Hello,

I am a bit new at assembly and I have side tracked myself into wondering how you call a function in a windows dll, (kernel32.dll for example) that only exports itself with an ordinal number.

Functions with only ordinal numbers don't seem to show up in the various inc files. Apparently if I call the function dynamically GetProcAdddress will cope with ordinal numbers as well as names.
I learnt this from http://spiff.tripnet.se/~iczelion/tut17.html and http://msdn.microsoft.com/library/en-us/dllproc/dll_0f8z.asp?frame=true

But what if I want to call the function statically.
Posted on 2001-12-19 16:04:04 by DiaZ
Use GetProcAddress to get its location in memory, then push the parameters onto the stack (in right-to-left order), then do a CALL to the address returned by GetProcAddress.

When you say you want to call it "statically", i assume that you mean you want to hardcode the address of the exported function into your app, that is not a good idea. Dlls have a base address they get loaded at, but they can be loaded at a new address if something is already occupying that address space (although i don't know if this also applies to critical dlls like kernel32).
Posted on 2001-12-19 21:02:46 by sluggy
Maybe I have got the wrong end of the stick, and maybe what I am thinking about isn't possible, but I imagined using the inculdelib directive to statically link into my program a function from
some.dll via some.lib. i.e. "includelib some.lib" Or can't you do this ??

I realize you need to have the approprate .lib file for the .dll file, but in the case of kernel32.dll for example this is no problem.
Posted on 2001-12-20 09:04:43 by DiaZ
I see what you mean. If the dll has been statically linked, use GetModuleHandle to get the handle to the dll before calling GetProcAddress. Check out the doco for GetModuleHandle here.
Posted on 2001-12-20 14:53:51 by sluggy
Ok, makes sence.

But the contrast still seems wrong. If the dll/lib has been statically linked then to call a function that has a name you simply call its name to use it. But if it hasn't got a name you have to go through GetModuleHandle and then GetProcAddress. This just seems wrong if there no easier way to call a function that only has an ordinal number. Not that GetModuleHandle - GetProcAddress is hard, but you must admit its more code than a simple call, and it also seems needless, couldn't a statically linked function with no name be called by "call ordinal_xxx". It seems to me that the .inc files are missing this ?? surely the ordinals exist in the .lib files
Posted on 2001-12-20 15:12:08 by DiaZ
Posted on 2001-12-20 15:24:29 by bitRAKE
Once again maybe I have got it all wrong. I have downloaded the zip file you mentioned, and I can kind of make it work. I can get a .def file that contains even none named functions, but how do I get an .inc file, or don't I need it ???
Posted on 2001-12-21 19:11:31 by DiaZ
DiaZ,

Some months ago i coded a program that uses GetProcAddress function to use functions of Kernel32.dll. Have a look at it.
Posted on 2001-12-22 15:43:33 by CodeLover
i am sorry, i did not tell you the password is mvrysqpye

:stupid:
Posted on 2001-12-22 16:27:39 by CodeLover
DiaZ, use the DEF file to create a LIB and then use the names provided in the DEF file (ex. KERNEL32_ORD_0058) to call the function in your programs, then just linking in the LIB file is enough. Google to learn more about DEF files - maybe over at M$?
It creates DEF file which can be used by LIB.exe (resp. LINK -LIB) for generating MS LIB file. Note that names are undecorated: no ExitProcess@4 but ExitProcess. DEF file also contains unnamed exports (functions exported by ordinal number only) - they have name: PEfile_ORD_XXXX, example: SHELL32_ORD_0200.
Creating DEF file:
iDEF C:\WINNT\SYSTEM32\NTOSKRNL.EXE
Creating LIB file:
LINK -LIB -MACHINE:IX86 -DEF:NTOSKRNL.DEF
Posted on 2001-12-22 21:12:52 by bitRAKE
Hey CodeLover,

are you sure that you aren't trying to sell someone else's code as yours? i had a look at "your" residentkeys program, it's nearly a complete copy of my program!

i mean, thanks for this:
"Thanks to Iczelion, nokturnal and nop-erator, both
gave me the source code from where i took the ideas to program this. "

....but it should be "...where i took the whole source to program this.", don't you think so, too?

-nop
Posted on 2001-12-26 05:23:03 by NOP-erator
NOP-erator,

nun sei doch nicht so streng! Es ist immerhin Weihnachten, Fest der Vergebung.
Posted on 2001-12-26 07:14:47 by japheth
Still haven't had a chance to try BitRakes suggestion, it's Christmas and I have much drinking to do and much merryment to make. However it does sound like the answer. I will do a bit of reseach into def files when I get a chance to.

Thanks for the help, and I will report back when I have given it a go.
Posted on 2001-12-26 07:48:01 by DiaZ
No, NOP-erator.

I can tell you that i your code helped too much, but i didn't copy it. I studied it for several days and then i started making my own code. Of course that your code gave me great ideas and i can say it was very helpful to know which functions to invoke and the right moment to do it. But i changed some things, like making it a dialog, making it to save what you type on a .dll file, fixing a bug that your program have (when you press ctrl-alt-del it stops receiving keyboard messages).

I must say that i didn't copy it, your code was helpful but i created my own program. Again, i tell you thanks a lot for your help. Anyway, i coded this program some months ago, so go to the thread Memory residence. I posted it on November 13, what means that i worked with it for some weeks and I coded it by myself. And don't react like that, because i have also seen other keylogger source code and i can tell you that all of them look pretty similar, cos these are short programs, where you use more API functions than assembly mnemonics. Again, i tell you i coded it by myself, fresh of your code, but i started from zero and i can say i coded it.
Posted on 2001-12-26 11:12:35 by CodeLover
no problem CodeLover. it doesn't matter anymore, let us be friends. :grin:

nop
Posted on 2001-12-26 12:17:00 by NOP-erator
I am happy you didn't want to continue this stupid discussion. As you said, let's be friends. ;)
Posted on 2001-12-26 15:20:35 by CodeLover