [SetWindowsHookEx]
mov [MessageHook],rax
test rax,rax
jz .free
mov rcx,WH_SHELL
mov rdx,ShellHookProc
mov r8,[HInstance]
xor r9,r9
call [SetWindowsHookEx]
mov [ShellHook],rax
test rax,rax
jnz .exit
.free:
call FreeHooks
xor rax,rax
.exit:
add rsp, 20h
ret
endp
proc Uninstall
sub rsp, 20h
call FreeHooks
add rsp, 20h
ret
endp
proc FreeHooks
mov rcx,[MessageHook]
test rcx,rcx
jz @f
call [UnhookWindowsHookEx]
mov [MessageHook],0
@@:
mov rcx,[ShellHook]
test rcx,rcx
jz @f
call [UnhookWindowsHookEx]
mov [ShellHook],0
@@:
ret
endp
Questions:
1. I must handle rsp in FreeHooks too? ie:
proc FreeHooks
sub rsp, 20h
...
add rsp, 20h
ret
endp
2. Can i safe replace "call FreeHooks" by "jmp FreeHooks" (IDA reports "sp-analysis failed" for Install in this case)?
Index
> Windows > Win64 newbie questions
