flat assembler
Message board for the users of flat assembler.
baldr 19 Jun 2010, 01:02
mindcooler,
Something like this?

Code:
```
list equ                        ; the import list starts out empty

; Append one lib, <funcs> pair to list. match is used because
; equs aren't expanded when they are part of macro arguments.
macro append lib, [funcs] {
common
  match _list, list \{          ; list already has entries
    restore list
    list equ _list, lib, <funcs>
  \}
  match , list \{               ; list is still empty
    restore list
    list equ lib, <funcs>
  \}
}

macro process_list [lib, funcs] {
  dd lib#.ilt, 0, 0, lib#.name, lib#.iat   ; one descriptor per library
common
  dd 5 dup 0                    ; terminating all-zero descriptor
forward
  lib#.ilt:
  irp func, funcs \{ dd func\#.name \}
  dd 0
forward
  lib#.iat:
  irp func, funcs \{ func dd func\#.name \}
  dd 0
forward
  lib#.name db `lib, 0
forward
  irp func, funcs \{
    align 2
    func\#.name dw 0
    db \`func, 0
  \}
}

append kernel32, LoadLibraryA, GetProcAddress, ExitProcess
append user32, MessageBoxA

match _list, list { process_list _list }

db "Addresses:"
align 4
dd LoadLibraryA, GetProcAddress, ExitProcess, MessageBoxA
```
mindcooler 19 Jun 2010, 17:59
baldr wrote:
macro append lib, [funcs] {

Does this just concatenate the arguments to one long string (list equ kernel32, LoadLibraryA, GetProcAddress, ExitProcess, user32, MessageBoxA)? If so, how does the process macro know what is a lib and what is a func?

Quote:
macro process_list [lib, funcs]

Edit: Is "," matched as a separator token?
baldr 19 Jun 2010, 18:24
mindcooler,
It does. The idea is to collect lib/import tuples and unroll them into import directory. match is crucial because of FASM order of processing: equs aren't expanded when they are part of macro arguments. Refresh your knowledge here.

Macro arguments can be complex (i.e. contain <> subunits).

First non-literal (i.e. not preceded by «=») comma separates match template from the rest (to be matched against template).

Last edited by baldr on 19 Jun 2010, 18:56; edited 1 time in total
mindcooler 19 Jun 2010, 18:55
I see it now, the functions are grouped with <> to preserve ',', and are then expanded with irp.
baldr 19 Jun 2010, 18:59
mindcooler,
Iterated, right.
mindcooler 19 Jun 2010, 20:54
With the help of your example I made this:
Code:
```
imports equ \
  kernel32,<Sleep,WriteConsoleA,GetStdHandle>,\
  user32,<MessageBoxA>

idata:

macro create_imports [dll,functions] {
  dd 0,0,0,dll#.name,dll#.iat
common
  dd 5 dup 0
  idata.size = $-idata
forward
  dll#.iat:
  irp function,functions \{ function: dd function\#.name \}
  dd 0
forward
  dll#.name: db `dll#'.dll',0
forward
  irp function, functions \{
    align 2
    function\#.name: dw 0
    db \`function,0
  \}
}

match _imports,imports { create_imports _imports }
```

Which boils down to

Code:
```
idata:
dd 0,0,0,kernel32.name,kernel32.iat
dd 0,0,0,user32.name,user32.iat
dd 5 dup 0
idata.size=$-idata

kernel32.iat:
Sleep:dd Sleep.name
WriteConsoleA:dd WriteConsoleA.name
GetStdHandle:dd GetStdHandle.name
dd 0

user32.iat:
MessageBoxA:dd MessageBoxA.name
dd 0

kernel32.name:db 'kernel32.dll',0
user32.name:db 'user32.dll',0

align 2
Sleep.name:dw 0
db 'Sleep',0
align 2
WriteConsoleA.name:dw 0
db 'WriteConsoleA',0
align 2
GetStdHandle.name:dw 0
db 'GetStdHandle',0
align 2
MessageBoxA.name:dw 0
db 'MessageBoxA',0
```
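Added example, not part of the thread or of anyone's posted code: a Python sketch that lays out the same bytes the two macro variants emit (with and without the `.ilt` table) and then walks them back the way an import-table inspector would. The names `build_idata`, `parse_imports`, `SAMPLE` and the section RVA `0x2000` are assumptions made for the illustration, and 32-bit thunks are assumed throughout.

```python
import struct

SAMPLE = [("kernel32", ["Sleep", "WriteConsoleA", "GetStdHandle"]),
          ("user32", ["MessageBoxA"])]  # constructed sample, as in the thread

def build_idata(imports, rva=0x2000, with_ilt=False):
    """Emit descriptors, thunk tables, DLL names, hint/name entries (2 passes)."""
    sym, blob = {}, bytearray()
    for _ in range(2):  # pass 1 records label RVAs, pass 2 emits them
        blob = bytearray()
        for dll, _funcs in imports:  # ILT field stays 0 unless with_ilt
            blob += struct.pack("<5I", sym.get((dll, "ilt"), 0), 0, 0,
                                sym.get((dll, "name"), 0), sym.get((dll, "iat"), 0))
        blob += bytes(20)  # dd 5 dup 0
        for table in (("ilt", "iat") if with_ilt else ("iat",)):
            for dll, funcs in imports:
                sym[(dll, table)] = rva + len(blob)
                blob += b"".join(struct.pack("<I", sym.get((dll, f), 0))
                                 for f in funcs) + bytes(4)  # thunks, then dd 0
        for dll, _funcs in imports:
            sym[(dll, "name")] = rva + len(blob)
            blob += dll.encode("ascii") + b"\0"
        for dll, funcs in imports:
            for f in funcs:
                blob += bytes(len(blob) % 2)  # align 2
                sym[(dll, f)] = rva + len(blob)
                blob += b"\0\0" + f.encode("ascii") + b"\0"  # dw 0 hint, name
    return bytes(blob)

def _off(blob, rva, base):
    if not base <= rva < base + len(blob):
        raise ValueError("RVA 0x%x outside section" % rva)
    return rva - base
def _cstr(blob, rva, base):
    off = _off(blob, rva, base)
    return blob[off:blob.index(b"\0", off)].decode("ascii")

def parse_imports(blob, base=0x2000):  # -> [(dll, [function, ...]), ...]
    out, pos = [], 0
    while any(desc := struct.unpack_from("<5I", blob, pos)):
        ilt, _, _, name, iat = desc
        thunk = _off(blob, ilt or iat, base)  # ILT may be 0: use the IAT
        funcs = []
        while (entry := struct.unpack_from("<I", blob, thunk)[0]):
            funcs.append("#%d" % (entry & 0xFFFF) if entry & 0x80000000
                         else _cstr(blob, entry + 2, base))  # skip hint word
            thunk += 4
        out.append((_cstr(blob, name, base), funcs))
        pos += 20
    return out
```

A parser that only follows the first descriptor field finds no functions in the layout without `.ilt`, because that field is zero there; falling back to the IAT pointer recovers the same names from both layouts.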
baldr 20 Jun 2010, 10:43
mindcooler,
.DLL file extension is quite common for DLLs, how about .BPL (Borland), .WCX (Total Commander plug-in) or .WLL (IDA core)? Import directory needs only file name, why don't use it as reference to DLL? I'm not 100% sure but it can be without default ".DLL" suffix (probably it's NT-specific, export forwarding appears to store only base name without extension in forwarder string).

Another enhancement is to eliminate duplicates in imports. Not an easy task though.

match instant-macro probably could be modified to accept [] grouping in pattern, then we won't need separate create_imports macro (of little use by itself, except in your example you may invoke it directly, because of static import list).
mindcooler 20 Jun 2010, 20:07
baldr wrote:
.DLL file extension is quite common for DLLs, how about .BPL (Borland), .WCX (Total Commander plug-in) or .WLL (IDA core)? Import directory needs only file name, why don't use it as reference to DLL? I'm not 100% sure but it can be without default ".DLL" suffix (probably it's NT-specific, export forwarding appears to store only base name without extension in forwarder string).

Well what do you know, it works without extension!

baldr wrote:
Another enhancement is to eliminate duplicates in imports. Not an easy task though.

It is probably a rare case, at least for me. You could solve it with name mangling, but I like it clean.

baldr wrote:

I did away with the appended list, as I don't need to append it anymore.

Code:
```
idata:
import kernel32,<Sleep,WriteConsoleA>
```
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.