call a function through a pointer


zhaper

May 21, 2011, 2:31:35 PM5/21/11
to asmjit-dev
Hi,

the instruction with opcode FF 15 00 00 00 00, where 00 00 00 00 is the
address of a pointer to a function, e.g.:
call IAT_ExitProcess ; IAT_ExitProcess is a variable inside the PE's
Import Address Table

how do I assemble something like this if I know the address (00 00 00
00)?

Thank you!

Petr Kobalíček

May 21, 2011, 2:44:06 PM5/21/11
to asmji...@googlegroups.com
Hi Zhaper,

From my perspective, the PE import address table is some array (I
never worked with that, so sorry for a possible misunderstanding), so
you can use a call which reads the memory location, true?

For example imagine code like this:

struct A
{
void* pointerToFunctionA;
void* pointerToFunctionB;
// ... etc.
};

A a;

Then you can create a call something like that:

mov ecx, address of a
call [ecx + offset of the function]

if you know the address of a function at run-time (it's highly
probable that you know it) then you can simply do:

Assembler a;
a.call(imm(address));

or:

Compiler c;
c.call(imm(address));

// imm creates an immediate operand.

Is this what you talked about?

Best regards
Petr Kobalicek

zhaper

May 21, 2011, 2:50:57 PM5/21/11
to asmjit-dev
Hi,

thank you for the fast reply. The PE IAT was just an example to show
what I want to do. In reality I don't have to work with tables; let's
assume that I only know the address of a variable holding a pointer to
a function.

I'd like to call it without manually reading the contents of the
pointer (i.e. moving the pointer value to a register) and then doing
"call eax", for example. This instruction does exist because my C
compiler generates it, so I was wondering if you have plans to support
it. If not, I'll somehow add it to my local copy of AsmJit; shouldn't
be too hard.

Best regards,
Tomislav

Petr Kobalíček

May 21, 2011, 3:01:20 PM5/21/11
to asmji...@googlegroups.com
Hi,

in that case you can use the ptr(), for example:

Assembler a;
a.call(ptr(eax));

or

Assembler a;
a.call(ptr_abs((void*)(sysint_t)0x12345678));

if you know the address of the table / memory location where the
function pointer is stored. It matches the Intel syntax, for example:

call [eax]
call [0x12345678]

Best regards
Petr Kobalicek
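To make the difference between these call forms concrete, here is a small standalone x86-32 encoder (an added example, not AsmJit code and not from anyone in this thread) that produces the raw bytes behind `call eax`, `call [eax]`, `call [ecx + disp]`, `call [0x12345678]` (the FF 15 form from the first message, which is what `ptr_abs` encodes in 32-bit mode) and the direct `E8 rel32` call that `imm(address)` corresponds to. All function and type names are this example's own. The two encoding corner cases a hand-written encoder usually gets wrong are handled: `[esp]` needs a SIB byte, and `[ebp]` with no displacement must be written as disp8 = 0 because the mod=00/rm=101 slot is taken by the bare 32-bit absolute address.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// 32-bit x86 general-purpose register numbers as they appear in ModRM reg/rm fields.
enum Reg32 : uint8_t { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

struct CodeBuffer {
    std::vector<uint8_t> bytes;
    void emit8(uint8_t b) { bytes.push_back(b); }
    // Displacements and immediates are little-endian.
    void emit32(uint32_t v) { for (int i = 0; i < 4; ++i) emit8(uint8_t(v >> (8 * i))); }
};

// Every indirect CALL form is opcode FF with /2, i.e. ModRM.reg = 010b.
static const uint8_t OP_CALL_INDIRECT = 0xFF;
static const uint8_t EXT_CALL = 2;

static uint8_t modrm(uint8_t mod, uint8_t reg, uint8_t rm) {
    return uint8_t((mod << 6) | ((reg & 7) << 3) | (rm & 7));
}

// call eax  ->  FF D0   (mod = 11b: the operand is the register itself)
void call_reg(CodeBuffer& c, Reg32 r) {
    c.emit8(OP_CALL_INDIRECT);
    c.emit8(modrm(3, EXT_CALL, r));
}

// call [base + disp]  ->  FF /2 with mod 00b/01b/10b chosen by displacement size.
// [esp] requires a SIB byte (rm = 100b means "SIB follows"); [ebp] with no
// displacement must use disp8 = 0 because mod = 00b, rm = 101b is reserved for
// a bare disp32 (see call_mem_abs).
void call_mem(CodeBuffer& c, Reg32 base, int32_t disp = 0) {
    uint8_t mod;
    if (disp == 0 && base != EBP)         mod = 0;   // [base]
    else if (disp >= -128 && disp <= 127) mod = 1;   // [base + disp8]
    else                                  mod = 2;   // [base + disp32]
    c.emit8(OP_CALL_INDIRECT);
    c.emit8(modrm(mod, EXT_CALL, base));
    if (base == ESP) c.emit8(0x24);                  // SIB: scale 0, no index, base = esp
    if (mod == 1)      c.emit8(uint8_t(int8_t(disp)));
    else if (mod == 2) c.emit32(uint32_t(disp));
}

// call [0x12345678]  ->  FF 15 78 56 34 12
// The "call dword ptr [IAT entry]" form: in 32-bit mode mod = 00b, rm = 101b
// means "no base register, 32-bit absolute address follows".
void call_mem_abs(CodeBuffer& c, uint32_t address) {
    c.emit8(OP_CALL_INDIRECT);
    c.emit8(modrm(0, EXT_CALL, 5));
    c.emit32(address);
}

// call target  ->  E8 rel32. This is a direct call: the operand is relative to
// the end of the 5-byte instruction, so the encoder must know where the buffer
// will be loaded (code_base) before it can compute the displacement.
void call_rel(CodeBuffer& c, uint32_t code_base, uint32_t target) {
    uint32_t next_ip = code_base + uint32_t(c.bytes.size()) + 5;
    c.emit8(0xE8);
    c.emit32(target - next_ip);
}

// Render the buffer as "FF 15 78 56 34 12" for comparison against a disassembler.
std::string hex(const CodeBuffer& c) {
    std::string out;
    char tmp[4];
    for (size_t i = 0; i < c.bytes.size(); ++i) {
        std::snprintf(tmp, sizeof tmp, "%02X", c.bytes[i]);
        if (i) out += ' ';
        out += tmp;
    }
    return out;
}

int main() {
    CodeBuffer c;
    call_mem_abs(c, 0x12345678);   // the bytes the thread is asking for
    std::printf("call [0x12345678] -> %s\n", hex(c).c_str());
    return 0;
}
```

Feeding the output of each function to a disassembler is a quick way to check a JIT's emitter; the `E8` case also shows why a direct call, unlike the FF 15 form, cannot be encoded until the final code address is known.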

zhaper

May 21, 2011, 3:07:31 PM5/21/11
to asmjit-dev
Thanks!

a.call(ptr_abs((void*)(sysint_t)0x12345678));

that's what I was looking for!

Keep up the good work!

zhaper

May 21, 2011, 3:22:53 PM5/21/11
to asmjit-dev
One more thing if you have some time to help me.. I need to push/mov/
etc address of a label, is this doable? I've been trying quite a few
things, but don't seem to be able to find the right syntax and
couldn't find it in the documentation.

Thanks.

Petr Kobalíček

May 21, 2011, 5:11:16 PM5/21/11
to asmji...@googlegroups.com
This kind of operation is currently not available in AsmJit, but
the workaround is to use the lea instruction, for example:

Label L_1 = a.newLabel();
a.lea(eax, ptr(L_1));

This will load the address of L_1 into eax. I will add direct support
to the TODO list; it's usable.

It is also possible to embed the label address into the assembler
stream, for example:

a.embedLabel(L_1);

Hope that helps
Petr Kobalicek
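Both `lea eax, [L_1]` and `embedLabel(L_1)` need the label's absolute address, which is not known until the label is bound and the buffer's load address is fixed. The following mini assembler (an added example, not AsmJit's implementation; `MiniAsm`, `Fixup`, `relocate` and the other names are this example's own) shows the fixup mechanism that makes this work: each reference leaves a 4-byte placeholder, and `relocate(base)` patches every placeholder once the base address is chosen.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// A label is an index into the assembler's label table.
struct Label { size_t id; };

// A fixup records a 4-byte slot that must receive a label's absolute address
// once the label is bound and the load address of the code is known.
struct Fixup { size_t slot; size_t label; };

class MiniAsm {
public:
    Label newLabel() { labelOffset_.push_back(-1); return Label{labelOffset_.size() - 1}; }

    // Bind the label to the current position in the stream.
    void bind(Label l) { labelOffset_[l.id] = int64_t(code_.size()); }

    // lea eax, [disp32]  ->  8D 05 <addr>. In 32-bit mode mod = 00b, rm = 101b is a
    // bare 32-bit absolute address, so the label's address can be patched in later.
    void lea_eax_label(Label l) {
        code_.push_back(0x8D);
        code_.push_back(0x05);
        addFixup(l);
    }

    // Raw 4-byte label address in the stream (the "dd L_1" / embedLabel case).
    void embedLabel(Label l) { addFixup(l); }

    void nop() { code_.push_back(0x90); }

    // Resolve every fixup assuming the buffer will be placed at `base`.
    // Returns false if any referenced label was never bound.
    bool relocate(uint32_t base) {
        for (const Fixup& f : fixups_) {
            int64_t off = labelOffset_[f.label];
            if (off < 0) return false;
            uint32_t addr = base + uint32_t(off);
            for (int i = 0; i < 4; ++i) code_[f.slot + i] = uint8_t(addr >> (8 * i));
        }
        return true;
    }

    const std::vector<uint8_t>& code() const { return code_; }

private:
    void addFixup(Label l) {
        fixups_.push_back(Fixup{code_.size(), l.id});
        for (int i = 0; i < 4; ++i) code_.push_back(0);   // placeholder until relocate()
    }
    std::vector<uint8_t> code_;
    std::vector<int64_t> labelOffset_;   // -1 = not yet bound
    std::vector<Fixup> fixups_;
};

// Assemble the sequence discussed above and resolve it for a chosen base address.
// Returns the final bytes, or an empty vector if a label was left unbound.
std::vector<uint8_t> demo(uint32_t base) {
    MiniAsm a;
    Label L_1 = a.newLabel();
    a.lea_eax_label(L_1);   // offset 0: lea eax, [L_1]   (6 bytes)
    a.embedLabel(L_1);      // offset 6: dd L_1           (4 bytes)
    a.bind(L_1);            // L_1 = offset 10
    a.nop();                // something for L_1 to point at
    if (!a.relocate(base)) return {};
    return a.code();
}

int main() {
    for (uint8_t b : demo(0x00401000)) std::printf("%02X ", b);
    std::printf("\n");   // 8D 05 0A 10 40 00 0A 10 40 00 90
    return 0;
}
```

The same `8D 05` opcode bytes mean `lea eax, [rip+disp32]` in 64-bit mode, so a 32-bit absolute fixup like this one does not carry over to x64; there the displacement is relative to the next instruction and no base address is needed.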

zhaper

May 22, 2011, 1:23:22 AM5/22/11
to asmjit-dev
Ok, thank you, glad to know you'll be working on it - the lea
workaround is currently not an option in my project, so hopefully
you'll implement this feature into the library. I'll try the
embedLabel solution, but the real implementation would be much more
helpful.

P.S. I'm working on an x86/x64 code obfuscation tool that disassembles
existing code and assembles each instruction into many 'obfuscated'
series of instructions which as a whole give the same result as the
original instruction - your library is extremely helpful for this.

Best regards,
Tomislav