Accessing IMAGE_NT_HEADERS with POASM

[petrik]

I am trying to get the following proc (partly courtesy of Iczelion's tutorials) to assemble with poasm:

GetImportTable  PROC    USES ESI
    mov esi,NTHeaderOffset ;pointer to IMAGE_NT_HEADERS structure
    mov eax,[esi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress] ;(Import Symbols)
    mov ImportTableRVA,eax
    invoke RVAToOffset,eax
    add eax,pFileOffset
    mov ImportSection,eax
    ret
GetImportTable  ENDP

Poasm keeps throwing up 3 errors:    1. Expected ']'    2. Invalid use of 'VirtualAddress'    3. Invalid use of ']'
I have tried using:

assume esi: ptr IMAGE_NT_HEADERS
mov eax,[esi].OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress

but poasm throws up another error:    'Invalid use of assume'.
What am I doing wrong?
I would be most grateful for any help. Thank you.

[Vortex]

Hi petrik,

Poasm does not support the ASSUME statement.

Here is how I code :

Code Select Expand

mov     edx,IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress[1*8][esi] ; get the RVA of the import section
mov     impsec,edx
mov     edx,IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress[5*8][esi] ; get the RVA of the relocation section

Try this one :

Code Select Expand

mov     eax,IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress[SIZEOF IMAGE_DATA_DIRECTORY][esi] ;(Import Symbols)

[petrik]

Thank you Vortex for your advice.
I have tried the coding method as you have written but poasm still gives me the same 2 errors about expected ']' and invalid use of ']'; no VirtualAddress error though.
I have tried various further coding combinations without success.
mov edx,[esi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress] assembles ok.
mov edx,[esi].IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress assembles ok.
It would appear that poasm doesn't like the [5*8] or [1*8] or [sizeof IMAGE_DATA_DIRECTORY].
Any more thoughts?

[Vortex]

Hi petrik,

First of all, please accept my apologies. I posted a Masm code portion above. Here is the solution I propose :

Code Select Expand


; Code assembled with Pelles Macro Assembler, Version 6.00.4

.386
.model flat,stdcall
option casemap:none

include     AccessStruct.inc

ExitProcess PROTO :DWORD

includelib  \PellesC\lib\win\kernel32.lib

.data?

testStruct  IMAGE_NT_HEADERS <?>

.code

start:

    call    main

    invoke  ExitProcess,0

main PROC USES esi

    mov     esi,OFFSET testStruct

    mov     eax,[esi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress+SIZEOF IMAGE_DATA_DIRECTORY]

            ; = MOV EAX,DWORD PTR DS:[ESI+80] : Output of OllyDbg
    ret

main ENDP

END start


It looks like that Poasm cannot handle some structure notations like Masm. Would you please try the syntax above?

Once again, my apologies.

Vortex

[petrik]

Thank you Vortex.
With that simple change from ...VirtualAddress[5*8] to ...VirtualAddress+(5*8) poasm assembles ok.
With gratitude.  :bg

petrik

PS Absolutely no apologies necessary.