[nullptr]

The jumps are hard coded for 32 bit.
It would be better if the code took into account the different size of a pointer, that way compilation for 32bit and 64 bit should be able to use the same code.
e.g.
Instead of:

Code: Select all

extern "C" __declspec(naked) void __stdcall __E__0__()
{
	__asm
	{
		jmp p[0 * 4];
	}
}

You'd have:

Code: Select all

extern "C" __declspec(naked) void __stdcall __E__0__()
{
	__asm
	{
		jmp p[0 * sizeof(ULONG_PTR)];
	}
}

[evelyette]

Hi,

I've just discovered that the Visual Studio can't even compile 64-bit DLL if it has an naked attribute; apparently the DLL I've produced was 32-bit DLL; now the settings are right, since I've checked the Linker command-line options include /MACHINE:X64. I'm getting the following errors while compiling:

Severity Code Description Project File Line Suppression State
Error C2065 'jmp': undeclared identifier dnsapi C:\Users\windbg\Desktop\dnsapi\dnsapi\dnsapi.cpp 551
Error C2485 'naked': unrecognized extended attribute dnsapi C:\Users\windbg\Desktop\dnsapi\dnsapi\dnsapi.cpp 250

The following link: https://msdn.microsoft.com/en-us/library/h5w10wxs.aspx, says that naked attribute is not supported on X64:

For functions declared with the naked attribute, the compiler generates code without prolog and epilog code. You can use this feature to write your own prolog/epilog code sequences using inline assembler code. Naked functions are particularly useful in writing virtual device drivers. Note that the naked attribute is only valid on x86 and ARM, and is not available on x64.

What can I use to replace the naked attribute, I'm a little hesitant at actually providing and overwriting the parameters or every single dnsapi.dll functions, since that would be a lot of work and would also include the functions I'm not interested in; I'm only interested in the DNSQuery function for now (maybe later I'll add two or three more functions, but that's it).

Any ideas, how do you compile and use 64-bit proxy DLLs?

[Brock]

Unfortunately, Microsoft decided to remove the keywords __asm and naked in x64 and Itanium c/c++ compilers. The point of the naked keyword was to have the compiler omit a function prolog and epilog so you could build/write them yourself, which is perfect since you can write assembly from the top down and don't have to worry about the compiler working any magic behind the scenes (e.g: optimizations) and it allows the assembly coder to have more control. Your best bet would be to either write it all in 64-bit assembly (an array of x64 instructions inside a PAGE_EXECUTE_READWRITE block of memory) or possibly abuse some intrinsics such as _AddressOfReturnAddress located inside intrin.h. This might be easier than having to link in an external .asm file. You can read more about that here http://www.ntcore.com/files/vista_x64.htm It's actually what the author has done himself

P.S: When I need to write inline x64 asm I use a newer version of Delphi which allows for it (XE2+)

Example

function GetCurrentSessionId(): DWORD;
asm
{$IFDEF CPUX86}
xor eax, eax
mov eax, [fs: $18]
mov eax, [eax + $30]
mov eax, [eax + $1D4]
{$ELSE}
xor rax, rax
mov rax, gs:[rax + $30]
mov rax, [rax + $60]
mov rax, [rax + $2C0]
{$ENDIF}
end;

Kind of nice to still have this support :D Best of luck to you

[evelyette]

Thank you for this, I'll try to implement it as document at http://www.ntcore.com/files/vista_x64.htm and will report back.

[Microwave89]

As I also needed true inline assembly in a new project I used GCC for it. Before doing so I tried to sign up for the students Intel C++ compiler, since allegedly it is capable of x86-64 inine assembly too, but I did not receive any further answer after trying to make them add my university to their list of approved email domains so I could sign up in the first place.

I also attempted to abuse intrinsics for my task but I did not succeed.


Best regards,

Microwave89

[evelyette]

As I also needed true inline assembly in a new project I used GCC for it.

Hi, were you able to make everything work with GCC? Are you talking about Windows operation system? If so, can you describe the process, so others can benefit from it; I'm sure it's an interesting thing.

Best,

Dejan

[Microwave89]

I did not test it completely (with multiple hooks active) yet but syntax-wise it looks promising.
I will lose some words about it after the weekend since unfortunately I have to work for the university project now...
Or even better, I'll put it online then so you have everything you need such as different modules, headers, source files, and kind of makefiles.

GCC toolchain (actually G++ though I'm writing only plain C code) was installed on Windows 10 10586, 64-bits of course.

Best regards,

Microwave89

[evelyette]

I did not test it completely (with multiple hooks active) yet but syntax-wise it looks promising.
I will lose some words about it after the weekend since unfortunately I have to work for the university project now...
Or even better, I'll put it online then so you have everything you need such as different modules, headers, source files, and kind of makefiles.

GCC toolchain (actually G++ though I'm writing only plain C code) was installed on Windows 10 10586, 64-bits of course.

Hi,

Sounds great, looking forward to looking through the source;

Best