Journals

CodeBreakers Journal
Assembly Programming Journal

Journal Issues

Vol.1, No.1, 2007
Issue 9 (1998-2001)
Issue 8 (1998-2001)
Issue 7 (1998-2001)
Issue 6 (1998-2001)
Issue 5 (1998-2001)
Issue 4 (1998-2001)
Issue 3 (1998-2001)
Issue 2 (1998-2001)
Issue 1 (1998-2001)

Statistics

Members: 1927
News: 293
Web Links: 1
Visitors: 3931886

Who's Online

We have 1 guest online
Damn Vulnerable LinuxDamn Vulnerable Linux (DVL) is a Linux-based (modified Damn Small Linux) tool for IT-Security & IT-Anti- Security and Attack & Defense. [CLICK HERE FOR MORE INFOS! ]

Featured Conference Video

T16-Recon2006-Joe_Stewart-OllyBonE.gif OllyBone - Semi-Automatic Unpacking on IA-32. View the conference video here!
Home arrow About/Disclaimer
Win32 ASM: The Basics
User Rating: / 2
PoorBest 
Written by Iczelion   


MASM 6.1x comes with two essential tools: ml.exe and link.exe. ml.exe is the assembler. It takes in the assembly source code (.asm) and produces an object file (.obj) . An object file is an intermediate file between the source code and the executable file. It needs some address fixups which are the services provided by link.exe. Link.exe makes an object file into an executable file by several means such as adding the codes from other modules to the object files or providing the address fixups, addingr esouces, etc.

 

 

 

The required tools: 

        -Microsoft Macro Assembler 6.1x : MASM support of Win32 programming
starts from version 6.1. The latest version is 6.13 which
is a patch to previous version of 6.11. Win98 DDK includes MASM
6.11d which you can download from Microsoft at
{http://www.microsoft.com/hwdev/ddk/download/win98ddk.exe}
But be warned, this monstrosity is huge, 18.5 MB in size. MASM 6.13
patch can also be downloaded from
{ftp://ftp.microsoft.com/softlib/mslfiles/ml613.exe}
-Microsoft import libraries : You can use the import libraries from
Visual C++. Some are included in Win98 DDK.
-Win32 API Reference : You can download it from Borland's site:
{ftp://ftp.borland.com/pub/delphi/techpubs/delphi2/win32.zip}

Here's a brief description of the assembly process.

MASM 6.1x comes with two essential tools: ml.exe and link.exe. ml.exe is the assembler. It takes in the assembly source code (.asm) and produces an object file (.obj) . An object file is an intermediate file between the source code and the executable file. It needs some address fixups which are the services provided by link.exe. Link.exe makes an object file into an executable file by several means such as adding the codes from other modules to the object files or providing the address fixups, addingr esouces, etc.

For example: 

        ml skeleton.asm    ---> this produces skeleton.obj
link skeleton.obj  ---> this produces skeleton.exe

The above lines are simplification of course. In the real world, you must add several switches to ml.exe and link.exe to customize your application. Also there will be several files you must link with the object file in order to create your application.

Win32 programs run in protected mode which is available since 80286. But 80286 is now history. So we only have to concern ourselves with 80386 and its descendants. Windows run each Win32 program in separated virtual space. That means each Win32 program will have its own 4 GB address space. Each program is alone in its address space. This is in contrast to the situation in Win16. All Win16 programs can see each other. Not so in Win32. This feature helps reduce the chance of one program writing over other program's code/data.

Memory model is also drastically different from the old days of the 16-bit world. Under Win32, we need not be concerned with memory model or segment anymore! There's only one memory model: Flat memory model. There's no more 64K segments. The memory is a large continuous space of 4 GB. That also means you don't have to play with segment registers. You can use any segment register to address any point in the memory space. That's a GREAT help to programmers. This is what makes Win32 assembly programming as easy as C.

We will examine a miminal skeleton of a Win32 assembly program. We'll add more flesh to it later. Here's the skeleton program. If you don't understand some of the codes, don't panic. I'll explain each of them later.

.386
.MODEL Flat, STDCALL
.DATA

<Your initialized data>
......
.DATA?

<Your uninitialized data>
......
.CONST

<Your constants>
......
.CODE

<label>
<Your code>
.....
end <label>
That's all! Let's analyze this skeleton program.

.386
This is an assembler directive, telling the assembler to use 80386 instruction set. You can also use .486, .586 but the safest bet is to stick to .386.

.MODEL FLAT, STDCALL
.MODEL is an assembler directive that specifies memory model of your program. Under Win32, there's only on model, FLAT model. STDCALL tells MASM about parameter passing convention. Parameter passing convention specifies the order of parameter passing, left-to-right or right-to-left, and also who will balance the stack frame after the function call.

Under Win16, there are two types of calling convention, C and PASCAL C calling convention passes parameters to the function from right to left, that is , the rightmost parameter is pushed on the stack first. The caller is responsible for balancing the stack frame after the call. For example, in order to call a function named foo(int first_param, int second_param, int third_param) in C calling convention the asm codes will look like this: 

     push  [third_param]               ; Push the third parameter
push  [second_param]              ; Followed by the second
push  [first_param]               ; And the first
call    foo
add    sp, 12                     ; The caller balances the stack frame

PASCAL calling convention is the reverse of C calling convention. It pushes parameters on the stack from left to right and the callee is responsible for the stack balancing after the call.

Win16 adopts PASCAL convention because it produces smaller codes. C convention is useful when you don't know how many parameters will be passed to the function as in the case of wsprintf(). In the case of wsprintf(), the function has no way to determine beforehand how many parameters will be pushed on the stack, so it cannot balance the stack correctly. The caller is the one who knows how many bytes are pushed on the stack so it's right and proper that it's also the one who balances the stack frame after the call.

STDCALL is the hybrid of C and PASCAL convention. It pushes parameters on the stack from right to left but the callee is responsible for stack balancing after the call. Win32 platform use STDCALL exclusively. Except in one case: wsprintf(). You must use C calling convention with wsprintf().

.DATA
.DATA?
.CONST
.CODE
All four directives are what are called sections. You don't have segments in Win32 anymore, remember? But you can divide your entire address space into logical sections. The start of one section denotes the end of the previous section. There are two groups of section: data and code. Data sections are divided into 3 categories:

  • .DATA This section contains initialized data of your program.
  • .DATA? This section contains uninitialized data of your program. Sometimes you just want to preallocate some memory but doesn't want to initialize it. This section exists for that purpose.
  • .CONST This section contains declaration of constants used by your program. Constants in this section can never be modified in your program. They are just constant.

You don't have to use all three sections in your program. Declare only the section(s) you want to use.

There's only one section for code: .CODE. This is where your codes reside. Example:

<label>
end <label>

...where <label> is any arbitrary label is used to specify the extent of your code. Both labels must be identical. All your codes must reside between <label> and end <label>