Hello World in Windows 64 bit console

Index > Windows > Hello World in Windows 64 bit console

Author

Thread

Cerebrum

Joined: 21 May 2020
Posts: 6

Cerebrum 22 May 2020, 06:54

Hello,

in the following Hello World program:
1. Is this the simplest? Why do we need the ".idata" section and the kernel_table?
2. What is going on with the

Code:

mov     rcx,rax

command? AFAIK rax is not set anywhere.
3. Why the

Code:

mov     ecx,eax ;why???
call    [ExitProcess]

Code:

format pe64 console
entry start

STD_OUTPUT_HANDLE       = -11

section '.text' code readable executable

start:
        sub     rsp,8*7         ; reserve stack for API use and make stack dqword aligned
        mov     rcx,STD_OUTPUT_HANDLE
        call    [GetStdHandle]
        mov     rcx,rax
        lea     rdx,[message]
        mov     r8d,message_length
        lea     r9,[rsp+4*8]
        mov     qword[rsp+4*8],0
        call    [WriteFile]
        mov     ecx,eax
        call    [ExitProcess]

section '.data' data readable writeable

message         db 'Hello World!',0
message_length  = $ - message

section '.idata' import data readable writeable

        dd      0,0,0,RVA kernel_name,RVA kernel_table
        dd      0,0,0,0,0

kernel_table:
        ExitProcess     dq RVA _ExitProcess
        GetStdHandle    dq RVA _GetStdHandle
        WriteFile       dq RVA _WriteFile
                        dq 0

kernel_name     db 'KERNEL32.DLL',0
user_name       db 'USER32.DLL',0

_ExitProcess    db 0,0,'ExitProcess',0
_GetStdHandle   db 0,0,'GetStdHandle',0
_WriteFile      db 0,0,'WriteFile',0

[/list]

22 May 2020, 06:54

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20617
Location: In your JS exploiting you and your system

revolution 22 May 2020, 06:58

1. The idata section is to link to the system DLLs and allow the code to talk to the OS.

2. All calls to the system APIs return either their success/failure in RAX, or the returned value in RAX. In this case GetStdHandle return the handle in RAX.

3. Same reason, RAX is set by the previous call to WriteFile.

22 May 2020, 06:58

Cerebrum

Joined: 21 May 2020
Posts: 6

Cerebrum 22 May 2020, 07:21

Why do we reserve 8*7 bytes?

Code:

sub     rsp,8*7         ; reserve stack for API use and make stack dqword aligned

2. Ok, the return code is in RAX, but why are we moving it to RCX?

3. Why are we using EAX (32 bit) here and not RAX? We are programming for 64 bit.

22 May 2020, 07:21

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20617
Location: In your JS exploiting you and your system

revolution 22 May 2020, 07:29

1. The FASTCALL convention in 64-bit Windows requires the code to reserve stack space for the API calls.

2. RCX, RDX, R8 and R9 are the inputs to the following API call to WriteFile. This is also defined by the FASTCALL convention.

3. If we don't expect RAX to have anything but zeros in the high part then we can use the 32-bit registers instead. They get automatically zero extended by the CPU.

22 May 2020, 07:29

Cerebrum

Joined: 21 May 2020
Posts: 6

Cerebrum 22 May 2020, 07:44

1. And why exactly 8*7 bytes?

22 May 2020, 07:44

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20617
Location: In your JS exploiting you and your system

revolution 22 May 2020, 07:52

Each stack slot is 8 bytes.

The first is to align the stack to a multiple of 16. A FASTCALL requirement.

The next 6 are space for up to 6 parameters passed to the API calls. WriteFile needs 5 parameters, and we have to align to the next multiple of 16 by allocating 6 slots.

22 May 2020, 07:52

Cerebrum

Joined: 21 May 2020
Posts: 6

Cerebrum 22 May 2020, 08:03

8*7 is not a multiple of 16. Or are you including the return address, in which case we have 8*8 in total?
But if the return address is part of it and WriteFile needs only 5 parameters, then 8*5 (+ return address) will also be a multiple of 16, no?

22 May 2020, 08:03

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20617
Location: In your JS exploiting you and your system

revolution 22 May 2020, 08:06

When the program is started the stack is not aligned, so we have to use one stack slot to align it.

After that all allocations are in multiples of two slots to keep the stack aligned.

So that makes 6+1 == 7 slots needed. If you only allocated 8*6 then the stack remains unaligned and you risk the program failing inside the API call due to misalignment.

22 May 2020, 08:06

Cerebrum

Joined: 21 May 2020
Posts: 6

Cerebrum 22 May 2020, 08:09

How do you know that the stack is not aligned when the program starts?

22 May 2020, 08:09

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20617
Location: In your JS exploiting you and your system

revolution 22 May 2020, 08:12

Cerebrum wrote:

How do you know that the stack is not aligned when the program starts?

Because the FASTCALL convention guarantees this for us.

22 May 2020, 08:12

Cerebrum

Joined: 21 May 2020
Posts: 6

Cerebrum 22 May 2020, 08:15

Where can I find documentation on WriteFile(which parameters are expected where and what is returned)?

22 May 2020, 08:15

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20617
Location: In your JS exploiting you and your system

revolution 22 May 2020, 08:28

Cerebrum wrote:

Where can I find documentation on WriteFile(which parameters are expected where and what is returned)?

https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefile

22 May 2020, 08:28

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum