Informations
You'll find here informations for coders. Send me Your informations, please!
W32ASAP
- running Win32 application as soon as after Windows Nt boot
Wow64
- in examples, not completed
MSPatching
- MS updating, coldpatching, hotpatching txt
Undoc
- various undocumented includes and libraries. Contribute!
Specifications
- ASMmagazines '89, intel386, pentium optimizations, dpmi, vcpi, xms, vds, lx, vxd-faq, old AD tricks.
SEHcomplet
- Everything You Always Wanted To Know About Seh.
Linker Reference
Dumpbin Reference
Editbin Reference
Lib Reference
SymInASM
- about creating and working with symbols, example included.
Intel PII manuals
- download Software Manual Vol 3 and 2.
EliASM2
- controlled compiling and linking; now with NASM partition
ImpByOrd
- example showing how to import by ordinal + other infos
Obsfucator
- several ways how to get 9x Obsfucator, updated
PView2K
- about Toolhelp32 and PSAPI in Windows 2000
Native
- essay about NTCALLs
Fast NTCALL
- "Fast System Call" implementation of NTCALL
Fast NTCALL (UKC version)
- "Fast System Call" implementation of NTCALL, by Iceman [UKC]
TlsInAsm
- special things in your PE
OldMB
- last part of old messageboard
Q: What I need for coding?
A: Experience and tools. For DOS and Win16 coding I recommend You Borland Turbo Assembler
v4.x (TASM.exe) and 5.x (TASM32.exe) with Turbo Linker (TLINK.exe), Ralph Brown's Interrupt
List and TechHelp or something similar. For Win32 coding I recommend You Microsoft Macro
Assembler (ML.exe), Incremental Linker (LINK.exe), some resource compiler (I use BRC32.exe),
resource to .obj convertor (CVTRES.exe), some resource editor (I use Borland Resource Workshop), Win32 API reference and Microsoft Developer Network and include files. Import libraries aren't necessary - You can create them. MAKE utility is not necessary. H2INC utility for converting C include files to ASM ones I don't use because I don't believe it. For writing programs You need an editor. I'm used to text modes, I used editor from DOS Navigator, now I'm writing in editor of FAR manager. I don't recommend You syntax highlight.
Q: How can I optimize file locations for easier compiling, linking ?
A: Have executables (with thier .dlls) in PATH variable. Have all (import) libraries in LIB
(sub)directory, have include files and macro files in INC (sub)directory. It's useful to create
following system variables:
SET INCLUDE=C:\MASM32\INCLUDE;C:\98DDK\INC\WIN98
SET LIB=C:\MASM32\LIB
You then don't need to specify path to include files or libraries on ML,LINK command lines or in
Your sources (in directives INCLUDE and INCLUDELIB).
It's useful to get help screens of used tools:
ML /? >ML.TXT
LINK /? >LINK.TXT
LINK -DUMP /? >DUMPBIN.TXT
LINK -EDIT /? >EDITBIN.TXT
LINK -LIB /? >LIB.TXT
Q: How can I make my assembly language more flexible?
A: Can you do the following things?
CALL [API] ;FF15 form of CALL instead of E8 form with JMP table at the end of .code section
MOV EAX, [API]
MOV [API], EBX
Yes You can tell me: Call GetModuleHandle and GetProcAddress and It's done ;)
Then I tell you: And when I need address of native API (e.g. KeTickCount, KeServiceDescriptorTable, ...) ?
Then You tell me: Write your program in Visual C++.
I found how to do them in Feb-6-1999. From this day you can see in my .EXEs both forms of calls.
One E8 call requires 5+6 bytes + 1 reloc item. Six E8 calls from various places of code require 6*5+6 bytes + 1 reloc item.
One FF15 call requires 6 bytes + 1 reloc item. Six FF15 calls from various places of code require 6*6 + 6 reloc items.
I will publish here the technology EliASM after I receive 1st email telling me how to play with APIs in assembly language.
So You have task! Please quickly!
Pedro was the 2nd who found the way. Applauses!
Q: What do you use instead of MAKE utility?
A: I'm writing my sources in the form of .BAT files as follows:
;@GOTO TRANSLATE
; here is my complete source
END
:TRANSLATE
@ECHO OFF
BRC32 -r Resource.rc
CVTRES /MACHINE:IX86 Resource.rc
ML /c /coff %0
LINK BATname.obj Resource.obj /..switches
DEL Resource.res
DEL Resource.obj
DEL BATname.obj
Then I simply run such a BATname.BAT
I know that old and orthodox people will always use .ASM with makefile.
Q: How to create import library?
A:
LINK -DUMP PExports.xxx /EXPORTS > PEwithExports.def
Edit .def to the form:
NAME PExports ;if xxx=exe
or
LIBRARY PExports ;if xxx=dll
or
NAME PExports.xxx ;if xxx<>exe and xxx<>exe e.g. xxx=sys
EXPORTS
Function0
Function1
...
FunctionLast
Editation is very easy when Your editor supports vertical blocks - simply select the column before
FunctionNames and erase it.
LINK -LIB /DEF:PExports /MACHINE:IX86
DEL PExports .exp
PExports.lib is import library
Q: How to link PE?
A:
LINK MyEXE.obj
.reloc section is added only when you use switch /FIXED:NONE
Q: How to link DLL?
A:
LINK MyDLL.obj /DLL
.reloc section is added automatically. Default image base is 0x10000000.
Q: How to link VxD?
A:
LINK MyVxD.obj /VXD /DEF:MyVxD.def
When You want to make dynamically loadable VxD add switch /EXETYPE:DYNAMIC.
Q: How to link Driver?
A:
LINK MySYS.obj MySYSres.obj /SUBSYSTEM:NATIVE /DRIVER /ALIGN:0X20 /BASE:0X10000
.reloc section is added automatically. You can try to make smaller file by adding switch
/MERGE:.rdata=.text.
Q: How to add checksum for PE file?
A:
At link time:
LINK MyPE.obj /RELEASE
Anytime:
LINK -EDIT MyPE.xxx /RELEASE
Q: How to change properties of PE sections?
A:At link time:
LINK MyPE.obj /MERGE:.text=SName /MERGE:.data=SName /SECTION:SName,ERW
1st switch renames .text section to SName, 2nd switch adds .data section to SName section and 3rd switch changes attributes of SName section to executable,readable and writable.
Anytime:
LINK -EDIT MyPE.xxx /SECTION:.text=SName,EWR
Q: How to change image base of PE?
A:At link time:
LINK MyPE.obj /BASE:MyBase
Anytime:
LINK -EDIT MyPE.xxx /REBASE:BASE=MyBase
MyBase is decimal number or hexadecimal number with prefix 0x.
Base for Win9x executables should be => 0x400000.
Base for WinNT executables is arbitrary. Usually from 0x1000000 to 0x3000000. Note that .EXEs in %SysRoot%\System32 directory have PE image bases alphabetically sorted: AddGrpw.exe 0x1000000, AddUsrw.exe 0x1020000, ... XCopy.exe 0x29F0000.
.reloc section is not explicitely needed.
Drivers should have base = 0x10000 (just for uniformity).
Q: How to change PE section alignment?
A:At link time:
LINK MyPE.obj /ALIGN:MyAlign
MyAlign is decimal number or hexadecimal number with prefix 0x.
Align for Win9x executables should be => 0x200.
Align for WinNT executables is arbitrary.
Q: How to get alignment=0x200 with LINK v6.0 (and higher versions) ?
A:Link 6.0 makes PEs with align=0x1000 to simplify work of the PE Loader.
Use LINK MyPE.obj /ALIGN:0x1000 to get file align=0x200, ignore warning message.
Q: Why LINK versions >5.0 produce files with some strange data in MZ part?
A:Yes, there are: MZ header, 16bit code, text:"This program.." followed by some dwords, last but one is "Rich", PE or LE header. What's the sense of those dwords? Microsoft knows. Do You too?
Q: How can I make my code running on NT ring-0?
Windows NT is normal operating system, so there is strong barrier between user (ring-3, below 0x80000000) and system code (above). The ONLY way is to write kernel-mode driver, "to register it" and to communicate with it. User-mode drivers (VDD, MM drivers) run on ring-3.
Q: How can I recognize normal OS?
Close all DOS and Win16 applications. Press debugger hotkey several times. If you'll never break in 16bit code Your OS is normal.
Q: What has changed between NT 4.0 SP0 and SP5 (for coder)?
ntoskrnl.exe exports following new APIs: ExAllocatePoolWithTagPriority, MmMapLockedPagesSpecifyCache, MmHighestUserAddress (former literal 7FFEFFFFH), MmUserProbeAddress (former literal 7FFF0000H), MmSystemRangeStart (former literal 80000000H). ntvdm.exe exports VDDFlushPrinters. Do not use those APIs for backward compatibility.
Q: Are there some other LINK switches?
Yes, they are less docummented. For example: /FULLBUILD, /OPTIDATA ,...
and /IGNORE:xxxx where xxxx is warning message number. It is usefull to suppress
warnings like 4078:"/ALIGN specified without /DRIVER or .VXD; image may not run" when You used /ALIGN,
4033:"converting object format from OMF to COFF" when linking VxD or 4078:"multiple "????" sections found with different attributes"
when merging PE sections.