qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Windows CDecl or a StdCall. #141

Closed xwings closed 4 years ago

xwings commented 4 years ago

Thank you! Sorry to bother, I'm trying to implement some Windows hooks to run a sample, and, since I'm quite new to malware analysis in general, I don't know where to retrieve the information if a call is a CDecl or a StdCall. I searched in the Microsoft documentation, but I didn't find anything useful. Do you, by any chance, have a pointer?

Originally posted by @0ssigeno in https://github.com/qilingframework/qiling/pull/140#issuecomment-598757558

xwings commented 4 years ago

I moved it here. @Dliv3 is on his way.

Dliv3 commented 4 years ago

If you want to define a windows API with stdcall you can refer to https://github.com/qilingframework/qiling/blob/master/qiling/os/windows/dlls/user32.py#L43

If you want to define a windows API with cdecl you can refer to https://github.com/qilingframework/qiling/blob/master/qiling/os/windows/dlls/msvcrt.py#L300

In short, you just need to use the winapi decorator, then set the cc parameter to the function calling convention you want.

0ssigeno commented 4 years ago

Yes, I understood that, but thank you for the pointers. My question is: how can I determine when a Windows API must be implemented with stdcall and when with cdecl? Is it my choice, or are there some standards? Like "API X must be stdcall, API Y is cdecl" and so on?

xwings commented 4 years ago

Technically, for anything other than msvcrt.py, those APIs should be StdCall.

Dliv3 commented 4 years ago

You can refer to:
https://docs.microsoft.com/en-us/cpp/cpp/stdcall?view=vs-2019
https://docs.microsoft.com/en-us/cpp/cpp/cdecl?view=vs-2019

If you just want to know whether a Windows API is cdecl or stdcall, you can decompile the exe using IDA and find the function call; IDA will tell you the function calling convention.
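To make concrete what the `cc` choice controls, here is an added, self-contained Python model (not Qiling's own code; `Cpu32`, `call_hooked_api` and `caller_invoke` are hypothetical names) of the stack handling a hook must perform: under stdcall the hooked callee pops its arguments on return, under cdecl the caller does, and registering a hook with the wrong convention leaves ESP off by 4 bytes per argument, which is how the emulated program's stack gets corrupted.

```python
STDCALL, CDECL = "stdcall", "cdecl"


class Cpu32:
    """Minimal x86 register/stack model as an emulator hook sees it (constructed)."""

    def __init__(self):
        self.mem = {}
        self.esp = 0x7FFFF000
        self.eax = 0

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def read(self, addr):
        return self.mem[addr]


def call_hooked_api(cpu, handler, nargs, cc):
    """Emulate the hook's side of a call: read args, run the Python handler,
    then perform the callee's 'ret'. The caller has pushed args right-to-left
    and a return address, so arg i lives at [esp + 4 + 4*i].
    stdcall ends with 'ret imm16', popping the args as well (callee cleanup);
    cdecl ends with a plain 'ret' and leaves the args for the caller."""
    args = [cpu.read(cpu.esp + 4 + 4 * i) for i in range(nargs)]
    cpu.eax = handler(*args)
    cpu.esp += 4  # pop the return address
    if cc == STDCALL:
        cpu.esp += 4 * nargs  # callee pops its own arguments
    return cpu.eax


def caller_invoke(cpu, handler, args, cc_hook, cc_caller):
    """Emulated caller compiled for cc_caller invokes a hook registered as cc_hook.
    Returns the ESP imbalance in bytes after the call (0 means the conventions agree;
    +4*n means both sides popped, -4*n means nobody did)."""
    esp_before = cpu.esp
    for a in reversed(args):  # push arguments right-to-left
        cpu.push(a)
    cpu.push(0xDEADBEEF)  # constructed return address
    call_hooked_api(cpu, handler, len(args), cc_hook)
    if cc_caller == CDECL:
        cpu.esp += 4 * len(args)  # caller cleanup: add esp, 4*n
    return cpu.esp - esp_before
```

Run `caller_invoke` with matching and mismatched conventions to see the imbalance a wrong `cc` produces on a four-argument API such as a MessageBox-style call.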

0ssigeno commented 4 years ago

Thank you! This answers my question.