by
Qark and Quantum [VLAD]
Using a debugger like Turbo Debugger 32bit found in Tasm 4.0, other
function values can be found.
Calling Conventions
Windows 95 was written in C++ and Assembler, mainly C++, and although
C calling conventions are just as easy to implement, Microsoft didn't
use them. All APIs under Win95 are called using the Pascal Calling
Convention. For example, take an API as listed in the Visual C++ help files:
FARPROC GetProcAddress(
HMODULE hModule, // handle to DLL module
LPCSTR lpszProc // name of function
);
At first glance it would seem that all you need to do is push the
handle, then a pointer to the name of the function, and call the
API - but no. Because of the Pascal Calling Convention, the parameters
must be pushed in reverse order:
push offset lpszProc
push dword ptr [hModule]
call GetProcAddress
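To make the push order concrete, here is an added example that is not part of the VLAD text: a small C simulation of the x86 stack during the call above. It models what the Win32 SDK calls WINAPI/stdcall (the convention the article refers to as Pascal): parameters pushed right to left, CALL pushing the return address, and the callee removing its own parameters with RET n. The stack array, the placeholder return address and the two dword values are constructed; no real Win32 function is called.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the x86 stack: a word array that grows downward,
 * with g_esp indexing the top word. This is plain C, not inline assembly. */
#define STACK_WORDS 64
static uint32_t g_stack[STACK_WORDS];
static uint32_t g_esp = STACK_WORDS;

static void push(uint32_t v) { g_stack[--g_esp] = v; }
static uint32_t pop(void) { return g_stack[g_esp++]; }

/* How the callee sees its parameters right after CALL: [esp] is the return
 * address, [esp+4] the first (leftmost) parameter, [esp+8] the second.
 * The right-to-left push order is exactly what makes the first parameter
 * land nearest the return address. */
static uint32_t callee_param(int n) { return g_stack[g_esp + n]; }

/* Simulated two-parameter WINAPI callee, e.g. GetProcAddress(hModule,
 * lpszProc). It returns whatever it sees as its first parameter and then
 * performs "ret 8": pop the return address and discard two dwords of
 * parameters, as a stdcall callee does. */
static uint32_t callee_ret8(void) {
    uint32_t first  = callee_param(1);   /* expected: hModule  */
    uint32_t second = callee_param(2);   /* expected: lpszProc */
    (void)second;
    (void)pop();                         /* RET pops the return address */
    g_esp += 2;                          /* RET 8 removes the parameters */
    return first;
}

/* Correct sequence from the article: push lpszProc; push hModule; call.
 * Returns the callee's result, or 0xFFFFFFFF if the stack is unbalanced
 * afterwards (a stdcall caller must not touch esp after the call). */
static uint32_t call_api(uint32_t hModule, uint32_t lpszProc,
                         uint32_t (*f)(void)) {
    uint32_t esp_before = g_esp;
    push(lpszProc);          /* last parameter is pushed first  */
    push(hModule);           /* first parameter is pushed last  */
    push(0xDEADBEEF);        /* CALL pushes a (placeholder) return address */
    uint32_t r = f();
    return (g_esp == esp_before) ? r : 0xFFFFFFFF;
}

/* The mistake the article warns against: pushing in source order.
 * The callee then reads lpszProc where it expects hModule. */
static uint32_t call_api_wrong_order(uint32_t hModule, uint32_t lpszProc,
                                     uint32_t (*f)(void)) {
    uint32_t esp_before = g_esp;
    push(hModule);
    push(lpszProc);
    push(0xDEADBEEF);
    uint32_t r = f();
    return (g_esp == esp_before) ? r : 0xFFFFFFFF;
}

/* Reports whether the simulated stack is back where it started. */
static int stack_balanced(void) { return g_esp == STACK_WORDS; }

int main(void) {
    uint32_t hModule = 0x00400000u, lpszProc = 0x00401234u;  /* constructed */
    printf("reverse order: callee saw first param %08x\n",
           call_api(hModule, lpszProc, callee_ret8));
    printf("source order:  callee saw first param %08x\n",
           call_api_wrong_order(hModule, lpszProc, callee_ret8));
    printf("stack balanced after both calls: %d\n", stack_balanced());
    return 0;
}
```

The callee never knows how the caller pushed; it only addresses [esp+4] and [esp+8], which is why a wrong push order silently swaps the arguments rather than failing. Single-stepping the real call in a debugger, as the article does, shows the same layout on the live stack.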
Using a debugger like Turbo Debugger 32bit we can single-step into the
call and follow it to the kernel call as stated above. This gives us
the function number, so we can do away with the need for an entry in
the import table.
Notes
Tools
There are many good books available that supply low level Windows 95
information. "Unauthorized Windows 95", although not a particularly
useful book (it speaks more of DOS/Windows interaction), supplies
utilities on disk and on their WWW site that are far superior to the
ones that we wrote to research Win95 infection.