flat assembler
Message board for the users of flat assembler.

Index > Windows > Windows 7 PE

Author
Thread Post new topic Reply to topic
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
Anyone know what Windows 7/WOW64 demands of a PE for it to be accepted as valid? I have been trying to make a PE manually, and at one time I had an exe that run in XP, but I have never been able to produce a W7 working one. It just considers it a 16-bit app and refuses to run it. I have run some PE info applications, but they are usually not much help.

Is there some way to get hold of what headers FASM generates?

Code:
format binary as 'exe'
use16

alignment       equ     1

DOS_HEADER:
 .magic         db 'MZ'
                rb 58
 .lfanew        dd NT_HEADERS

                mov     ax,$4C01
                int     $21
use32

NT_HEADERS:
 .sig           dd 'PE'
FILE_HEADER:
 .machine       dw $014C
 .sections      dw 1
 .timedate      dd 0
 .psymtable     dd 0
 .symbols       dd 0
 .opthdrsize    dw opthdrsize
 .characterstcs dw $010e

OPTIONAL_HEADER32:
 .magic         dw 0x10B
 .majlinkvers   db 0
 .minlinkvers   db 0
 .codesize      dd 0
 .initdatasz    dd 0
 .uninitdatasz  dd 0
 .entrypoint    dd start
 .codebase      dd 0
 .database      dd 0
 .imagebase     dd 0x400000
 .sectalign     dd 1
 .filealign     dd 1
 .majosver      dw 0
 .minosver      dw 0
 .majimgver     dw 0
 .minimgver     dw 0
 .majsubsysver  dw 4
 .minsubsysver  dw 0
 .win32ver      dd 0
 .imagesize     dd filesize
 .headersize    dd hdrsize
 .checksum      dd 0
 .subsystem     dw 2            ;GUI
 .dllchars      dw 0
 .stackreserve  dd $100000
 .stackcommit   dd $1000
 .heapreserve   dd $100000
 .heapcommit    dd 0
 .loaderflags   dd 0
 .rvacount      dd 2

DATA_DIRECTORY:
 .edata         dd 0
 .edatasize     dd 0
 .idata         dd idata
 .idatasize     dd idatasize
                ;rq 14

opthdrsize      = $-OPTIONAL_HEADER32

SECTION_HEADER:
 .name          db 'blutsaft'
 .virtualsize   dd codesize
 .virtualaddr   dd start   ;0?
 .rawdatasize   dd codesize
 .rawdataptr    dd start
 .relocptr      dd 0
 .linenumbptr   dd 0
 .relocations   dw 0
 .linenumbers   dw 0
 .characterstcs dd 0

hdrsize         = $

idata:
 .originalfthk  dd 0; ilt
 .timedate      dd 0
 .forwarder     dd 0
 .name          dd kernel32
 .firstthunk    dd iat

                rb 20

idatasize       = $ - idata

iat:
                dd sleep
                dd 0
;ilt:
;                dd sleep
;                dd 0
kernel32:
                db 'kernel32.dll',0
sleep:          dw 0
                db 'Sleep',0
align alignment
start:
                push    $1000
                call    dword [iat]
                ret

codesize        = $-start
filesize        = $
    


And no, this one doesn't work in either Windows :P

_________________
This is a block of text that can be added to posts you make.
Post 06 Jun 2010, 23:02
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
ass0



Joined: 31 Dec 2008
Posts: 521
Location: ( . Y . )
ass0
Try peview or something like that, so you'll know how a valid pe is done. =D
Code:
;wtf??
use16
;did you mean:
use64;???    

_________________
Image
Nombre: Aquiles Castro.
Location2: about:robots
Post 07 Jun 2010, 01:33
View user's profile Send private message Reply with quote
DOS386



Joined: 08 Dec 2006
Posts: 1901
DOS386
ass0 wrote:
Code:
;wtf??
use16
;did you mean:
use64;???    


NO he didn't Sad Sad Sad

> PE for it to be accepted as valid?

Please try my PE's Smile

http://board.flatassembler.net/topic.php?t=10873 AttribJunk
http://board.flatassembler.net/topic.php?t=10872 CommandLineBlah
Post 07 Jun 2010, 06:06
View user's profile Send private message Reply with quote
edemko



Joined: 18 Jul 2009
Posts: 549
edemko
Post 07 Jun 2010, 11:50
View user's profile Send private message Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler


I have gone through that document (and others). At least I get another error message now (not a valid win32 application).

Code:
format binary as 'exe'
use16

alignment       equ     512

DOS_HEADER:
 .magic         db 'MZ'
                rb 58
 .lfanew        dd NT_HEADERS

                mov     ax,$4c01
                int     $21
use32
align 8

NT_HEADERS:
 .sig           dd 'PE'

FILE_HEADER:
 .machine       dw $014c
 .sections      dw 2
 .timedate      dd 0
 .psymtable     dd 0
 .symbols       dd 0
 .opthdrsize    dw opthdrsize
 .characterstcs dw $010e

OPTIONAL_HEADER32:
 .magic         dw $10b
 .majlinkvers   db 0
 .minlinkvers   db 0
 .codesize      dd 0
 .initdatasz    dd 0
 .uninitdatasz  dd 4
 .entrypoint    dd start
 .codebase      dd 0
 .database      dd 0
 .imagebase     dd $400000
 .sectalign     dd 1
 .filealign     dd 1
 .majosver      dw 0
 .minosver      dw 0
 .majimgver     dw 0
 .minimgver     dw 0
 .majsubsysver  dw 4
 .minsubsysver  dw 0
 .win32ver      dd 0
 .imagesize     dd filesize
 .headersize    dd hdrsize
 .checksum      dd 0
 .subsystem     dw 2            ;GUI
 .dllchars      dw 0
 .stackreserve  dd $100000
 .stackcommit   dd $1000
 .heapreserve   dd $100000
 .heapcommit    dd 0
 .loaderflags   dd 0
 .rvacount      dd 2

DATA_DIRECTORY:
 .edata         dd 0
 .edatasize     dd 0
 .idata         dd idata
 .idatasize     dd idatasize

                rd 2

opthdrsize      = $-OPTIONAL_HEADER32

SECTION_HEADER:
 .name          db 'blutsaft'
 .virtualsize   dd codesize
 .virtualaddr   dd start
 .rawdatasize   dd codesize
 .rawdataptr    dd start
 .relocptr      dd 0
 .linenumbptr   dd 0
 .relocations   dw 0
 .linenumbers   dw 0
 .characterstcs dd $00000020+$20000000+$40000000

 .name2         db 'brudrost'
 .virtualsize2  dd 4;datasize
 .virtualaddr2  dd sdata
 .rawdatasize2  dd 0;datasize
 .rawdataptr2   dd 0;sdata
 .relocptr2     dd 0
 .linenumbptr2  dd 0
 .relocations2  dw 0
 .linenumbers2  dw 0
 .characterstc2 dd $00000080+$40000000+$80000000

hdrsize         = $

idata:
 .originalfthk  dd ilt
 .timedate      dd 0
 .forwarder     dd 0
 .name          dd kernel32
 .firstthunk    dd iat

                rb 20

idatasize       = $ - idata

iat:
                dd sleep
                dd 0
ilt:
                dd sleep
                dd 0
kernel32:
                db 'kernel32.dll',0
sleep:          dw 0
                db 'Sleep',0
align           2

align           alignment
start:
                push    $1000
                call    dword [iat]
                ret

codesize        = $-start
align           alignment
sdata:
                rd 1
datasize        = $-sdata

filesize        = $
    


Time for another approach. Taking the most minimal valid program from fasm as a starting point (1k):

Code:
format pe
entry start

section ".text" executable readable writeable
start:
        ret

section ".bss" readable writeable
        rd 1      


With some help from good old Olly (513b):

Code:
format binary as 'exe'
use32

db "MZ"               ; DOS_Signature[2] = "MZ"
dw $80                    ; DOS_PartPag = 128.
dw $1                     ; DOS_PageCnt = 1
dw $0                     ; DOS_ReloCnt = 0
dw $4                     ; DOS_HdrSize = 4
dw $10                    ; DOS_MinMem = 16.
dw $0FFFF                 ; DOS_MaxMem = 65535.
dw $0                     ; DOS_RelSS = 0
dw $140                   ; DOS_ExeSP = 140
dw $0                     ; DOS_ChkSum = 0
dw $0                     ; DOS_ExeIP = 0
dw $0                     ; DOS_RelCS = 0
dw $40                    ; DOS_RelocOffset = 40
dw $0                     ; DOS_Overlay = 0
dw $0                     ; DOS_Reserved1[4] = 00000000
dw $0
dw $0
dw $0
dw $0                     ; DOS_OEM_ID = 0
dw $0                     ; DOS_OEM_Info = 0
dw $0                     ; DOS_Reserved2[10.] = 00000000
dw $0
dw $0
dw $0
dw $0
dw $0
dw $0
dw $0
dw $0
dw $0
dw $80                    ; DOS_PEOffset = 80
db $00
db $00
db $0E
db $1F
db $BA
db $0E
db $00
db $B4
db $09                    ; TAB
db $CD
db $21                    ; CHAR '!'
db $B8
db $01
db $4C                    ; CHAR 'L'
db $CD
db $21                    ; CHAR '!'
db $54                    ; CHAR 'T'
db $68                    ; CHAR 'h'
db $69                    ; CHAR 'i'
db $73                    ; CHAR 's'
db $20                    ; CHAR ' '
db $70                    ; CHAR 'p'
db $72                    ; CHAR 'r'
db $6F                    ; CHAR 'o'
db $67                    ; CHAR 'g'
db $72                    ; CHAR 'r'
db $61                    ; CHAR 'a'
db $6D                    ; CHAR 'm'
db $20                    ; CHAR ' '
db $63                    ; CHAR 'c'
db $61                    ; CHAR 'a'
db $6E                    ; CHAR 'n'
db $6E                    ; CHAR 'n'
db $6F                    ; CHAR 'o'
db $74                    ; CHAR 't'
db $20                    ; CHAR ' '
db $62                    ; CHAR 'b'
db $65                    ; CHAR 'e'
db $20                    ; CHAR ' '
db $72                    ; CHAR 'r'
db $75                    ; CHAR 'u'
db $6E                    ; CHAR 'n'
db $20                    ; CHAR ' '
db $69                    ; CHAR 'i'
db $6E                    ; CHAR 'n'
db $20                    ; CHAR ' '
db $44                    ; CHAR 'D'
db $4F                    ; CHAR 'O'
db $53                    ; CHAR 'S'
db $20                    ; CHAR ' '
db $6D                    ; CHAR 'm'
db $6F                    ; CHAR 'o'
db $64                    ; CHAR 'd'
db $65                    ; CHAR 'e'
db $2E                    ; CHAR '.'
db $0D                    ; Carriage Return
db $0A                    ; Line Feed
db $24                    ; CHAR '$'
db $00
db $00
db $00
db $00
db $00
db $00
db $00
db $00
db "PE",0,0           ; IMAGE_NT_SIGNATURE[4] = "PE  "
dw $14C                   ; Machine = IMAGE_FILE_MACHINE_I386
dw $2                     ; NumberOfSections = 2
dd $4C0ED946              ; TimeDateStamp = 4C0ED946
dd $00000000              ; PointerToSymbolTable = 0
dd $00000000              ; NumberOfSymbols = 0
dw $0E0                   ; SizeOfOptionalHeader = 224.
dw $10E                   ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED
dw $10B                   ; MagicNumber = IMAGE_NT_OPTIONAL_HDR32_MAGIC
db $01                    ; MajorLinkerVersion = 1
db $44                    ; MinorLinkerVersion = 68.
dd $00000000              ; SizeOfCode = 0
dd $00000000              ; SizeOfInitializedData = 0
dd $00000000              ; SizeOfUninitializedData = 0
dd $00001000              ; AddressOfEntryPoint = 1000
dd $00000000              ; BaseOfCode = 0
dd $00000000              ; BaseOfData = 0
dd $00400000              ; ImageBase = 400000
dd $00001000              ; SectionAlignment = 1000
dd $00000200              ; FileAlignment = 200
dw $1                     ; MajorOSVersion = 1
dw $0                     ; MinorOSVersion = 0
dw $0                     ; MajorImageVersion = 0
dw $0                     ; MinorImageVersion = 0
dw $3                     ; MajorSubsystemVersion = 3
dw $0A                    ; MinorSubsystemVersion = 10.
dd $00000000              ; Win32VersionValue = 0
dd $00003000              ; SizeOfImage = 12288.
dd $00000200              ; SizeOfHeaders = 512.
dd $00003A8F              ; CheckSum = 3A8F
dw $3                     ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_CUI
dw $0                     ; DLLCharacteristics = 0
dd $00001000              ; SizeOfStackReserve = 4096.
dd $00001000              ; SizeOfStackCommit = 4096.
dd $00010000              ; SizeOfHeapReserve = 65536.
dd $00000000              ; SizeOfHeapCommit = 0
dd $00000000              ; LoaderFlags = 0
dd $00000010              ; NumberOfRvaAndSizes = 16.
dd $00000000              ; Export Table address = 0
dd $00000000              ; Export Table size = 0
dd $00000000              ; Import Table address = 0
dd $00000000              ; Import Table size = 0
dd $00000000              ; Resource Table address = 0
dd $00000000              ; Resource Table size = 0
dd $00000000              ; Exception Table address = 0
dd $00000000              ; Exception Table size = 0
dd $00000000              ; Certificate File pointer = 0
dd $00000000              ; Certificate Table size = 0
dd $00000000              ; Relocation Table address = 0
dd $00000000              ; Relocation Table size = 0
dd $00000000              ; Debug Data address = 0
dd $00000000              ; Debug Data size = 0
dd $00000000              ; Architecture Data address = 0
dd $00000000              ; Architecture Data size = 0
dd $00000000              ; Global Ptr address = 0
dd $00000000              ; Reserved = 00000000
dd $00000000              ; TLS Table address = 0
dd $00000000              ; TLS Table size = 0
dd $00000000              ; Load Config Table address = 0
dd $00000000              ; Load Config Table size = 0
dd $00000000              ; Bound Import Table address = 0
dd $00000000              ; Bound Import Table size = 0
dd $00000000              ; Import Address Table address = 0
dd $00000000              ; Import Address Table size = 0
dd $00000000              ; Delay Import Descriptor address = 0
dd $00000000              ; Delay Import Descriptor size = 0
dd $00000000              ; COM+ Runtime Header address = 0
dd $00000000              ; Import Address Table size = 0
dd $00000000              ; Reserved = 00000000
dd $00000000              ; Reserved = 00000000
db ".text",0,0,0      ; Name[8] = ".text   "
dd $00000001              ; VirtualSize = 1
dd $00001000              ; VirtualAddress = 1000
dd $00000200              ; SizeOfRawData = 512.
dd $00000200              ; PointerToRawData = 200
dd $00000000              ; PointerToRelocations = 0
dd $00000000              ; PointerToLineNumbers = 0
dw $0                     ; NumberOfRelocations = 0
dw $0                     ; NumberOfLineNumbers = 0
dd $E0000000              ; Characteristics = EXECUTE|READ|WRITE
db ".bss",0,0,0,0     ; Name[8] = ".bss    "
dd $00000004              ; VirtualSize = 4
dd $00002000              ; VirtualAddress = 2000
dd $00000000              ; SizeOfRawData = 0
dd $00000000              ; PointerToRawData = 0
dd $00000000              ; PointerToRelocations = 0
dd $00000000              ; PointerToLineNumbers = 0
dw $0                     ; NumberOfRelocations = 0
dw $0                     ; NumberOfLineNumbers = 0
dd $C0000080              ; Characteristics = UNINITIALIZED_DATA|READ|WRITE

align 512
ret
    

_________________
This is a block of text that can be added to posts you make.
Post 09 Jun 2010, 00:27
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
W7 seems to be picky about a few things:

* DOS header, needs aligned mzstart padded with zeroes
* Alignment, haven't got any filealign below 512 to work
* import section needs to be in a.. section.

A working hello world with idata in code section (675b):

Code:
format binary as 'exe'
use16

sectionalign            equ 4096
filealign               equ 512
imgbase                 equ $400000

macro orgup n,level
{
   org (((n+(level-1))/level)*level)
}

db "MZ"                   ; DOS_Signature[2] = "MZ"
dw peof                   ; DOS_PartPag = 128.
dw $1                     ; DOS_PageCnt = 1
dw $0                     ; DOS_ReloCnt = 0
dw $4                     ; DOS_HdrSize = 4
dw $10                    ; DOS_MinMem = 16.
dw $0FFFF                 ; DOS_MaxMem = 65535.
dw $0                     ; DOS_RelSS = 0
dw $140                   ; DOS_ExeSP = 140
dw $0                     ; DOS_ChkSum = 0
dw $0                     ; DOS_ExeIP = 0
dw $0                     ; DOS_RelCS = 0
dw mzstart                ; DOS_RelocOffset = 40
rw 17
dw peof                   ; DOS_PEOffset = 80
db 0
db 0
mzstart:
                mov     ax,$4c01
                int     $21
align 4
peof:
db "PE",0,0               ; IMAGE_NT_SIGNATURE[4] = "PE  "
dw $14C                   ; Machine = IMAGE_FILE_MACHINE_I386
dw $2                     ; NumberOfSections = 2
dd $0                     ; TimeDateStamp = 4C0ED946
dd $00000000              ; PointerToSymbolTable = 0
dd $00000000              ; NumberOfSymbols = 0
dw optheadersize          ; SizeOfOptionalHeader = 224.
dw $10E                   ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED
optheader:
dw $10B                   ; MagicNumber = IMAGE_NT_OPTIONAL_HDR32_MAGIC
db $00                    ; MajorLinkerVersion = 1
db $00                    ; MinorLinkerVersion = 68.
dd bss-start              ; SizeOfCode = 0
dd $00000000              ; SizeOfInitializedData = 0
dd bsssize                ; SizeOfUninitializedData = 0
dd start                  ; AddressOfEntryPoint = 1000
dd $00000000              ; BaseOfCode = 0
dd $00000000              ; BaseOfData = 0
dd imgbase                ; ImageBase = 400000
dd sectionalign           ; SectionAlignment = 1000
dd filealign              ; FileAlignment = 200
dw $1                     ; MajorOSVersion = 1
dw $0                     ; MinorOSVersion = 0
dw $0                     ; MajorImageVersion = 0
dw $0                     ; MinorImageVersion = 0
dw $3                     ; MajorSubsystemVersion = 3
dw $0A                    ; MinorSubsystemVersion = 10.
dd $00000000              ; Win32VersionValue = 0
dd imagesize              ; SizeOfImage = 12288.
dd headersize             ; SizeOfHeaders = 512.
dd $0                     ; CheckSum = 3A8F
dw $3                     ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_CUI
dw $0                     ; DLLCharacteristics = 0
dd $00001000              ; SizeOfStackReserve = 4096.
dd $00001000              ; SizeOfStackCommit = 4096.
dd $00010000              ; SizeOfHeapReserve = 65536.
dd $00000000              ; SizeOfHeapCommit = 0
dd $00000000              ; LoaderFlags = 0
dd $00000002              ; NumberOfRvaAndSizes = 16.
dd $00000000              ; Export Table address = 0
dd $00000000              ; Export Table size = 0
dd idata                  ; Import Table address = 0
dd idatasize              ; Import Table size = 0
dd $00000000              ; Reserved = 00000000
dd $00000000              ; Reserved = 00000000

optheadersize             =$-optheader

db ".text",0,0,0          ; Name[8] = ".text   "
dd bss-start              ; VirtualSize = 1
dd start                  ; VirtualAddress = 1000
dd codesize               ; SizeOfRawData = 512.
dd rawstart               ; PointerToRawData = 200
dd $00000000              ; PointerToRelocations = 0
dd $00000000              ; PointerToLineNumbers = 0
dw $0                     ; NumberOfRelocations = 0
dw $0                     ; NumberOfLineNumbers = 0
dd $E0000000              ; Characteristics = EXECUTE|READ|WRITE
db ".bss",0,0,0,0         ; Name[8] = ".bss    "
dd bsssize                ; VirtualSize = 4
dd bss                    ; VirtualAddress = 2000
dd $00000000              ; SizeOfRawData = 0
dd $00000000              ; PointerToRawData = 0
dd $00000000              ; PointerToRelocations = 0
dd $00000000              ; PointerToLineNumbers = 0
dw $0                     ; NumberOfRelocations = 0
dw $0                     ; NumberOfLineNumbers = 0
dd $C0000080              ; Characteristics = UNINITIALIZED_DATA|READ|WRITE
headersize                = $

;org                     imgbase

use32

align           filealign
rawstart:
orgup           $,sectionalign
start:
                push    -11
                call    dword [imgbase+g]
                push    0
                push    bss+imgbase
                push    16
                push    hello+imgbase
                push    eax
                call    dword [imgbase+w]
                push    -1
                call    dword [imgbase+s]
                ret

iat:
s:              dd sleep
w:              dd writeconsole
g:              dd GetStdHandle
                dd 0

idata:

 .originalfthk  dd 0;ilt
 .timedate      dd 0
 .forwarder     dd 0
 .name          dd kernel32
 .firstthunk    dd iat

                rb 20

idatasize       = $ - idata

kernel32:
                db 'kernel32.dll',0
sleep:          dw 0
                db 'Sleep',0
align           2
writeconsole    dw 0
                db 'WriteConsoleA',0
align           2
GetStdHandle    dw 0
                db 'GetStdHandle',0


hello:          db 'Hello, PE World!'

codesize        =$-start
orgup           $,sectionalign

bss:
                rd 1

bsssize         =$-bss
imagesize       =$    

_________________
This is a block of text that can be added to posts you make.
Post 12 Jun 2010, 04:54
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
With my PE "framework":

Code:
                ;DEBUG   equ TRUE
                include 'pe.inc'
                headers CUISUBSYS,".text",".bss"  
;----
start:
                invoke  GetStdHandle,STD_OUTPUT_HANDLE
                invoke  WriteConsoleA,eax,hello,hello.size,0,0
                invoke  Sleep,-1

hello           string  "Hello, World!"
;----
import          kernel32,<Sleep,WriteConsoleA,GetStdHandle>
;----
bss:
 dummy          rd 1
;----
endpe:    


Uses the equates included with win32w.inc, and a few macro replacements for for example invoke.

Now to just figure out why Olly doesn't reconize my imports..

_________________
This is a block of text that can be added to posts you make.
Post 17 Sep 2010, 17:29
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
I'm going to investigate what PE format 9x needs to be happy.

First find: 98 does not seem to like NumberOfRvaAndSizes less than 16.

Edit: More accurately it needs all directories, probably ignores NumberOfRvaAndSizes.

Edit: 98 doesn't seem to like imports in code section, it truncated a function name for me: DispatchMessageA to Disp

Edit: It gets truncated at a $200 boundary
Post 17 Sep 2010, 23:56
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
MinhHung



Joined: 10 Sep 2010
Posts: 51
Location: Viet Nam
MinhHung
i'm need some example to understand Embarassed http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

where 'COFF Line Numbers, COFF Symbol Table, Auxiliary Symbol Records, COFF String Table, The Attribute Certificate Table,...'

thanks! Smile
Post 14 Dec 2010, 02:05
View user's profile Send private message Yahoo Messenger Reply with quote
MazeGen



Joined: 06 Oct 2003
Posts: 977
Location: Czechoslovakia
MazeGen
MinhHung, I used Microsoft tools to understand coff format: MASM to generate an example object file (you can use FASM as well), then dumpbin.exe (or link.exe /dump) to dump the structures.
Post 14 Dec 2010, 08:07
View user's profile Send private message Visit poster's website Reply with quote
MinhHung



Joined: 10 Sep 2010
Posts: 51
Location: Viet Nam
MinhHung
dumpbin.exe are good, but it not show Detail.

i want to view it like
mindcooler:
Quote:

W7 seems to be picky about a few things:

* DOS header, needs aligned mzstart padded with zeroes
* Alignment, haven't got any filealign below 512 to work
* import section needs to be in a.. section.

A working hello world with idata in code section (675b):


Code:

format binary as 'exe'
use16

sectionalign equ 4096
filealign equ 512
imgbase equ $400000

macro orgup n,level
{
org (((n+(level-1))/level)*level)
}

db "MZ" ; DOS_Signature[2] = "MZ"
dw peof ; DOS_PartPag = 128.
dw $1 ; DOS_PageCnt = 1
dw $0 ; DOS_ReloCnt = 0
dw $4 ; DOS_HdrSize = 4
dw $10 ; DOS_MinMem = 16.
dw $0FFFF ; DOS_MaxMem = 65535.
dw $0 ; DOS_RelSS = 0
dw $140 ; DOS_ExeSP = 140
dw $0 ; DOS_ChkSum = 0
dw $0 ; DOS_ExeIP = 0
dw $0 ; DOS_RelCS = 0
dw mzstart ; DOS_RelocOffset = 40
rw 17
dw peof ; DOS_PEOffset = 80
db 0
db 0
mzstart:
mov ax,$4c01
int $21
align 4
peof:
db "PE",0,0 ; IMAGE_NT_SIGNATURE[4] = "PE "
dw $14C ; Machine = IMAGE_FILE_MACHINE_I386
dw $2 ; NumberOfSections = 2
dd $0 ; TimeDateStamp = 4C0ED946
dd $00000000 ; PointerToSymbolTable = 0
dd $00000000 ; NumberOfSymbols = 0
dw optheadersize ; SizeOfOptionalHeader = 224.
dw $10E ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED
optheader:
dw $10B ; MagicNumber = IMAGE_NT_OPTIONAL_HDR32_MAGIC
db $00 ; MajorLinkerVersion = 1
db $00 ; MinorLinkerVersion = 68.
dd bss-start ; SizeOfCode = 0
dd $00000000 ; SizeOfInitializedData = 0
dd bsssize ; SizeOfUninitializedData = 0
dd start ; AddressOfEntryPoint = 1000
dd $00000000 ; BaseOfCode = 0
dd $00000000 ; BaseOfData = 0
dd imgbase ; ImageBase = 400000
dd sectionalign ; SectionAlignment = 1000
dd filealign ; FileAlignment = 200
dw $1 ; MajorOSVersion = 1
dw $0 ; MinorOSVersion = 0
dw $0 ; MajorImageVersion = 0
dw $0 ; MinorImageVersion = 0
dw $3 ; MajorSubsystemVersion = 3
dw $0A ; MinorSubsystemVersion = 10.
dd $00000000 ; Win32VersionValue = 0
dd imagesize ; SizeOfImage = 12288.
dd headersize ; SizeOfHeaders = 512.
dd $0 ; CheckSum = 3A8F
dw $3 ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_CUI
dw $0 ; DLLCharacteristics = 0
dd $00001000 ; SizeOfStackReserve = 4096.
dd $00001000 ; SizeOfStackCommit = 4096.
dd $00010000 ; SizeOfHeapReserve = 65536.
dd $00000000 ; SizeOfHeapCommit = 0
dd $00000000 ; LoaderFlags = 0
dd $00000002 ; NumberOfRvaAndSizes = 16.
dd $00000000 ; Export Table address = 0
dd $00000000 ; Export Table size = 0
dd idata ; Import Table address = 0
dd idatasize ; Import Table size = 0
dd $00000000 ; Reserved = 00000000
dd $00000000 ; Reserved = 00000000

optheadersize =$-optheader

db ".text",0,0,0 ; Name[8] = ".text "
dd bss-start ; VirtualSize = 1
dd start ; VirtualAddress = 1000
dd codesize ; SizeOfRawData = 512.
dd rawstart ; PointerToRawData = 200
dd $00000000 ; PointerToRelocations = 0
dd $00000000 ; PointerToLineNumbers = 0
dw $0 ; NumberOfRelocations = 0
dw $0 ; NumberOfLineNumbers = 0
dd $E0000000 ; Characteristics = EXECUTE|READ|WRITE
db ".bss",0,0,0,0 ; Name[8] = ".bss "
dd bsssize ; VirtualSize = 4
dd bss ; VirtualAddress = 2000
dd $00000000 ; SizeOfRawData = 0
dd $00000000 ; PointerToRawData = 0
dd $00000000 ; PointerToRelocations = 0
dd $00000000 ; PointerToLineNumbers = 0
dw $0 ; NumberOfRelocations = 0
dw $0 ; NumberOfLineNumbers = 0
dd $C0000080 ; Characteristics = UNINITIALIZED_DATA|READ|WRITE
headersize = $

;org imgbase

use32

align filealign
rawstart:
orgup $,sectionalign
start:
push -11
call dword [imgbase+g]
push 0
push bss+imgbase
push 16
push hello+imgbase
push eax
call dword [imgbase+w]
push -1
call dword [imgbase+s]
ret

iat:
s: dd sleep
w: dd writeconsole
g: dd GetStdHandle
dd 0

idata:

.originalfthk dd 0;ilt
.timedate dd 0
.forwarder dd 0
.name dd kernel32
.firstthunk dd iat

rb 20

idatasize = $ - idata

kernel32:
db 'kernel32.dll',0
sleep: dw 0
db 'Sleep',0
align 2
writeconsole dw 0
db 'WriteConsoleA',0
align 2
GetStdHandle dw 0
db 'GetStdHandle',0


hello: db 'Hello, PE World!'

codesize =$-start
orgup $,sectionalign

bss:
rd 1

bsssize =$-bss
imagesize =$





_________________
This is a block of text that can be added to posts you make.
Post 14 Dec 2010, 08:54
View user's profile Send private message Yahoo Messenger Reply with quote
MinhHung



Joined: 10 Sep 2010
Posts: 51
Location: Viet Nam
MinhHung
thanks EveryBody
Post 15 Dec 2010, 09:45
View user's profile Send private message Yahoo Messenger Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 2914
Location: [RSP+8*5]
bitRAKE
Code:
Offset(h) 00   02   04   06   08   0A   0C   0E
00000000  4D5A 0000 0000 0000 0000 0000 0000 0000
00000010  0000 0000 0000 0000 0000 0000 0000 0000
00000020  0000 0000 0000 0000 0000 0000 0000 0000
00000030  0000 0000 0000 0000 0000 0000 4000 0000    
My Win7 only bothers with DWORD at +3C.

It is possible to save space and use header for data:
Code:
format binary as 'exe'
use16 

sectionalign            equ 4096 
filealign               equ 512 
imgbase                 equ $400000 

macro orgup n,level 
{ 
   org (((n+(level-1))/level)*level) 
} 

db "MZ"                   ; DOS_Signature[2] = "MZ" 

rw 8+8+7

peof:
db "PE",0,0               ; IMAGE_NT_SIGNATURE[4] = "PE  " 
dw $14C                   ; Machine = IMAGE_FILE_MACHINE_I386 
dw $2                     ; NumberOfSections = 2 
dd $0                     ;*TimeDateStamp = 4C0ED946
dd $00000030              ; PointerToSymbolTable = 0

dd $00000000              ; NumberOfSymbols = 0
dw optheadersize          ; SizeOfOptionalHeader = 224. 
dw $10E                   ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED
optheader: 
dw $10B                   ; MagicNumber = IMAGE_NT_OPTIONAL_HDR32_MAGIC 
db $00                    ;*MajorLinkerVersion = 1
db $00                    ;*MinorLinkerVersion = 68.
dd bss-start              ; SizeOfCode = 0 

dd $00000000              ; SizeOfInitializedData = 0
dd bsssize                ; SizeOfUninitializedData = 0 
dd start                  ; AddressOfEntryPoint = 1000 
dd $00000000              ; BaseOfCode = 0 

dd $00000000              ; BaseOfData = 0
dd imgbase                ; ImageBase = 400000 
dd sectionalign           ; SectionAlignment = 1000 
dd filealign              ; FileAlignment = 200 

dw $1                     ; MajorOSVersion = 1
dw $0                     ; MinorOSVersion = 0 
dw $0                     ; MajorImageVersion = 0 
dw $0                     ; MinorImageVersion = 0 
dw $3                     ; MajorSubsystemVersion = 3 
dw $0A                    ; MinorSubsystemVersion = 10. 
dd $00000000              ; Win32VersionValue = 0 
dd imagesize              ; SizeOfImage = 12288. 
dd headersize             ; SizeOfHeaders = 512. 
dd $0                     ; CheckSum = 3A8F 
dw $3                     ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_CUI 
dw $0                     ; DLLCharacteristics = 0 
dd $00001000              ; SizeOfStackReserve = 4096. 
dd $00001000              ; SizeOfStackCommit = 4096. 
dd $00010000              ; SizeOfHeapReserve = 65536. 
dd $00000000              ; SizeOfHeapCommit = 0 
dd $00000000              ; LoaderFlags = 0 
dd $00000002              ; NumberOfRvaAndSizes = 16. 
dd $00000000              ; Export Table address = 0 
dd $00000000              ; Export Table size = 0 
dd idata                  ; Import Table address = 0 
dd idatasize              ; Import Table size = 0 
dd $00000000              ; Reserved = 00000000 
dd $00000000              ; Reserved = 00000000 

optheadersize             =$-optheader 

db ".text",0,0,0          ; Name[8] = ".text   " 
dd bss-start              ; VirtualSize = 1 
dd start                  ; VirtualAddress = 1000 
dd codesize               ; SizeOfRawData = 512. 
dd rawstart               ; PointerToRawData = 200 
dd $00000000              ; PointerToRelocations = 0 
dd $00000000              ; PointerToLineNumbers = 0 
dw $0                     ; NumberOfRelocations = 0 
dw $0                     ; NumberOfLineNumbers = 0 
dd $E0000000              ; Characteristics = EXECUTE|READ|WRITE 
db ".bss",0,0,0,0         ; Name[8] = ".bss    " 
dd bsssize                ; VirtualSize = 4 
dd bss                    ; VirtualAddress = 2000 
dd $00000000              ; SizeOfRawData = 0 
dd $00000000              ; PointerToRawData = 0 
dd $00000000              ; PointerToRelocations = 0 
dd $00000000              ; PointerToLineNumbers = 0 
dw $0                     ; NumberOfRelocations = 0 
dw $0                     ; NumberOfLineNumbers = 0 
dd $C0000080              ; Characteristics = UNINITIALIZED_DATA|READ|WRITE 
headersize                = $ 

;org                     imgbase 

use32 

align           filealign 
rawstart: 
orgup           $,sectionalign 
start: 
                push    -11 
                call    dword [imgbase+g] 
                push    0 
                push    bss+imgbase 
                push    16 
                push    hello+imgbase 
                push    eax 
                call    dword [imgbase+w] 
                push    -1 
                call    dword [imgbase+s] 
                ret 

iat: 
s:              dd sleep 
w:              dd writeconsole 
g:              dd GetStdHandle 
                dd 0 

idata: 

 .originalfthk  dd 0;ilt 
 .timedate      dd 0 
 .forwarder     dd 0 
 .name          dd kernel32 
 .firstthunk    dd iat 

                rb 20 

idatasize       = $ - idata 

kernel32: 
                db 'kernel32.dll',0 
sleep:          dw 0 
                db 'Sleep',0 
align           2 
writeconsole    dw 0 
                db 'WriteConsoleA',0 
align           2 
GetStdHandle    dw 0 
                db 'GetStdHandle',0 


hello:          db 'Hello, PE World!' 

codesize        =$-start 
orgup           $,sectionalign 

bss: 
                rd 1 

bsssize         =$-bss 
imagesize       =$    
...this is just one more step.
Works for 64-bit as well.
Post 16 Dec 2010, 02:44
View user's profile Send private message Visit poster's website Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
I don't think there's that there isn't enough space in the MZ header to bother storing data there, but there's about 200 bytes after the PE header that I'm probably going to use later.

_________________
This is a block of text that can be added to posts you make.
Post 16 Dec 2010, 02:56
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.