flat assembler
Message board for the users of flat assembler.

Index > Windows > did someone said user32 = stdcall?

Author
Thread Post new topic Reply to topic
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox 02 Mar 2008, 19:22
bullshit, over 30 hours spend rewriting my code over and over.
wsprintfA/wsprintfW are CDECL, know that.

they should put info about calling standard in that table at the bottom of page (msdn)
Post 02 Mar 2008, 19:22
View user's profile Send private message Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 02 Mar 2008, 19:55
I should say, thank's for the angry comment about microsoft's documentation, do you need help with something?
Post 02 Mar 2008, 19:55
View user's profile Send private message Visit poster's website Reply with quote
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox 02 Mar 2008, 20:28
actually, yes...
I used SetWindowsHookEx to grab messages. With WH_KEYBOARD it works good. But WH_KEYBOARD_LL it block all messages and delay them very bad.
Code:
format pe dll
section '.code' code readable executable writeable
entry $
cmp dword [esp+8],1
jnz exit
push 0
push dword [esp+8]
push hookproc
push 13
call [SetWindowsHookExA]
push 0x40
push 0x1000
push 8
push 0
call [VirtualAlloc]
mov [buff],eax
call [AllocConsole]
exit:
retn 12
hookproc:
push dword [esp+8]
push f
push buff
call [wsprintfA]
add esp,12
push -11
call [GetStdHandle]
push 0
push 0
push 1
push buff
push eax
call [WriteFile]
pop ebx
push dword [esp+12]
push dword [esp+8]
push dword [esp+4]
push 0
call [CallNextHookEx]
jmp ebx
buff dd 0
f db '%c',0
section '.idata' import readable
dd 0,0,0,RVA user32_name,RVA user32_table
dd 0,0,0,RVA kernel32_name,RVA kernel32_table
dd 0,0,0,0,0
user32_table:
SetWindowsHookExA dd RVA _SetWindowsHookExA
wsprintfA dd RVA _wsprintfA
CallNextHookEx dd RVA _CallNextHookEx
dd 0
kernel32_table:
AllocConsole dd RVA _AllocConsole
WriteFile dd RVA _WriteFile
GetStdHandle dd RVA _GetStdHandle
VirtualAlloc dd RVA _VirtualAlloc
dd 0
user32_name db 'user32.dll',0
kernel32_name db 'kernel32.dll',0
_SetWindowsHookExA db 0,0,'SetWindowsHookExA',0
_AllocConsole db 0,0,'AllocConsole',0
_WriteFile db 0,0,'WriteFile',0
_GetStdHandle db 0,0,'GetStdHandle',0
_VirtualAlloc db 0,0,'VirtualAlloc',0
_wsprintfA db 0,0,'wsprintfA',0
_CallNextHookEx db 0,0,'CallNextHookEx',0
section '.reloc' fixups discardable    

propably i made some mistake, im tired now =/
Post 02 Mar 2008, 20:28
View user's profile Send private message Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 02 Mar 2008, 20:38
Goodnight Smile
Post 02 Mar 2008, 20:38
View user's profile Send private message Visit poster's website Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 02 Mar 2008, 22:19
With a little bit of logic, you'd know the wsprintf just can't be STDCALL. And why should MSDN/PlatformSDK document the calling convention? That's what you have the header files for.
Post 02 Mar 2008, 22:19
View user's profile Send private message Visit poster's website Reply with quote
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox 03 Mar 2008, 10:12
why not?
for each format object additional 4 bytes are substracting from esp at the end...
Post 03 Mar 2008, 10:12
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 03 Mar 2008, 10:18
asmrox wrote:
they should put info about calling standard in that table at the bottom of page (msdn)
Um, they do mention it.
Win32 SDK wrote:
Note Unlike other Windows functions, wsprintf uses the C calling convention (_cdecl), rather than the Pascal calling convention. As a result, it is the responsibility of the calling process to pop arguments off the stack, and arguments are pushed on the stack from right to left. In C-language modules, the C compiler performs this task.
asmrox, in reference to 'the wsprintf just can't be STDCALL' wrote:
why not?
for each format object additional 4 bytes are substracting from esp at the end...
Yeah, I suppose one could, but you know how programmers are, they sometimes push either too many or not enough parameters (or change the string and forget to adjust the parameters) and then the whole system crashes. And besides, what calling standard would it come under? Remember they are using a HLL compiler so it would be mighty hard for them to implement.
Post 03 Mar 2008, 10:18
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 03 Mar 2008, 19:55
Quote:
for each format object additional 4 bytes are substracting from esp at the end...

i've done this in FASMLIB. And it is quite much more complicated than you realize. Not a good idea at all for HLL.
Post 03 Mar 2008, 19:55
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 03 Mar 2008, 20:57
re: asmrox

In answer to your question, your code is running slow because the _LL hookproc is meant for time critical code you have some very slow api's running in it.

To correct your slowdown problem put your call to CallNextHookEx at the beginning of your hookproc. Make sure you preserve the return value. IF this doesn't correct your problem you can try pushing the new characters to a queue and have a separate thread process that queue continually. Although you'd need a concurrent queue implementation (i think i posted one for x86-64 somewhere on this board)

Once you make it write to a file instead of the console your keylogger will be complete. Very Happy
Post 03 Mar 2008, 20:57
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox 05 Mar 2008, 12:34
why my programs almost never work as they should =/
Debugging dll is very hard to me, so i must depend on my knowladge.
maybe i have more cdecl functions?
everything looks fine to me, laod procedutr, hook procedure, even adding 12 to esp after returning to kernel32 (Dllmain and hookproc has both 12 bytes, cant be both same time).

I would prefer to do this by hooking GetMessage, but i had do overwrite it in 2 places (it take pointer to structure). And maybe i do that, cuz this microsoft hooking api doesnt work.

Code:
format pe dll
section '.code' code readable executable
hookproc:
push dword [esp+12]
push dword [esp+12]
push dword [esp+12]
push 0
call [CallNextHookEx]
push dword [esp+8]
push f
push [buff]
call [wsprintfA]
add esp,12
push 0
push d
push 1
push [buff]
push [input]
call [WriteFile]
exit:
retn 12
entry $
cmp dword [esp+8],1
jnz exit
call [AllocConsole]
push -11
call [GetStdHandle]
mov [input],eax
push 0
push dword [esp+8]
push hookproc
push 2
call [SetWindowsHookExA]
push 0x40
push 0x1000
push 8
push 0
call [VirtualAlloc]
mov [buff],eax
jmp exit
section '.data' data readable writeable
f db '%c',0
input dd 0
d dd 0
buff dd 0
section '.idata' import readable
dd 0,0,0,RVA kernel32_name,RVA kernel32_table
dd 0,0,0,RVA user32_name,RVA user32_table
dd 0,0,0,0,0
kernel32_table:
GetStdHandle dd RVA _GetStdHandle
AllocConsole dd RVA _AllocConsole
WriteFile dd RVA _WriteFile
VirtualAlloc dd RVA _VirtualAlloc
dd 0
user32_table:
SetWindowsHookExA dd RVA _SetWindowsHookExA
CallNextHookEx dd RVA _CallNextHookEx
wsprintfA dd RVA _wsprintfA
dd 0
kernel32_name db 'kernel32.dll',0
user32_name db 'user32.dll',0
_GetStdHandle db 0,0,'GetStdHandle',0
_AllocConsole db 0,0,'AllocConsole',0
_WriteFile db 0,0,'WriteFile',0
_VirtualAlloc db 0,0,'VirtualAlloc',0
_SetWindowsHookExA db 0,0,'SetWindowsHookExA',0
_CallNextHookEx db 0,0,'CallNextHookEx',0
_wsprintfA db 0,0,'wsprintfA',0
section '.reloc' fixups discardable    
Post 05 Mar 2008, 12:34
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 05 Mar 2008, 12:48
asmrox: You don't seem to save the handle of the hook procedure returned from SetWindowsHookExA. I think you need the handle when you call CallNextHookEx.
Post 05 Mar 2008, 12:48
View user's profile Send private message Visit poster's website Reply with quote
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox 05 Mar 2008, 12:53
i always forget about pushad/popad in dll... however i didnt used ebx/ebp/esi/edi or esp.
I added whis handle, but its ignored in 2k3+
TYhis time it works, but print me double characters for each message (4 with unpress)
without CallNextHookEx works fine
Code:
format pe dll
section '.code' code readable executable
hookproc:
push dword [esp+12]
push dword [esp+12]
push dword [esp+12]
push [handle]
call [CallNextHookEx]
push dword [esp+8]
push f
push [buff]
call [wsprintfA]
add esp,12
push 0
push d
push 1
push [buff]
push [input]
call [WriteFile]
exit:
retn 12
entry $
pushad
cmp dword [esp+40],1
jnz exit
call [AllocConsole]
push -11
call [GetStdHandle]
mov [input],eax
push 0
push dword [esp+40]
push hookproc
push 2
call [SetWindowsHookExA]
mov [handle],eax
push 0x40
push 0x1000
push 8
push 0
call [VirtualAlloc]
mov [buff],eax
popad
jmp exit
section '.data' data readable writeable
f db '%c',0
input dd 0
d dd 0
buff dd 0
handle dd 0
section '.idata' import readable
dd 0,0,0,RVA kernel32_name,RVA kernel32_table
dd 0,0,0,RVA user32_name,RVA user32_table
dd 0,0,0,0,0
kernel32_table:
GetStdHandle dd RVA _GetStdHandle
AllocConsole dd RVA _AllocConsole
WriteFile dd RVA _WriteFile
VirtualAlloc dd RVA _VirtualAlloc
dd 0
user32_table:
SetWindowsHookExA dd RVA _SetWindowsHookExA
CallNextHookEx dd RVA _CallNextHookEx
wsprintfA dd RVA _wsprintfA
dd 0
kernel32_name db 'kernel32.dll',0
user32_name db 'user32.dll',0
_GetStdHandle db 0,0,'GetStdHandle',0
_AllocConsole db 0,0,'AllocConsole',0
_WriteFile db 0,0,'WriteFile',0
_VirtualAlloc db 0,0,'VirtualAlloc',0
_SetWindowsHookExA db 0,0,'SetWindowsHookExA',0
_CallNextHookEx db 0,0,'CallNextHookEx',0
_wsprintfA db 0,0,'wsprintfA',0
section '.reloc' fixups discardable    
Post 05 Mar 2008, 12:53
View user's profile Send private message Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 07 Mar 2008, 16:30
1) Your DLLMain, right now because of POPAD its return value is unknown. You should follow the spec.

2) You don't preserve the return from your CallNextHookEx function

3) [esp+8] is the wparam which corresponds to the WM_ message so why are you trying to get a character %c out of this?

I think you want for the wsprintfA ...
mov ecx,[esp+12]
push dword[ecx] ;=the virtual keycode 1byte

HK_KEYBOARD_LL callback
http://msdn2.microsoft.com/en-us/library/ms644985(VS.85).aspx
lparam struc
http://msdn2.microsoft.com/en-us/library/ms644967(VS.85).aspx

***** ALSO *****
-Uncommented magic numbers (IE: push 0x????)
-Ambiguous procedure structure (IE: entry $, push [esp+12] 3x, etc)
-Not indenting and not even putting a blank line between functions
Will make people NOT WANT to look at your code and by thus doing not help you.
Post 07 Mar 2008, 16:30
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.