C++ SysCall asm unresolved externals

Question

I am trying to call NtReadVirtualMemory via a syscall in asm. I am doing this for a few different reasons but it is not to important. So I define the function like so in my main header file:

extern "C" NTSTATUS SysWPM(HANDLE ProcessHandle, PVOID BaseAddress,
PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);

The parameters I believe are correct

I then created an ASM file in the project. I only know enough about it to try and complete this task because it's a very small part of it. Supposedly you do not need to include this asm file anywhere so I left that. Here it is:

.code

SysWPM proc

    mov r10, rcx
    mov eac, 37h
    syscall
    ret

SysWPM endp

end

Now however when I compile, I get the unresolved external error. I believe this is because I need to define it within this ASM file but I am not sure how to go about doing it. What am I doing wrong/what should I do.

Thought it may be useful to mention I am on Windows 7 and the actual syscall index is 37 as shown in this table:

table

Here is the exact error for those asking:

1>Main.obj : error LNK2019: unresolved external symbol _SysWPM referenced in function _main
1>c:\users\Reece\documents\visual studio 2015\Projects\cs-ext\Debug\cs-ext.exe : fatal error LNK1120: 1 unresolved externals

Still getting the error with the commented solution:

_SysWPM@20 proc

    mov r10, rcx
    mov eax, 37h ;
    syscall
    ret

_SysWPM@20 endp

extern "C" NTSTATUS NTAPI SysWPM(HANDLE ProcessHandle, PVOID BaseAddress,
PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);

This isn't how you do it. You don't use the `syscall` instruction in your own code. You just use a regular `call` to a function exported by NtDll.dll. — Cody Gray - on strike, Jan 23 '17 at 20:06
Make sure you export it from your asm file (e.g. `PUBLIC SysWPM` or `SysWPM proc PUBLIC`), and that you use the proper naming convention. — Jester, Jan 23 '17 at 20:06
Thats exactly what I don't want to do. I am creating a program that uses no direct WINAPI calls or anything like that. If I wanted to get the function I'd have to use GetModuleHandle or i'd have to manually search for it which I do not want to do — Reece, Jan 23 '17 at 20:07
`eac` this is your unresolved external ? `mov eac, 37h` when need `mov eax, 37h`. however you sure 37h ? you need got index in runtime, but never hardcode — RbMm, Jan 23 '17 at 20:07
Uhm... no. Just link against the respective library, ntdll.lib and ntdllp.lib. Besides, the error message showed you the **exact** symbol the linker is looking for. Just rename your ASM procedure name. — IInspectable, Jan 23 '17 at 20:08
Can you explain what the point is in writing a *Windows application* that does not make calls to *Windows APIs*? — Cody Gray - on strike, Jan 23 '17 at 20:08
WINAPI functions hooked, want to work it so I don't use it and get logged — Reece, Jan 23 '17 at 20:09
Apart from exporting you might need to prefix the name with an underscore as in the error message, or possibly declare it as `proc C` — Jester, Jan 23 '17 at 20:13
@Reece - are you sure ? `symbol _SysWPM referenced in function _main` - this is x86 mangling for __cdecl — RbMm, Jan 23 '17 at 20:36
if you got `error LNK2001: unresolved external symbol _SysWPM` - 1) you compile and linking x86 code !!! 2) you declare `SysWPM` as `__cdecl` (default) when I say from begin - it must be `__stdcall` (`NTAPI`) - this I view even remote, when you can not view this local — RbMm, Jan 23 '17 at 20:53
If you are using VS, did you happen to add the MASM target to the project build dependencies so that it would assemble the ASM files? If you enable it after the fact you have to go back and mark your ASM file with an item type of "Microsoft Macro Assembler" rather than "Does not participate in build". If you create a new C++ app, MASM targets aren't enabled by default. They won't be assembled or linked. — Michael Petch, Jan 23 '17 at 23:30
If the above is possibly an issue, someone has some instructions on enabling what I was referring to at this link: https://translate.googleusercontent.com/translate_c?depth=1&hl=en&prev=search&rurl=translate.google.ca&sl=pt-BR&sp=nmt4&u=http://pt.stackoverflow.com/questions/157916/assembly-e-c-com-visual-studio-2015-e-masm-x86-64&usg=ALkJrhi0z3T8BjxwgOLDOEa7UX1qG9pxCQ — Michael Petch, Jan 23 '17 at 23:48

RbMm · Answer 1 · 2017-01-23T21:00:41.770

2

you need declare function in c/c++ as

extern "C" NTSTATUS NTAPI SysWPM(HANDLE ProcessHandle, PVOID BaseAddress,
PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);

this is __stdcall function

and in asm for x86 (ml /c /Cp code32.asm -> code32.obj)

.686p

.MODEL flat

_TEXT segment

_SysWPM@20 proc
...
ret 20
_SysWPM@20 endp
_TEXT ends
end

for asm x64 (ml64 /c /Cp code64.asm -> code64.obj)

_TEXT segment 
SysWPM proc

    ...
   ret
SysWPM endp


_TEXT ENDS

END

edited Jan 23 '17 at 21:00

answered Jan 23 '17 at 20:13

RbMm

31,280
3
35
56

It is either 37 or 55 I will test both. I declared it how you said and am still getting the error – Reece Jan 23 '17 at 20:15
@Reece what error ? please exactly - I can not view this remote – RbMm Jan 23 '17 at 20:17
Unresolved External. I don't even think the ASM file is being compiled into the program – Reece Jan 23 '17 at 20:18
@Reece `Unresolved External` - what is exactly name !?! are you understand that you need show this – RbMm Jan 23 '17 at 20:20
@Reece wait, sorry, you build x86 or x64 ? - you naming for x86 but code is x64 – RbMm Jan 23 '17 at 20:22
x86. unresolved external symbol _SysWPM@20 referenced in function _main – Reece Jan 23 '17 at 20:23
@Reece but your asm is *x64* ? you compile it at all ?? – RbMm Jan 23 '17 at 20:24
2

*r10* and *rcx* certainly aren't x86 registers. – IInspectable Jan 23 '17 at 20:26
Sorry building as x64, makes no difference either way – Reece Jan 23 '17 at 20:27
@Reece - I make update, I was initially confused by `symbol _SysWPM referenced in function _main` - this is x86 mangling for __cdecl – RbMm Jan 23 '17 at 20:35
Tried that solution along with any command line options and still it gives me the unresolved external error on the function def. Changed debug to release by accident. Any command line options you showed are not recognised – Reece Jan 23 '17 at 20:37
@Reece - again repeat and last time - if you say error - please say **EXACTLY - WHAT IS ERROR** – RbMm Jan 23 '17 at 20:38
1>Main.obj : error LNK2001: unresolved external symbol _SysWPM – Reece Jan 23 '17 at 20:39
That is the EXACT errror – Reece Jan 23 '17 at 20:39
@IInspectable - `r10 and rcx certainly aren't x86 registers` - yes of course, I not look at asm code good enough . but `symbol _SysWPM referenced in function _main` - this is certainly x86 mangling for *cdecl* by this I and initially confused – RbMm Jan 23 '17 at 20:41
@Reece `unresolved external symbol _SysWPM referenced in function _main` - this ? again ask - you compile for x86 target ? if you declare `SysWPM` as I say - it will be `_SysWPM@20` for x86 and `SysWPM` for x64. but look like you not change own code in c file and link to x86 target – RbMm Jan 23 '17 at 20:44
Well where should I go about it know – Reece Jan 23 '17 at 20:45
@Reece - fantastic ! who is compile and linking ? I or you ? you even don't know are you linking for x86 or x64 ? and again - you not add `NTAPI` (or `__stdcall`) to `c` file !! – RbMm Jan 23 '17 at 20:47
@Reece - if you got `error LNK2001: unresolved external symbol _SysWPM` - 1) you compile and linking x86 code !!! 2) you declare `SysWPM` as `__cdecl` (default) when I say from begin - it must be `__stdcall` (`NTAPI`) - this I view even remote, what you can not view local – RbMm Jan 23 '17 at 20:51
@Reece - what you did ? and what error *after* this ? if still `unresolved external symbol _SysWPM ` - you are **nothing did** – RbMm Jan 23 '17 at 20:53

C++ SysCall asm unresolved externals

1 Answers1