Exetools  
#1
07-21-2018, 00:33
Insid3Code
Hi Vic,
Have you already tested your snippets?
Attached are both snippets (allocate/align) and binaries (one crashes, the other works fine).

I don't know if you can download the attachment from this topic, so here is an external link:
http://www.mediafire.com/file/s9dd88iel47s7h8/poc.rar
Compiled and tested (MSVC 2017 15.7.3)
Attached file: poc.rar (2.3 KB)
#2
07-21-2018, 05:05
ionioni
Originally Posted by vic4key:
ADD RSP, 40 ; Cleanup the stack... ; Not needed. The LEAVE instruction did it.

Originally Posted by Insid3Code:
Hi Vic,
Have you already tested your snippets?
Attached are both snippets (allocate/align) and binaries (one crashes, the other works fine).

I don't know if you can download the attachment from this topic, so here is an external link:
http://www.mediafire.com/file/s9dd88iel47s7h8/poc.rar
Compiled and tested (MSVC 2017 15.7.3)
leave is short for
mov rsp, rbp
pop rbp

lose "add rsp, ..."
#3
07-21-2018, 06:51
chants
This discussion is majorly lacking a hugely important point:
The calling convention in x64 always uses the RCX, RDX, R8, R9 registers for passing the first 4 arguments (anything up to 64-bit values or pointers), while in addition to those 4 registers, RAX, R10 and R11 are considered volatile. The return value is in RAX, or possibly, for a 128-bit return value, in RAX:RDX.

This is opposed to x86, where the scheme closest to the above is fastcall, which used ECX and EDX for argument passing before resorting to the stack, with EAX additionally volatile. However, in the cdecl (caller cleans up the stack) calling convention, arguments are all passed on the stack, EAX, ECX and EDX are considered volatile, and the return value is in EAX or EAX:EDX. syscall is the same except without the 3 registers being considered volatile. stdcall is also almost the same except that the callee cleans up the stack.

If mixing C with external asm, it would be extremely wise to be familiar with all these details.

For more details, which are too lengthy to include, refer to:
https://en.wikipedia.org/wiki/X86_calling_conventions
#4
07-21-2018, 12:57
vic4key
Yes, right. In x64 arch, we always need to allocate the space called "shadow space". So, the above code should be:

Code:
F1 PROC
  PUSH RBP
  MOV RBP, RSP
  SUB RSP, 30h ; Just need to add this instruction (48 bytes, which covers the 32-byte shadow space; MASM hex syntax is 30h)
  LEA RCX, TXT_F1
  CALL puts
  LEAVE
  RET
F1 ENDP
Thank you, guys.

#5
07-21-2018, 14:39
chants
It should be:

Code:
F1 PROC
  PUSH RBP
  MOV RBP, RSP
  SUB RSP, 32 ; Allocate 32 bytes of shadow space on the stack
  AND RSP, -16 ; Align on 16 bytes
  LEA RCX, TXT_F1
  CALL puts
  LEAVE
  RET
F1 ENDP
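A C model, added here and not code from the thread, that replays the prologue of posts #4 and #5 (PUSH RBP / MOV RBP,RSP / SUB RSP,n / AND RSP,-16) on constructed RSP values, checks what the callee is entitled to at the CALL site under the Win64 convention from post #3 (16-byte aligned RSP and 32 bytes of shadow space for the RCX/RDX/R8/R9 home slots), and shows that LEAVE alone restores RSP, as post #2 says. The entry RSP and the caller's RBP are made-up numbers; the model assumes the ABI rule that RSP+8 is 16-byte aligned on function entry.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define SHADOW_BYTES 32u  /* Win64 home area for RCX, RDX, R8, R9 */
#define STACK_ALIGN  16u  /* RSP must be 16-byte aligned at every CALL */

/* Frame registers; saved_rbp stands in for the caller's RBP that PUSH RBP
 * wrote to memory at [RBP]. */
typedef struct { uint64_t rsp, rbp, saved_rbp; } frame_t;

/* Replay the prologue: entry_rsp is RSP right after CALL pushed the return
 * address, sub_bytes is the SUB RSP operand (0 = no SUB), align16 adds AND RSP,-16. */
static frame_t prologue(uint64_t entry_rsp, uint64_t caller_rbp,
                        uint64_t sub_bytes, bool align16)
{
    frame_t f = { entry_rsp - 8, 0, caller_rbp };   /* PUSH RBP */
    f.rbp = f.rsp;                                   /* MOV RBP, RSP */
    f.rsp -= sub_bytes;                              /* SUB RSP, n */
    if (align16)
        f.rsp &= ~(uint64_t)(STACK_ALIGN - 1);       /* AND RSP, -16 */
    return f;
}

/* What the callee (puts) may rely on at the CALL site: an aligned RSP and
 * at least 32 bytes of shadow space between RSP and the frame top. */
static bool call_site_ok(const frame_t *f)
{
    return f->rsp % STACK_ALIGN == 0 && f->rbp - f->rsp >= SHADOW_BYTES;
}

/* LEAVE = MOV RSP, RBP ; POP RBP. RBP remembers where the frame started, so
 * no ADD RSP is needed whatever SUB/AND did to RSP. */
static frame_t leave(frame_t f)
{
    f.rsp = f.rbp;                                   /* MOV RSP, RBP */
    f.rbp = f.saved_rbp;                             /* POP RBP */
    f.rsp += 8;
    return f;
}

int main(void)
{
    /* Constructed, ABI-conforming entry state: entry + 8 is 16-byte aligned. */
    const uint64_t entry = 0x7FF8, rbp0 = 0x8010;
    frame_t no_sub = prologue(entry, rbp0, 0, false), post4 = prologue(entry, rbp0, 0x30, false);
    frame_t post5 = prologue(entry, rbp0, 32, true), back = leave(post5);
    printf("no SUB: %d  SUB 30h: %d  SUB 32 + AND -16: %d  after LEAVE rsp=%#llx\n",
           call_site_ok(&no_sub), call_site_ok(&post4), call_site_ok(&post5),
           (unsigned long long)back.rsp);
    return 0;
}
```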