flat assembler
Message board for the users of flat assembler.

Index > Macroinstructions > somewhat complex masm struct

okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
I have tried converting this kind of complex (for me at least) struct from KmdKit for MASM by Four-F

(I selected this structure out of many similar ones because this one has most of the things that I don't know how to do in fasm)
Code:
_IRP STRUCT                             ; sizeof = 70h
        _Type                           WORD    ?                                               ; 00h  (original field name Type)
        _Size                           WORD    ?                                               ; 02h  (original field name Size)
        MdlAddress                      PVOID           ?                                       ; 04h PMDL
        Flags                           DWORD           ?                                       ; 08h
        UNION AssociatedIrp
                MasterIrp               PVOID           ?                                       ; 0Ch PIRP
                IrpCount                DWORD           ?                                       ; 0Ch 
                SystemBuffer    PVOID           ?                                       ; 0Ch 
        ENDS    ; AssociatedIrp
        ThreadListEntry         LIST_ENTRY      <>                                      ; 10h
        IoStatus                        IO_STATUS_BLOCK <>                              ; 18h
        RequestorMode           BYTE            ?                                       ; 20h KPROCESSOR_MODE
        PendingReturned         BYTE            ?                                       ; 21h  BOOLEAN
        StackCount                      BYTE            ?                                       ; 22h
        CurrentLocation         BYTE            ?                                       ; 23h
        Cancel                          BYTE            ?                                       ; 24h  BOOLEAN
        CancelIrql                      BYTE            ?                                       ; 25h  KIRQL
        ApcEnvironment          BYTE            ?                                       ; 26h
        AllocationFlags         BYTE            ?                                       ; 27h
        UserIosb                        PIO_STATUS_BLOCK        ?                       ; 28h
        UserEvent                       PKEVENT                         ?                       ; 2Ch
        UNION Overlay                                                                           ; 30h
                STRUCT AsynchronousParameters                                   ; 30h
                        UserApcRoutine  PVOID   ?                                       ; 30h PIO_APC_ROUTINE
                        UserApcContext  PVOID   ?                                       ; 34h
                ENDS    ; AsynchronousParameters
                AllocationSize          LARGE_INTEGER   <>                      ; 30h
        ENDS    ; Overlay
        CancelRoutine           PVOID           ?                                       ; 38h PDRIVER_CANCEL
        UserBuffer                      PVOID           ?                                       ; 3Ch
        UNION Tail                                                                                      ; 40h
                STRUCT Overlay                                                                  ; 40h
                        UNION
                                DeviceQueueEntry        KDEVICE_QUEUE_ENTRY     <>              ; 40h
                                STRUCT
                                        DriverContext   PVOID   4 dup(?)                        ; 40h
                                ENDS
                        ENDS
                        Thread                          PVOID   ?                               ; 50h PETHREAD
                        AuxiliaryBuffer         PCHAR   ?                               ; 54h
                        STRUCT
                                ListEntry               LIST_ENTRY      <>                      ; 58h
                                UNION
                                        CurrentStackLocation    PVOID   ?       ; 60h PTR IO_STACK_LOCATION
                                        PacketType                              DWORD   ?       ; 60h
                                ENDS
                        ENDS
                        OriginalFileObject      PFILE_OBJECT    ?               ; 64h
                ENDS    ; Overlay
                Apc             KAPC    <>                                                              ; 40h
                CompletionKey   PVOID   ?                                               ; 40h
        ENDS    ;Tail
_IRP ENDS    


and what about that typedef? For me it looks like just PIRP equ rd 1 works, right?

edit: posted a bit cleaned up struct, no comments and empty lines... and for those who don't see what is so 'complex' here, look at the named unions, and structs inside structs...

_________________
When We Ride On Our Enemies
support reverse smileys |:
Post 20 Apr 2006, 20:40
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
I think you should also post the declarations of the inner structures, no?
Post 20 Apr 2006, 21:07
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
vid wrote:
I think you should also post the declarations of the inner structures, no?



that was just an example, and believe me, almost every structure references another... I'd have to post like 10 pages of structs to get it all here :D

http://www.freewebs.com/four-f/ for full kit with all includes

btw. I'm not asking anyone to get me a struct that compiles, just to show what kind of compromises I need to make to get it working... (though I would be more than happy if someone decides to help me convert KmdKit for fasm :D)

Post 20 Apr 2006, 21:22
shism2



Joined: 14 Sep 2005
Posts: 248
shism2
What the heck man ... you come back and don't even tell me?
Post 21 Apr 2006, 01:10
madmatt



Joined: 07 Oct 2003
Posts: 1045
Location: Michigan, USA
madmatt
Here is my stab at the conversion. You'll need to convert all the sub-structs if you haven't already. Some of them look like kernel structs.
Here it is.

Code:
struct  _IRP ; sizeof = 70h
        _Type dw ?      ; 00h  (original field name Type)
        _Size dw ?      ; 02h  (original field name Size)
        MdlAddress dd ? ; 04h PMDL
        Flags dd ?      ; 08h
        union AssociatedIrp
                MasterIrp dd ? ; 0Ch PIRP
                IrpCount  dd ? ; 0Ch
                SystemBuffer dd ? ; 0Ch
        ends    ; AssociatedIrp
        ThreadListEntry LIST_ENTRY ; 10h
        IoStatus IO_STATUS_BLOCK   ; 18h
        RequestorMode db ?         ; 20h KPROCESSOR_MODE
        PendingReturned db ?       ; 21h  BOOLEAN
        StackCount db ?            ; 22h
        CurrentLocation db ?       ; 23h
        Cancel db ?                ; 24h  BOOLEAN
        CancelIrql db ?            ; 25h  KIRQL
        ApcEnvironment db ? ; 26h
        AllocationFlags db ? ; 27h
        UserIosb  PIO_STATUS_BLOCK ; 28h
        UserEvent  PKEVENT ; 2Ch
        union Overlay ; 30h
                struct AsynchronousParameters ; 30h
                        UserApcRoutine dd ? ; 30h PIO_APC_ROUTINE
                        UserApcContext dd ? ; 34h
                ends    ; AsynchronousParameters
                AllocationSize dq ? ;(LARGE_INTEGER) 30h
        ends    ; Overlay
        CancelRoutine dd ? ; 38h PDRIVER_CANCEL
        UserBuffer dd ? ; 3Ch
        union Tail ; 40h
                struct Overlay ; 40h
                        union
                                DeviceQueueEntry KDEVICE_QUEUE_ENTRY ; 40h
                                struct
                                        DriverContext dd 4 dup(?) ; 40h
                                ends
                        ends
                        Thread dd ? ; 50h PETHREAD
                        AuxiliaryBuffer dd ? ; 54h
                        struct
                                ListEntry LIST_ENTRY ; 58h
                                union
                                        CurrentStackLocation dd ? ; 60h PTR IO_STACK_LOCATION
                                        PacketType dd ? ; 60h
                                ends
                        ends
                        OriginalFileObject PFILE_OBJECT ; 64h
                ends    ; Overlay
                Apc KAPC ; 40h
                CompletionKey dd ? ; 40h
        ends    ;Tail
ends    
Post 21 Apr 2006, 02:14
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
shism2 wrote:
What the heck man ... you come back and don't even tell me?


after I came back (in 15 days like I told you) I hung around on MSN for days :( didn't see you there :| and I've been active on the boards also and even replied to your topics, and been wondering why you are so silent |:

Post 21 Apr 2006, 02:25
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
madmatt wrote:
Here is my stab at the conversion. You'll need to convert all the sub-structs if you haven't already. Some of them look like kernel structs.
Here it is.


yep they are :)

do named unions work? I thought they didn't :(

Post 21 Apr 2006, 02:27
madmatt



Joined: 07 Oct 2003
Posts: 1045
Location: Michigan, USA
madmatt
You're right. Named unions or named sub-structs don't work.
And, here we go again:

Code:
struct  _IRP ; sizeof = 70h
        _Type dw ?      ; 00h  (original field name Type)
        _Size dw ?      ; 02h  (original field name Size)
        MdlAddress dd ? ; 04h PMDL
        Flags dd ?      ; 08h
        union
                MasterIrp dd ? ; 0Ch PIRP
                IrpCount  dd ? ; 0Ch
                SystemBuffer dd ? ; 0Ch
        ends    ; AssociatedIrp
        ThreadListEntry LIST_ENTRY ; 10h
        IoStatus IO_STATUS_BLOCK   ; 18h
        RequestorMode db ?         ; 20h KPROCESSOR_MODE
        PendingReturned db ?       ; 21h  BOOLEAN
        StackCount db ?            ; 22h
        CurrentLocation db ?       ; 23h
        Cancel db ?                ; 24h  BOOLEAN
        CancelIrql db ?            ; 25h  KIRQL
        ApcEnvironment db ? ; 26h
        AllocationFlags db ? ; 27h
        UserIosb  PIO_STATUS_BLOCK ; 28h
        UserEvent  PKEVENT ; 2Ch
        union ; 30h
                struct ; 30h
                        UserApcRoutine dd ? ; 30h PIO_APC_ROUTINE
                        UserApcContext dd ? ; 34h
                ends    ; AsynchronousParameters
                AllocationSize dq ? ;(LARGE_INTEGER) 30h
        ends    ; Overlay
        CancelRoutine dd ? ; 38h PDRIVER_CANCEL
        UserBuffer dd ? ; 3Ch
        union ; 40h
                struct ; 40h
                        union
                                DeviceQueueEntry KDEVICE_QUEUE_ENTRY ; 40h
                                struct
                                        DriverContext dd 4 dup(?) ; 40h
                                ends
                        ends
                        Thread dd ? ; 50h PETHREAD
                        AuxiliaryBuffer dd ? ; 54h
                        struct
                                ListEntry LIST_ENTRY ; 58h
                                union
                                        CurrentStackLocation dd ? ; 60h PTR IO_STACK_LOCATION
                                        PacketType dd ? ; 60h
                                ends
                        ends
                        OriginalFileObject PFILE_OBJECT ; 64h
                ends    ; Overlay
                Apc KAPC ; 40h
                CompletionKey dd ? ; 40h
        ends    ;Tail
ends    
Post 21 Apr 2006, 06:19
Madis731



Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
Madis731
:D I love your enthusiasm - you remind me of Steven Seagal in a movie - he won't get *good* answers from a bad guy so he gives it one more go :) , saying: "Here we go again!".

and here you GO - the testcase:

Code:
include 'macro/struct.inc'

struct LIST_ENTRY ;Seems funny that structs are named as constants
        dummy rd 1
ends

struct IO_STATUS_BLOCK
        dummy rd 1
ends

struct PIO_STATUS_BLOCK
        dummy rd 1
ends

struct PKEVENT
        dummy rd 1
ends

struct KDEVICE_QUEUE_ENTRY
        dummy rd 1
ends

struct PFILE_OBJECT
        dummy rd 1
ends

struct KAPC
        dummy rd 1
ends

struct  _IRP ; sizeof = 70h
        _Type dw ?      ; 00h  (original field name Type)
        _Size dw ?      ; 02h  (original field name Size)
        MdlAddress dd ? ; 04h PMDL
        Flags dd ?      ; 08h
        union
                MasterIrp dd ? ; 0Ch PIRP
                IrpCount  dd ? ; 0Ch
                SystemBuffer dd ? ; 0Ch
        ends    ; AssociatedIrp
        ThreadListEntry LIST_ENTRY ; 10h
        IoStatus IO_STATUS_BLOCK   ; 18h
        RequestorMode db ?         ; 20h KPROCESSOR_MODE
        PendingReturned db ?       ; 21h  BOOLEAN
        StackCount db ?            ; 22h
        CurrentLocation db ?       ; 23h
        Cancel db ?                ; 24h  BOOLEAN
        CancelIrql db ?            ; 25h  KIRQL
        ApcEnvironment db ? ; 26h
        AllocationFlags db ? ; 27h
        UserIosb  PIO_STATUS_BLOCK ; 28h
        UserEvent  PKEVENT ; 2Ch
        union ; 30h
                struct ; 30h
                        UserApcRoutine dd ? ; 30h PIO_APC_ROUTINE
                        UserApcContext dd ? ; 34h
                ends    ; AsynchronousParameters
                AllocationSize dq ? ;(LARGE_INTEGER) 30h
        ends    ; Overlay
        CancelRoutine dd ? ; 38h PDRIVER_CANCEL
        UserBuffer dd ? ; 3Ch
        union ; 40h
                struct ; 40h
                        union
                                DeviceQueueEntry KDEVICE_QUEUE_ENTRY ; 40h
                                struct
                                        DriverContext dd 4 dup(?) ; 40h
                                ends
                        ends
                        Thread dd ? ; 50h PETHREAD
                        AuxiliaryBuffer dd ? ; 54h
                        struct
                                ListEntry LIST_ENTRY ; 58h
                                union
                                        CurrentStackLocation dd ? ; 60h PTR IO_STACK_LOCATION
                                        PacketType dd ? ; 60h
                                ends
                        ends
                        OriginalFileObject PFILE_OBJECT ; 64h
                ends    ; Overlay
                Apc KAPC ; 40h
                CompletionKey dd ? ; 40h
        ends    ;Tail
ends
    
Post 21 Apr 2006, 07:17
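One way to check a conversion like this, as an added example that is not from the thread or from KmdKit: compute the offsets fasm will assign to madmatt's second version and compare them with the "; XXh" comments carried over from the MASM original. It assumes 32-bit WDK sizes for the embedded kernel structures (LIST_ENTRY 8, IO_STATUS_BLOCK 8, KDEVICE_QUEUE_ENTRY 10h, KAPC 30h, pointers 4); with the rd 1 stubs from the testcase above the struct assembles, but it comes out at 5Ch rather than 70h, so a stubbed build checks syntax, not layout.

```python
import re
# Added example, not from the thread: compute the offsets fasm assigns to a
# struct built from anonymous nested union/struct blocks and compare them with
# the "; XXh" comments kept from MASM. The sizes below are 32-bit WDK values
# assumed for this example; the testcase above stubs each of them as rd 1.
SUBSTRUCT_SIZES = {"LIST_ENTRY": 8, "IO_STATUS_BLOCK": 8, "PIO_STATUS_BLOCK": 4,
                   "PKEVENT": 4, "KDEVICE_QUEUE_ENTRY": 0x10, "PFILE_OBJECT": 4,
                   "KAPC": 0x30}
PRIMITIVE = {"db": 1, "dw": 2, "dd": 4, "dq": 8}
HEX_COMMENT = re.compile(r"(?<![0-9A-Za-z_])([0-9A-Fa-f]+)h\b")

def _cursor(frame):          # frame = [kind, base, used]: where the next member goes
    return frame[1] + (frame[2] if frame[0] == "struct" else 0)
def _grow(frame, size):
    """A struct advances its cursor; a union keeps only its widest member."""
    frame[2] = frame[2] + size if frame[0] == "struct" else max(frame[2], size)

def layout(src, sizes=SUBSTRUCT_SIZES):
    """Return ({field: offset}, total_size) for one fasm struct definition."""
    offsets, stack = {}, []
    for raw in src.splitlines():
        code = raw.split(";", 1)[0].split()
        if not code:
            continue
        if code[0] in ("struct", "union"):          # nested block opens here
            stack.append([code[0], _cursor(stack[-1]) if stack else 0, 0])
        elif code[0] == "ends":
            used = stack.pop()[2]
            if not stack:                            # outermost ends: done
                return offsets, used
            _grow(stack[-1], used)
        else:                                        # "name type ..." member
            name, typ = code[0], code[1]
            if typ in PRIMITIVE:
                dup = re.search(r"(\d+)\s+dup", " ".join(code[2:]))
                size = PRIMITIVE[typ] * (int(dup.group(1)) if dup else 1)
            else:
                size = sizes[typ]                    # embedded structure
            offsets[name] = _cursor(stack[-1])
            _grow(stack[-1], size)
    raise ValueError("struct not closed with ends")

def check_offsets(src, sizes=SUBSTRUCT_SIZES):
    """List (field, commented_offset, computed_offset) where they disagree."""
    offsets, bad = layout(src, sizes)[0], []
    for raw in src.splitlines():
        code, _, comment = raw.partition(";")
        toks, hexm = code.split(), HEX_COMMENT.search(comment)
        if toks and toks[0] in offsets and hexm:
            want = int(hexm.group(1), 16)
            if want != offsets[toks[0]]:
                bad.append((toks[0], want, offsets[toks[0]]))
    return bad

# Constructed sample: the Tail union of the converted _IRP, offsets rebased to 00h.
TAIL_SRC = """
struct _IRP_TAIL
  union
    struct
      union
        DeviceQueueEntry KDEVICE_QUEUE_ENTRY ; 00h
        struct
          DriverContext dd 4 dup(?) ; 00h
        ends
      ends
      Thread dd ? ; 10h
      OriginalFileObject PFILE_OBJECT ; 14h
    ends
    Apc KAPC ; 00h
  ends
ends
"""

if __name__ == "__main__":
    print("sizeof =", hex(layout(TAIL_SRC)[1]), check_offsets(TAIL_SRC) or "offsets agree")
```

Feeding it the whole converted _IRP text reports sizeof = 0x70 and no mismatches; swapping in the rd 1 stub sizes lists every field that moved.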
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
Thank you both for helpful replies Very Happy
Post 21 Apr 2006, 09:33
madmatt



Joined: 07 Oct 2003
Posts: 1045
Location: Michigan, USA
madmatt
Laughing Twisted Evil
Post 21 Apr 2006, 11:59
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
I thought it would be better not to open a new thread...

this time it's a complex macro :D
I have absolutely no idea how to convert that... I did take a look at EXITM in masm.hlp without really understanding anything :(
Code:
CTL_CODE MACRO DeviceType:=<0>, Function:=<0>, Method:=<0>, Access:=<0>
        EXITM %(((DeviceType) SHL 16) OR ((Access) SHL 14) OR ((Function) SHL 2) OR (Method))
ENDM    

it is used like this:
Code:
FILE_DEVICE_UNKNOWN             equ 00000022h
METHOD_BUFFERED                 equ 0
FILE_READ_ACCESS                equ 1   ; file & pipe
FILE_WRITE_ACCESS               equ 2   ; file & pipe

SOMETHING equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)    



edit: I thought that I could use something like this:
Code:
SOMETHING equ (FILE_DEVICE_UNKNOWN shl 16) or ((FILE_READ_ACCESS or FILE_WRITE_ACCESS) shl 14) or (800h shl 14) or METHOD_BUFFERED
    


would that work identically to the macro?

Post 21 Apr 2006, 23:47
madmatt



Joined: 07 Oct 2003
Posts: 1045
Location: Michigan, USA
madmatt
Found the C-version of the macro, this will make it easier for me to convert:
Code:
#define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
    ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)    


And now the FASM version
Code:
macro CTL_CODE DeviceType, Function, Method, Access {
   ; no comma between the macro name and its first argument; each argument is
   ; parenthesized as in the C macro, because shl binds tighter than or
   VALUE = ((DeviceType) shl 16) or ((Access) shl 14) or ((Function) shl 2) or (Method)
}
CTL_CODE FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS or FILE_WRITE_ACCESS
mov  [var], VALUE
Post 22 Apr 2006, 00:54
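As an added example (not from the thread or from KmdKit), the same CTL_CODE arithmetic in Python with a decoder and a per-field range check, which is how you would audit the control codes a driver accepts instead of comparing them as one opaque number. It also evaluates the hand-expanded equ from the post above, where Function is shifted by 14 instead of 2, to show the two are not identical; the constants are the ones posted in the thread.

```python
# Added example, not from the thread: the CTL_CODE arithmetic from the C and
# MASM macros above, with a decoder and per-field range checks so a control
# code can be audited field by field instead of as one opaque number.
FILE_DEVICE_UNKNOWN = 0x22      # constants as posted in the thread
METHOD_BUFFERED = 0
FILE_READ_ACCESS = 1
FILE_WRITE_ACCESS = 2

# Field widths implied by the macro's shifts: bits 31..16 device type,
# 15..14 required access, 13..2 function, 1..0 transfer method.
FIELD_BITS = {"device_type": 16, "access": 2, "function": 12, "method": 2}

def ctl_code(device_type, function, method, access):
    """Same expression as the macro, but rejects a value that does not fit
    its field; the macro itself would let it spill into the neighbouring one."""
    for name, value in (("device_type", device_type), ("function", function),
                        ("method", method), ("access", access)):
        if not 0 <= value < (1 << FIELD_BITS[name]):
            raise ValueError(f"{name}={value:#x} exceeds {FIELD_BITS[name]} bits")
    return (device_type << 16) | (access << 14) | (function << 2) | method

def decode_ctl_code(code):
    """Split a 32-bit control code back into the four fields."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}

def hand_expanded_shl14(device_type, function, method, access):
    """The hand-expanded equ from the post above, where Function is shifted
    by 14 instead of 2, kept here only to compare it with the macro."""
    return (device_type << 16) | (access << 14) | (function << 14) | method

if __name__ == "__main__":
    args = (FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED,
            FILE_READ_ACCESS | FILE_WRITE_ACCESS)
    good, bad = ctl_code(*args), hand_expanded_shl14(*args)
    print(f"macro:  {good:#010x} {decode_ctl_code(good)}")
    print(f"shl 14: {bad:#010x} {decode_ctl_code(bad)}")   # device type decodes as 0x222
```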
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
(again,) Thanks a lot :)


edit:

eh, AGAIN I ran into something I can't solve myself...

Code:
    ULONG sum=0;
    PULONG p=(PULONG)buf;
    int i;
    for (i=0;i<(int)(size/sizeof(ULONG));i++) sum+=p[i];
    for (int j=0;j<(int)(size%sizeof(ULONG));j++) sum+=*((UCHAR*)&p[i]+j);    

size and buf are arguments of the proc...

I tried using .while but sum+=whatever got me confused. i++ = inc [i],
right?
Is % = mod?
Post 22 Apr 2006, 06:26
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
okasvi wrote:
I tried using .while but sum+=whatever got me confused. i++ = inc [i],
right?
Is % = mod?


sum+=whatever is the same as add sum, whatever, but of course, you use registers. Or, if you prefer, it's the same as sum=sum+whatever

i++ is inc [i], right. but shouldn't you use registers?

% is mod, correct Wink
Post 22 Apr 2006, 09:28
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
The_Grey_Beast wrote:
okasvi wrote:
I tried using .while but sum+=whatever got me confused. i++ = inc [i],
right?
Is % = mod?


sum+=whatever is the same as add sum, whatever, but of course, you use registers. Or, if you prefer, it's the same as sum=sum+whatever

i++ is inc [i], right. but shouldn't you use registers?

% is mod, correct Wink


inc [i] etc. is just for easier understanding, I mean to see which one is which etc.
I try to use regs..



edit: doesn't look good, I'm still tired as I just woke up:
Code:
        push    [buf]
        pop             esi ;p
        xor             ecx, ecx ; i
        mov             edx, [_size]
        mov             eax, 4
        div             edx ;size/4, im lost with div Sad
        xor             eax, eax ; sum
        .while ecx < edx
                add             eax, [esi+ecx] ;eh?
                inc             ecx
        .endw
    

I'm not even sure if I'm dividing correctly :o

Post 22 Apr 2006, 11:17
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
Hey, you can use shr instead of div since 4 is a power of 2 (2^2 = 4). so you can simply use shr edx, 2 and remove that mov eax, 4 line Wink
Post 22 Apr 2006, 12:12
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi
thanks for the good tip :)

edit: but would that work otherwise as supposed? (for the first for()'s part...)
Post 22 Apr 2006, 12:21
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
why not? it's correct.

personally, in C I usually don't use arrays, but rather something like "p+i", since it is more clear (i like to think low-level). Wink

tip for modulo: Modulus by power of 2 is also simple. For example, you want to do modulus with 4. You can use the "and" operator, like: "and size, 4-1". You have to put the -1, since that's how it works (note, only on powers of 2). of course, replace "size" with the register.

in fact, modulus by power of 2 is: "a mod b = a and (b-1)", where b is a power of 2 number Smile
Post 22 Apr 2006, 13:07
Madis731



Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
Madis731
Hey,
Code:
;    ULONG sum=0;
;    PULONG p=(PULONG)buf;
;    int i;
;    for (i=0;i<(int)(size/sizeof(ULONG));i++) sum+=p[i];
;    for (int j=0;j<(int)(size%sizeof(ULONG));j++) sum+=*((UCHAR*)&p[i]+j);
        xor     eax,eax         ; sum
        mov     esi,[buf]       ; p
        xor     ecx,ecx         ; i
    round1:
        cmp     ecx,[_size]
        jnc     exitround1
        add     eax,[esi+ecx]

        xor     edx,edx         ; lets use edx as j
        mov     edi,[_size]
        and     edi,11b         ; s%4
        push    esi             ; We reassign esi because
        lea     esi,[esi+ecx]   ; [esi+ecx+edx] is not allowed Sad
        round2:
                cmp     edx,edi
                jnc     exitround2
                movzx   ebx,byte[esi+edx]
                add     eax,ebx
                add     edx,1
                jmp     round2
        exitround2:
        pop     esi

        add     ecx,4           ; usually a DWORD so =4
        jmp     round1
    exitround1:

buf             dd another_buffer
another_buffer  rd 100          ; Very Happy
_size           dd 4*100
    

or should it be:
Code:
        xor     eax,eax         ; sum
        mov     esi,[buf]       ; p
        xor     ecx,ecx         ; i
    round1:
        cmp     ecx,[_size]
        jnc     exitround1
        add     eax,[esi+ecx]
        add     ecx,4           ; usually a DWORD so =4
        jmp     round1
    exitround1:

        xor     edx,edx         ; lets use edx as j
        mov     edi,[_size]
        and     edi,11b         ; s%4
        lea     esi,[esi+ecx]   ; We reassign esi because
                                ; [esi+ecx+edx] is not allowed Sad
    round2:
        cmp     edx,edi
        jnc     exitround2
        lea     ebx,[esi+edx]   ;This version is when *(UCHAR*) is a pointer
        add     eax,ebx
        add     edx,1
        jmp     round2
    exitround2:


buf             dd another_buffer
another_buffer  rd 100          ; Very Happy
_size           dd 4*100
    


PS Would anyone be kind enough to decrypt this easy-to-read :) C code for me:
sum+=*((UCHAR*)&p[i]+j);

I can see that if the size is not a multiple of four, like 7, they need to take care of the remaining 3 bytes one by one. But the others add DWORDs, this one adds bytes :| why is this useful?

&p[i] is the address of the buffer+index, but which takes place first, the "+" sign or the character pointer cast? And why is this additional pointer needed?


Last edited by Madis731 on 22 Apr 2006, 14:34; edited 1 time in total
Post 22 Apr 2006, 13:48
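As an added example (not code from the thread), the C loop quoted above written out in Python with its two loop bounds made explicit, plus a small model of which bytes a dword loop touches: a loop that compares the byte index against the full size, as cmp ecx,[_size] does in both listings above, makes its last dword read run past the end of a buffer whose size is not a multiple of four. The sample bytes are constructed.

```python
import struct

# Added example, not from the thread: the C checksum loop quoted above in
# Python, with the loop bounds made explicit, plus a model of the dword loop's
# reads so a bound can be checked against a buffer whose size is not a
# multiple of four. The input bytes used in main() are constructed sample data.

def checksum(buf):
    """sum += p[i] over whole ULONGs, then sum += each leftover byte,
    truncated to 32 bits as the ULONG accumulator (eax) would be."""
    size = len(buf)
    dwords = size // 4            # i runs to size/sizeof(ULONG)
    tail = size & 3               # j runs to size%sizeof(ULONG), i.e. size and 3
    total = 0
    for i in range(dwords):
        total += struct.unpack_from("<I", buf, 4 * i)[0]      # p[i]
    for j in range(tail):
        total += buf[4 * dwords + j]   # *((UCHAR*)&p[i] + j): byte j after the last dword
    return total & 0xFFFFFFFF

def dword_reads(size, bound_is_full_size):
    """Byte ranges touched by a loop that adds one dword and advances its
    byte index by 4 while index < bound. True mirrors 'cmp ecx,[_size]';
    False mirrors a bound rounded down to the last whole dword (size and not 3)."""
    bound = size if bound_is_full_size else size & ~3
    return [(off, off + 4) for off in range(0, bound, 4)]

def bytes_past_end(size, bound_is_full_size=True):
    """How many bytes beyond the buffer the last dword read reaches."""
    reads = dword_reads(size, bound_is_full_size)
    return max(0, reads[-1][1] - size) if reads else 0

if __name__ == "__main__":
    sample = bytes([1, 0, 0, 0, 2, 0, 0, 0, 3, 4, 5])   # 11 bytes: two dwords + 3 tail bytes
    print(hex(checksum(sample)))                        # 1 + 2 + 3 + 4 + 5
    for n in (8, 11):
        print(n, "bytes: full-size bound over-reads", bytes_past_end(n), "byte(s)")
```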
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.