Section ".flat" in PE32 mode.

Index > Main > Section ".flat" in PE32 mode.

Author

Thread

Core i7

Joined: 14 Nov 2024
Posts: 133
Location: Socket on motherboard

Core i7 11 Jul 2025, 12:36

It may be a stupid question, but why does FASM add its section ".flat" to PE32 files?
The problem is that it has RWE attributes, so VirusTotal considers exe a Trojan. 12 averages react to a regular "HelloWorld.exe", and if I remove the execution attributes, then 9. Also, this section immediately becomes the first in the file, as a result of which the entry point shifts to the second section. VT does not like all this, which can be checked in the "PeStudio" program.

Can I somehow remove section ".flat", or is it critically important?
At the same time, PE64 files no longer have this section, and VT finds only 2 vulnerabilities, against 12 for PE32.

Code:

format   pe gui
include 'win32ax.inc'
;//----------
.code
start:   invoke  MessageBox,0,'VirusTotal',0,0
         invoke  ExitProcess,0
.end start

Description:	Only RW
Filesize:	27.14 KB
Viewed:	184 Time(s)

Description:	RWE attrib
Filesize:	27.59 KB
Viewed:	184 Time(s)

11 Jul 2025, 12:36

Mаt Quasar

Joined: 29 Jun 2025
Posts: 13

Mаt Quasar 11 Jul 2025, 13:42

Maybe should start defining our own section with its attribute, e.g.:

Code:

section '.code' code executable readable

.flat RWX if I understand correctly is to create 1KB single-section EXE.

11 Jul 2025, 13:42

Core i7

Joined: 14 Nov 2024
Posts: 133
Location: Socket on motherboard

Core i7 11 Jul 2025, 14:03

.code - is a macro from include "win32ax.inc", which itself adds the line you specified.
And in section ".flat" there are some GUIDs, and nothing else.

11 Jul 2025, 14:03

Mаt Quasar

Joined: 29 Jun 2025
Posts: 13

Mаt Quasar 11 Jul 2025, 14:21

Your example code in post #1 as I compiled, showed 1536-byte double sections (".text" and ".idata") PE32.

There is no ".flat".

11 Jul 2025, 14:21

macomics

Joined: 26 Jan 2021
Posts: 1179
Location: Russia

macomics 11 Jul 2025, 15:06

I don't have any .flat section.

Description:
Filesize:	107.78 KB
Viewed:	147 Time(s)

Description:
Filesize:	37.8 KB
Viewed:	147 Time(s)

Description:	But the result of checking on Microsoft Sysinternals virtual machine is surprising.
Filesize:	108.72 KB
Viewed:	147 Time(s)

11 Jul 2025, 15:06

macomics

Joined: 26 Jan 2021
Posts: 1179
Location: Russia

macomics 11 Jul 2025, 15:12

Here's what happens if you add a .data section

Code:

format   pe gui
include 'win32ax.inc'
;//----------
.data
  msg db 'VirusTotal',0
.code
start:   invoke  MessageBox,0,addr msg,0,0
         invoke  ExitProcess,0
.end start

Description:
Filesize:	123.79 KB
Viewed:	136 Time(s)

Last edited by macomics on 11 Jul 2025, 15:31; edited 2 times in total

11 Jul 2025, 15:12

Core i7

Joined: 14 Nov 2024
Posts: 133
Location: Socket on motherboard

Core i7 11 Jul 2025, 15:15

It's strange... where did this section come from then? Shocked

Description:
Filesize:	13.18 KB
Viewed:	138 Time(s)

Description:
Filesize:	11.67 KB
Viewed:	138 Time(s)

11 Jul 2025, 15:15

macomics

Joined: 26 Jan 2021
Posts: 1179
Location: Russia

macomics 11 Jul 2025, 15:19

I'm using the latest version from May 22nd and the incllude files for it.

ADD: So I made a file with a .flat section

Code:

format   pe gui
flatData db 'flat'
include 'win32ax.inc'
;//----------
.code
start:   invoke  MessageBox,0,'VirusTotal',0,0
         invoke  ExitProcess,0
.end start

Description:
Filesize:	116.42 KB
Viewed:	117 Time(s)

Description:
Filesize:	44.94 KB
Viewed:	117 Time(s)

Description:		Download
Filename:	source_and_exe.zip
Filesize:	2.21 KB
Downloaded:	6 Time(s)

11 Jul 2025, 15:19

Core i7

Joined: 14 Nov 2024
Posts: 133
Location: Socket on motherboard

Core i7 11 Jul 2025, 16:35

macomics, Mаt Quasar, thank you.
I have many files in the "\equates" and "\api" folder that I added myself, apparently there is an error somewhere in them. Now I tried fasm "out of the box", and it also creates an exe without .flat-section.

11 Jul 2025, 16:35

Tomasz Grysztar

Joined: 16 Jun 2003
Posts: 8435
Location: Kraków, Poland

Tomasz Grysztar 12 Jul 2025, 10:04

'.flat' is the default section that is created when you generate any code or data without declaring a section first. Its presence suggests that some of the headers you added to your include set generate data, and because you include them before you declare a first section, they end up forcing the default one to be created.

On our Discord channel someone recently had a similar problem, in that case it was because of D3D11 headers. The file contained mixed definitions like:

Code:

;-----enum D3D11_CLEAR_FLAG----------
  D3D11_CLEAR_DEPTH     = 0x1
  D3D11_CLEAR_STENCIL   = 0x2
;-----------------------------------------------
D3D11_RECT  RECT
;-----struct D3D11_BOX----------
  struct D3D11_BOX
    left      dd ?
    top      dd ?
    front      dd ?
    right      dd ?
    bottom      dd ?
    back      dd ?
  ends

In this fragment "D3D11_RECT RECT" is defining actual data, and this meant that this header needed to be included in a data section. Another way to deal with it would be to use some of the data-gathering macro frameworks, but then the headers would also need to be modified.

12 Jul 2025, 10:04

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum