Question about the following

Question about the following, ver 0.2:

1) Source from packet32.c:

    OVERLAPPED Ovrlapped = {0, 0, 0, 0, 0 };
    hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if(hEvent == NULL) {
        CloseHandle(lpAdapter->hFile);
    } else {
        Ovrlapped.hEvent = hEvent;

2) Structure from modWINSOCK.bas (Created By: Kevin Wilson):

    Public Type OVERLAPPED
        Internal As Long     'ULONG_PTR
        InternalHigh As Long 'ULONG_PTR
        Offset As Long       'DWORD
        OffsetHigh As Long   'DWORD
        hEvent As Long       'HANDLE
    End Type

3) Listing from packet32.dll:

.108E: 53 push ebx
.108F: 53 push ebx
.1090: 6A01 push 001
.1092: 53 push ebx
.1093: 895C2424 mov [esp][00024],ebx
.1097: 895C2428 mov [esp][00028],ebx
.109B: 895C242C mov [esp][0002C],ebx
.109F: 895C2430 mov [esp][00030],ebx
.10A3: 895C2434 mov [esp][00034],ebx
.10A7: FF15C4400010 call CreateEventA ;KERNEL32.dll
.10AD: 3BC3 cmp eax,ebx
.10AF: 7515 jne .0100010C6 -------- (1)
.10B1: 8B0E mov ecx,[esi]
.10B3: 51 push ecx
.10B4: FF15D0400010 call CloseHandle ;KERNEL32.dll
.10BA: 8BC6 mov eax,esi
.10BC: 5F pop edi
.10BD: 5E pop esi
.10BE: 5D pop ebp
.10BF: 5B pop ebx
.10C0: 83C418 add esp,018 ;
.10C3: C20400 retn 00004 ;
.10C6: 89442424 mov [esp][00024],eax ???

if structure OVERLAPPED:

Internal - [esp][00024] it’s Ovrlapped.hEvent ?
InternalHigh - [esp][00028]
Offset - [esp][0002C]
OffsetHigh - [esp][00030]
hEvent - [esp][00034]

Why “mov [esp][00024],eax” if “Ovrlapped.hEvent = hEvent” ?

I don’t understand this, help me, please.

Andre

Because stacks expand down, not up.

----- Original Message -----
From: “Andre”
To: “NT Developers Interest List”
Sent: Thursday, August 01, 2002 12:53 PM
Subject: [ntdev] Question about the following

> Question about the following, ver 0.2:
>
> 1) Source from packet32.c :
>
> OVERLAPPED Ovrlapped = {0, 0, 0, 0, 0 };
> hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
> if(hEvent == NULL) {
> CloseHandle(lpAdapter->hFile);
> } else {
> Ovrlapped.hEvent = hEvent;
>
> 2) Structure from modWINSOCK.bas (Created By: Kevin Wilson):
>
> Public Type OVERLAPPED
> Internal As Long 'ULONG_PTR
> InternalHigh As Long 'ULONG_PTR
> Offset As Long 'DWORD
> OffsetHigh As Long 'DWORD
> hEvent As Long 'HANDLE
> End Type
>
>
> 3) Listing from packet32.dll :
>
> .108E: 53 push ebx
> .108F: 53 push ebx
> .1090: 6A01 push 001
> .1092: 53 push ebx
> .1093: 895C2424 mov [esp][00024],ebx
> .1097: 895C2428 mov [esp][00028],ebx
> .109B: 895C242C mov [esp][0002C],ebx
> .109F: 895C2430 mov [esp][00030],ebx
> .10A3: 895C2434 mov [esp][00034],ebx
> .10A7: FF15C4400010 call CreateEventA ;KERNEL32.dll
> .10AD: 3BC3 cmp eax,ebx
> .10AF: 7515 jne .0100010C6 -------- (1)
> .10B1: 8B0E mov ecx,[esi]
> .10B3: 51 push ecx
> .10B4: FF15D0400010 call CloseHandle ;KERNEL32.dll
> .10BA: 8BC6 mov eax,esi
> .10BC: 5F pop edi
> .10BD: 5E pop esi
> .10BE: 5D pop ebp
> .10BF: 5B pop ebx
> .10C0: 83C418 add esp,018 ;
> .10C3: C20400 retn 00004 ;
> .10C6: 89442424 mov [esp][00024],eax ???
>
> if structure OVERLAPPED:
>
> Internal - [esp][00024] it’s Ovrlapped.hEvent ?
> InternalHigh - [esp][00028]
> Offset - [esp][0002C]
> OffsetHigh - [esp][00030]
> hEvent - [esp][00034]
>
>
>
> Why “mov [esp][00024],eax” if “Ovrlapped.hEvent = hEvent” ?
>
> I don’t understand this, help me, please.
>
> Andre

Hi.

The esp is changed after the function call (the function is __stdcall). That’s
why [esp][00024] is hEvent.

vlad-ntdev
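As an added illustration, not part of the thread, here is a small C model of the mechanism vlad-ntdev describes: before the call the five stores zero the OVERLAPPED at [esp+0x24]..[esp+0x34]; the `__stdcall` callee's `ret 0x10` then pops the four pushed arguments, so after the call the slot the listing writes at [esp+0x24] is the one that was [esp+0x34] before it, i.e. Ovrlapped.hEvent. The stack array, its starting ESP and the return address value are constructed for the model; the offsets and push/pop counts are those of the listing.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit stack: one uint32_t per 4-byte slot, esp is a slot index.
 * push() lowers esp, exactly as x86 does: the stack expands down. */
#define STACK_WORDS 64
typedef struct { uint32_t w[STACK_WORDS]; int esp; } Stack;

static void push(Stack *s, uint32_t v) { s->w[--s->esp] = v; }

/* Byte offset of a field relative to ESP after a __stdcall callee returns,
 * given its offset before the call and the number of 4-byte arguments the
 * callee pops with "ret nargs*4". For hEvent: 0x34 - 4*4 = 0x24. */
static int stdcall_post_offset(int pre_call_off, int nargs) {
    return pre_call_off - 4 * nargs;
}

/* Replay the listing around the CreateEventA call. Returns the byte offset of
 * Ovrlapped.hEvent from the post-call ESP and copies what .10C6 stored there
 * into *hevent_out. eax_from_createevent stands in for the returned handle. */
static int simulate(uint32_t eax_from_createevent, uint32_t *hevent_out) {
    Stack s = { {0}, 32 };             /* starting ESP: arbitrary, constructed */
    /* .108E-.1092: push ebx, push ebx, push 1, push ebx  (ebx == 0) */
    push(&s, 0); push(&s, 0); push(&s, 1); push(&s, 0);
    /* .1093-.10A3: mov [esp][24..34],ebx zeroes the five OVERLAPPED fields.
       Before the call [esp+0x24] is Internal and [esp+0x34] is hEvent. */
    int base = s.esp + 0x24 / 4;
    for (int f = 0; f < 5; f++) s.w[base + f] = 0;
    int hevent_idx = base + 4;         /* 0x34 / 4 == 0x24 / 4 + 4 */
    /* .10A7: call pushes a return address; CreateEventA is __stdcall, so its
       "ret 0x10" pops the return address and the four argument slots. */
    push(&s, 0xDEADBEEF);              /* constructed return address */
    s.esp += 1 + 4;
    /* .10C6: mov [esp][00024],eax -- the slot the prologue zeroed at 0x34 */
    s.w[s.esp + 0x24 / 4] = eax_from_createevent;
    *hevent_out = s.w[hevent_idx];
    return (hevent_idx - s.esp) * 4;
}

/* Convenience: the value that ends up in Ovrlapped.hEvent after the store. */
static uint32_t simulated_hevent(uint32_t eax) {
    uint32_t h = 0;
    simulate(eax, &h);
    return h;
}

int main(void) {
    uint32_t h = 0;
    int off = simulate(0x1234u, &h);
    printf("hEvent sits at [esp+0x%x] after the call (0x%x before), holds 0x%x\n",
           off, stdcall_post_offset(off, -4), h);
    return 0;
}
```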
