

Mikl___ 24 Mar 2015, 07:53
Tiny PE in win64
Code:
format binary as "exe"
; Hand-built PE32+ image: DOS header, NT headers, one section-table entry, the entry
; code, two strings and the import table are all emitted by hand, giving a 345-byte
; file.  org 0 together with section/file alignment 10h means every label is both a
; file offset and an RVA.  The DOS header is cut down to 16 bytes, so the dword the
; loader reads as e_lfanew (file offset 3Ch) is .base_of_code in the optional header
; below, which is deliberately set to ntHeader (= 10h).
; Entry code follows the Microsoft x64 ABI (rcx, rdx, r8, r9; 32-byte shadow space;
; rsp 16-byte aligned at each call).

IMAGE_DOS_SIGNATURE             equ 5A4Dh       ; 'MZ'
IMAGE_NT_SIGNATURE              equ 00004550h   ; 'PE',0,0
PROCESSOR_AMD_X8664             equ 8664h       ; IMAGE_FILE_MACHINE_AMD64
IMAGE_SCN_CNT_CODE              equ 00000020h
IMAGE_SCN_MEM_READ              equ 40000000h   ; defined but not used below
IMAGE_SCN_MEM_WRITE             equ 80000000h
IMAGE_SCN_CNT_INITIALIZED_DATA  equ 00000040h   ; defined but not used below
IMAGE_SUBSYSTEM_WINDOWS_GUI     equ 2
IMAGE_NT_OPTIONAL_HDR64_MAGIC   equ 20Bh        ; PE32+ optional header
IMAGE_FILE_RELOCS_STRIPPED      equ 1
IMAGE_FILE_EXECUTABLE_IMAGE     equ 2
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h

include 'win64a.inc'            ; fasm Win64 macros; every symbol used in this listing is defined in the listing itself
org 0                           ; labels = file offsets = RVAs (see the alignment fields below)
use64

Signature:              dq IMAGE_DOS_SIGNATURE,0   ; 'MZ' + 14 zero bytes: the entire DOS header
ntHeader                dd IMAGE_NT_SIGNATURE;'PE'  ; file offset 10h
;image_header--------------------------
.Machine                dw PROCESSOR_AMD_X8664
.Count_of_section       dw 1;2                 ; a single section holds code, strings and the import table
.TimeStump              dd 0
.Symbol_table_offset    dd 0;ntHeader
.Symbol_table_count     dd 0
.Size_of_optional_header dw section_table-optional_header
.Characteristics        dw 0x20 or IMAGE_FILE_RELOCS_STRIPPED or IMAGE_FILE_EXECUTABLE_IMAGE
;20h Handle >2Gb addresses (IMAGE_FILE_LARGE_ADDRESS_AWARE); relocations stripped, so the image cannot be rebased
;-------------------------------------
optional_header:
.Magic_optional_header  dw IMAGE_NT_OPTIONAL_HDR64_MAGIC
.Linker_version_major_and_minor dw 9 
.Size_of_code           dd 0
.Size_of_init_data      dd 0xC0
.Size_of_uninit_data    dd 0
.entry_point            dd begin
.base_of_code           dd ntHeader             ; lands at file offset 3Ch = e_lfanew, so it must equal ntHeader's offset
.image_base             dq 0x140000000
.section_alignment      dd 0x10                 ; below the page size: the file is mapped as-is and file_alignment must match
.file_alignment         dd 0x10
.OS_version_major_minor dw 5,2
.image_version_major_minor dd 0
.subsystem_version_major_minor dw 5,2
.Win32_version          dd 0
.size_of_image          dd end_import           ; not rounded up to section_alignment; the loader evidently tolerates this
.size_of_header         dd begin
.checksum               dd 0
.subsystem              dw IMAGE_SUBSYSTEM_WINDOWS_GUI
.DLL_flag               dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE   ; neither DYNAMIC_BASE (40h) nor NX_COMPAT (100h) is set
.Stack_allocation       dq 0x100000
.Stack_commit           dq 0x1000
.Heap_allocation        dq 0x100000
.Heap_commit            dq 0x1000
.loader_flag            dd 0
.number_of_dirs         dd (section_table-export_RVA_size)/8   ; = 2: export (empty) and import; presumably nothing beyond these is looked at
export_RVA_size         dq 0
.import_RVA             dd import_
.import_size            dd end_import-import_
;------------------------------------------------
section_table:          dq '.text'
.virtual_size           dd 0x55                 ; NOTE(review): hard-coded and smaller than the raw size; end_import-begin would be the honest value
.virtual_address        dd begin
.Physical_size          dd end_import-begin
.Physical_offset        dd begin                ; org 0: same number as the RVA
.Relocations            dd 0
.Linenumbers            dd 0
.Relocations_and_Linenumbers_count dd 0
.Attributes              dd IMAGE_SCN_MEM_WRITE or IMAGE_SCN_CNT_CODE;0x80000020  ; code flagged writable; the IAT below shares this section
;-------------------------------------------------
; Entry point: MessageBoxA(NULL, MsgBoxText, MsgCaption, 0), then return to the
; loader's thread-start routine (which presumably ends the process).
; On entry rsp = 8 (mod 16) because a return address has just been pushed.
begin:
    sub rsp, 28h        ; space for 4 arguments + 16byte aligned stack
    xor r9d, r9d        ; 4. argument: r9d = uType = 0
    lea r8, [MsgCaption]; 3. argument: r8  = caption (RIP-relative, so valid at image_base 140000000h without relocations)
    lea rdx,[MsgBoxText]; 2. argument: edx = window text
    xor ecx, ecx        ; 1. argument: rcx = hWnd = NULL
    call [MessageBox]   ; through the IAT slot the loader has patched
    add rsp, 28h
    ret
;------------------------------------------------
MsgCaption db "Iczelion's tutorial #2", 0
MsgBoxText db "Win64 Assembly is Great!",0
;------------------------------------------------
; Import table in minimal form.  OriginalFirstThunk is 0, so the loader reads the
; names from the IAT itself and overwrites MessageBox with the resolved address; the
; IAT terminator is the first two zero dwords of import_.
Import_Table:
user32_table:
MessageBox  dq _MessageBox                        ; RVA of the hint/name entry below
import_:
dd 0,0,0,user32_dll,user32_table                  ; IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
dd 0                                              ; first dword of the terminating descriptor; the rest overlaps the strings below
user32_dll    db "user32",0,0                     ; no ".dll": the loader supplies the default extension
dw 0                                              ; with the two zero bytes of _MessageBox this makes the terminator's Name field read as 0
_MessageBox     db 0,0,"MessageBoxA"              ; hint = 0, name; NOTE(review): no 0 terminator in the file — relies on the zero fill past the file end
end_import:    
Size is 345 bytes


Description:
Download
Filename: msgbox_64.zip
Filesize: 1.65 KB
Downloaded: 1123 Time(s)



Last edited by Mikl___ on 25 Mar 2015, 06:02; edited 1 time in total
randall 24 Mar 2015, 08:01
Cool! Thanks for sharing.
Mikl___ 24 Mar 2015, 08:08
randall,
link to the original text in russian is http://www.cyberforum.ru/post6303336.html
Mikl___ 03 Apr 2015, 06:48
I want to create a simple window with a menu. The app compiles and runs, but I do not see anything on the screen. Please tell me what my mistake is.
Code:
format PE64 GUI 5.0
entry WinMain
include 'win64a.inc'
; Menu command ids: they are the menuitem ids in .rsrc and, for TEST/OPEN/SAVE, also
; the indices into menu_handlers, so those three must stay 0,1,2.
ZZZ_TEST equ 0
ZZZ_OPEN equ 1
ZZZ_SAVE equ 2
ZZZ_EXIT equ 3

; Strings, the WNDCLASSEX struct, the handler table and the code all sit in one section
; that is readable, writeable and executable at the same time.
section '.text' code readable writeable executable
  _title TCHAR 'Iczelion Tutorial #8',0 ;name of our window
  _class TCHAR 'FASMWIN64',0;name of class
  ; WNDCLASSEX in field order: cbSize, style=0, lpfnWndProc=WindowProc, cbClsExtra=0, cbWndExtra=0,
  ; hInstance=400000h (hard-coded image base), hIcon=0, hCursor=10005h (a raw handle value rather than a
  ; LoadCursor result — TODO confirm it is valid on the target system), hbrBackground=COLOR_WINDOW
  ; (NOTE(review): the documented form is COLOR_WINDOW+1), lpszMenuName=NULL, lpszClassName=_class, hIconSm=NULL
  wc WNDCLASSEX sizeof.WNDCLASSEX,0,WindowProc,0,0,400000h,0,10005h,COLOR_WINDOW,NULL,_class,NULL

     menu_name  db      'ZZZ_Menu',0            ; caption of the message boxes shown by WindowProc
test_msg        db      'You select menu item TEST',0
open_msg        db      'You select menu item OPEN',0
save_msg        db      'You select menu item SAVE',0
menu_handlers dq test_msg, open_msg, save_msg   ; indexed by command id ZZZ_TEST..ZZZ_SAVE; there is no entry for ZZZ_EXIT

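; Entry point: registers the window class, loads the menu resource, creates the main
; window and then pumps messages forever (the process ends via ExitProcess in WindowProc).
; Register roles: rax = LoadMenu result only until it is saved; rdi = &msg (callee-saved,
; so it survives the API calls in the loop).
proc WinMain
local msg:MSG
local hMenu:QWORD                 ; LoadMenu result, kept out of rax (see below)
          ; +------------------------------+
          ; | registering the window class |
          ; +------------------------------+
          invoke    RegisterClassEx,wc
          invoke    LoadMenu,400000h,30          ; hInstance = hard-coded image base, 30 = menu resource id (see .rsrc)
          mov       [hMenu],rax                  ; the win64 invoke macro loads stack arguments through rax, so a
                                                 ; handle left in rax is clobbered before CreateWindowEx sees it
          ; +--------------------------+
          ; | creating the main window |
          ; +--------------------------+
          invoke    CreateWindowEx,\
                         0,\
                         _class,\
                         _title,\
                         WS_OVERLAPPEDWINDOW or WS_VISIBLE,\
                         CW_USEDEFAULT,\
                         CW_USEDEFAULT,\
                         CW_USEDEFAULT,\
                         CW_USEDEFAULT,\
                         NULL,\
                         [hMenu],\
                         400000h,\
                         NULL
          lea rdi,[msg]
          ; +---------------------------+
          ; | entering the message loop |
          ; +---------------------------+
          window_message_loop_start:
               invoke    GetMessage,rdi,NULL,0,0       ; return value is not checked: WM_QUIT/-1 do not end this loop
               invoke    DispatchMessage,rdi
                         jmp  window_message_loop_start
endp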



          ; +----------------------+
          ; | the window procedure |
          ; +----------------------+
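          ; LRESULT WindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
          ; In:  rcx = hWnd, rdx = uMsg, r8 = wParam, r9 = lParam (Microsoft x64).
          ; Out: rax = 0 for the messages handled here; anything else is tail-called into DefWindowProc.
          ; The proc macro emits push rbp / mov rbp,rsp, so rsp is 16-aligned at the calls below.
          proc WindowProc,hWnd,uMsg,wParam,lParam
               cmp  rdx,WM_COMMAND
               je   wmCOMMAND
               cmp  rdx,WM_DESTROY
               je   wmDESTROY
wmDEFAULT:     leave                          ; drop our frame; rcx/rdx/r8/r9 are still the original arguments
               jmp [DefWindowProc]
wmDESTROY:     invoke    ExitProcess,0        ; does not return
wmCOMMAND:     movzx eax,r8w                  ; command id = LOWORD(wParam); HIWORD carries the notification code
               cmp  rax,ZZZ_EXIT
               je   wmDESTROY
               ja   wmDEFAULT                 ; not one of our ids: forward it (also keeps the table index below in bounds)
show_msg:      sub rsp,20h                    ; shadow space for MessageBox
               mov r9,MB_OK
               mov rdx,[menu_handlers+rax*8]  ; rax is 0..2 here: TEST / OPEN / SAVE text
               lea r8,[menu_name]
               call [MessageBox]
               add rsp,20h
               xor eax,eax                    ; handled: return 0 instead of MessageBox's button code
wmBYE:         ret                            ; inside proc, ret expands to the epilogue
          endp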

section '.idata' import data readable writeable
     ; Import directory: the ANSI ('A') entry points are named explicitly.
     library   KERNEL32, 'KERNEL32.DLL',\
               USER32,   'USER32.DLL'

     import    KERNEL32,\
               ExitProcess,        'ExitProcess'

     import    USER32,\
               RegisterClassEx,    'RegisterClassExA',\
               CreateWindowEx,     'CreateWindowExA',\
               DefWindowProc,      'DefWindowProcA',\
               LoadMenu,           'LoadMenuA',\
               GetMessage,         'GetMessageA',\
               MessageBox,         'MessageBoxA',\
               DispatchMessage,    'DispatchMessageA'

section '.rsrc' resource data readable
     ; One menu resource, id 30 — the id WinMain passes to LoadMenu.
     directory RT_MENU,appMenu

     resource  appMenu,\
               30,LANG_ENGLISH,menuMain

     ; "File" popup; the item ids are the ZZZ_* values WindowProc receives in wParam.
     menu menuMain
          menuitem '&File',0,MFR_POPUP
          menuitem '&Test',ZZZ_TEST,MFT_STRING
          menuitem '&Open',ZZZ_OPEN,MFT_STRING
          menuitem '&Save',ZZZ_SAVE,MFT_STRING
          menuseparator
          menuitem '&Exit',ZZZ_EXIT,MFR_END

          menuitem '&Exit',ZZZ_EXIT,MFR_END    
l_inc 03 Apr 2015, 21:21
Mikl___
The 64-bit invoke macro has an unfortunate implementation that reuses the rax register to push arguments onto the stack:
Quote:
Code:
          invoke    CreateWindowEx,\ 
                         0,\ 
                         _class,\ 
                         _title,\ 
                         WS_OVERLAPPEDWINDOW or WS_VISIBLE,\ 
                         CW_USEDEFAULT,\ 
                         CW_USEDEFAULT,\ 
                         CW_USEDEFAULT,\ 
                         CW_USEDEFAULT,\ 
                         NULL,\ 
                         rax,\                                      ;<-- the problem is here
                         400000h,\ 
                         NULL    


By the way, instead of explicitly hard-coding the image base you'd better do something like IMAGE_BASE = $-rva $ at the beginning and then use IMAGE_BASE wherever you have 400000h.

_________________
Faith is a superposition of knowledge and fallacy
Fixit 04 Apr 2015, 09:46
I would be impressed to see a demonstrably useful faster 64-bit program compared to a 32-bit one.
revolution 04 Apr 2015, 10:18
Fixit: Perhaps you are misinformed about the purpose of 64-bit. It was never really to make things "faster". The main purpose was to allow use of larger data sets more easily. Even though that is the main reason we can still find some things can be faster in 64-bit and others can be faster in 32-bit. It all depends upon what is being done by the program.
HaHaAnonymous 04 Apr 2015, 16:10
Quote:

I would be impressed to see a demonstratably useful faster 64 bit program compared to a 32 bit one.

The performance difference is negligible if you consider only this benefit: Many more registers to play with (twice as many). D:

There are more benefits, of course. But that alone is enough.

Many people may think: "Encryption software benefits from 64 bits". Well, it does, but not in performance, as far as I can see:
AESCrypt:
Code:
AESCrypt 32 = 7.893s
AESCrypt 64 = 11.603s
    


Perhaps if I had run the 32-bit version on a native 32-bit OS it would have performed worse, but that's what we have for now. D:

And here is an example where 64 bit is faster than 32:
Ordinary Memory Copy:
Code:
MemCopy 64 = 5.098s
MemCopy 32 = 5.190s
    


You see, it depends how you use it.

The examples above were generated by an ignorant source (me). Treat them seriously at your own risk!

I apologize for any inconveniences I may have caused.


Last edited by HaHaAnonymous on 06 Apr 2015, 02:44; edited 3 times in total
Mikl___ 06 Apr 2015, 02:36
Thank you, l_inc! Image
Code:
format PE64 GUI 5.0
entry WinMain 
include 'win64a.inc' 
; Menu command ids: they are the menuitem ids in .rsrc and, for TEST/OPEN/SAVE, also
; the indices into menu_handlers, so those three must stay 0,1,2.
ZZZ_TEST equ 0 
ZZZ_OPEN equ 1 
ZZZ_SAVE equ 2 
ZZZ_EXIT equ 3 

; Strings, the WNDCLASSEX struct, the handler table and the code all sit in one section
; that is readable, writeable and executable at the same time.
section '.text' code readable writeable executable 
  _title TCHAR 'Iczelion Tutorial #8',0 ;name of our window 
  _class TCHAR 'FASMWIN64',0;name of class 
  ; WNDCLASSEX in field order: cbSize, style=0, lpfnWndProc=WindowProc, cbClsExtra=0, cbWndExtra=0,
  ; hInstance=IMAGE_BASE (defined inside WinMain as $-rva $; fasm resolves the forward reference),
  ; hIcon=0, hCursor=10005h (a raw handle value rather than a LoadCursor result — TODO confirm it is
  ; valid on the target system), hbrBackground=COLOR_WINDOW (NOTE(review): the documented form is
  ; COLOR_WINDOW+1), lpszMenuName=NULL, lpszClassName=_class, hIconSm=NULL
  wc WNDCLASSEX sizeof.WNDCLASSEX,0,WindowProc,0,0,IMAGE_BASE,0,10005h,COLOR_WINDOW,NULL,_class,NULL

     menu_name  db      'ZZZ_Menu',0            ; caption of the message boxes shown by WindowProc
test_msg        db      'You select menu item TEST',0 
open_msg        db      'You select menu item OPEN',0 
save_msg        db      'You select menu item SAVE',0 
menu_handlers dq test_msg, open_msg, save_msg   ; indexed by command id ZZZ_TEST..ZZZ_SAVE; there is no entry for ZZZ_EXIT

; Entry point, written without the invoke macro so that rax (the LoadMenu result) is
; under explicit control.  Register roles for the whole procedure:
;   rbx = 0, callee-saved, so it survives every API call (WindowProc also reads it as
;         MB_OK — a cross-procedure invariant, TODO confirm that is intended)
;   rdi = &msg, callee-saved
;   rax = HMENU from LoadMenu until it is stored at [rsp+48h]
; The proc prologue (push rbp / mov rbp,rsp / sub rsp,locals) leaves rsp 16-aligned and
; 20h/40h are multiples of 16, so every call below is aligned.
; The 32-bit lea/mov forms assume the image is loaded at its link-time base and that
; the stack lies below 4 GB — TODO confirm on the target system.
proc WinMain 
IMAGE_BASE = $-rva $               ; image base as chosen by the format (VA minus RVA); also used by wc above
local msg:MSG 
          ; +------------------------------+ 
          ; | registering the window class | 
          ; +------------------------------+
          sub rsp,20h              ; shadow space for the four register arguments
          xor ebx,ebx
          lea ecx,[wc]             ; 32-bit address of the class struct
          call [RegisterClassEx]   ; result not checked
          mov edx,30               ; menu resource id (see .rsrc)
          mov ecx,IMAGE_BASE       ; hInstance
          call [LoadMenu]          ; rax = HMENU, consumed at [rsp+48h] below
          ; +--------------------------+ 
          ; | creating the main window | 
          ; +--------------------------+
          sub rsp,40h              ; room for the 8 stack arguments: [rsp+20h]..[rsp+58h]
          xor ecx,ecx              ; dwExStyle
          lea edx,[_class]         ; lpClassName
          lea r8,[_title]          ; lpWindowName
          mov r9d,WS_OVERLAPPEDWINDOW or WS_VISIBLE   ; dwStyle
          mov [rsp+58h],rbx        ; lpParam = NULL
          mov qword [rsp+50h],IMAGE_BASE   ; hInstance
          mov [rsp+48h],rax        ; hMenu — rax untouched since LoadMenu
          mov [rsp+40h],rbx        ; hWndParent = NULL
          mov eax,CW_USEDEFAULT    ; zero-extended; x/y/nWidth/nHeight are 32-bit ints
          mov [rsp+38h],rax        ; nHeight
          mov [rsp+30h],rax        ; nWidth
          mov [rsp+28h],rax        ; y
          mov [rsp+20h],rax        ; x
          call [CreateWindowEx]    ; HWND result is neither checked nor kept
          add rsp,40h
          lea edi,[msg]            ; 32-bit address of the stack local (see note above)
          ; +---------------------------+ 
          ; | entering the message loop | 
          ; +---------------------------+ 
window_message_loop_start:
          mov ecx,edi              ; lpMsg
          xor edx,edx              ; hWnd = NULL
          mov r8,rbx               ; wMsgFilterMin = 0
          mov r9,rbx               ; wMsgFilterMax = 0
          call [GetMessage]        ; return value ignored: WM_QUIT/-1 are not checked, the loop only ends via ExitProcess in WindowProc
          mov ecx,edi
          call [DispatchMessage]
          jmp  window_message_loop_start
endp 
          ; +----------------------+ 
          ; | the window procedure | 
          ; +----------------------+ 
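          ; LRESULT WindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
          ; In:  rcx = hWnd, rdx = uMsg, r8 = wParam, r9 = lParam (Microsoft x64).
          ; Out: rax = 0 for the messages handled here; anything else is tail-called into DefWindowProc.
          ; The proc macro emits push rbp / mov rbp,rsp, so rsp is 16-aligned at the calls below.
          proc WindowProc,hWnd,uMsg,wParam,lParam 
               cmp  edx,WM_COMMAND
               je   wmCOMMAND 
               cmp  edx,WM_DESTROY
               je   wmDESTROY 
wmDEFAULT:     leave                          ; drop our frame; rcx/rdx/r8/r9 are still the original arguments
               jmp [DefWindowProc] 
wmDESTROY:     xor ecx,ecx                    ; ExitProcess(0) — does not return
               call [ExitProcess]
wmCOMMAND:     movzx eax,r8w                  ; command id = LOWORD(wParam); HIWORD carries the notification code
               cmp  rax,ZZZ_EXIT 
               je   wmDESTROY 
               ja   wmDEFAULT                 ; not one of our ids: forward it (also keeps the table index below in bounds)
show_msg:      sub rsp,20h                    ; shadow space for MessageBox
               xor r9d,r9d                    ; uType = MB_OK (0), stated explicitly instead of relying on rbx being zero
               mov rdx,[menu_handlers+rax*8]  ; rax is 0..2 here: TEST / OPEN / SAVE text
               lea r8,[menu_name] 
               call [MessageBox] 
               add rsp,20h 
               xor eax,eax                    ; handled: return 0 instead of MessageBox's button code
wmBYE:         ret                            ; inside proc, ret expands to the epilogue
          endp 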

section '.idata' import data readable writeable 
     library   KERNEL32, 'KERNEL32.DLL',\ 
               USER32,   'USER32.DLL' 

     import    KERNEL32,\ 
               ExitProcess,        'ExitProcess' 

     import    USER32,\ 
               RegisterClassEx,    'RegisterClassExA',\ 
               CreateWindowEx,     'CreateWindowExA',\ 
               DefWindowProc,      'DefWindowProcA',\ 
               LoadMenu,           'LoadMenuA',\ 
               GetMessage,         'GetMessageA',\ 
               MessageBox,         'MessageBoxA',\ 
               DispatchMessage,    'DispatchMessageA' 

section '.rsrc' resource data readable 
     directory RT_MENU,appMenu 

     resource  appMenu,\ 
               30,LANG_ENGLISH,menuMain 

     menu menuMain 
          menuitem '&File',0,MFR_POPUP 
          menuitem '&Test',ZZZ_TEST,MFT_STRING 
          menuitem '&Open',ZZZ_OPEN,MFT_STRING 
          menuitem '&Save',ZZZ_SAVE,MFT_STRING 
          menuseparator 
          menuitem '&Exit',ZZZ_EXIT,MFR_END 

          menuitem '&Exit',ZZZ_EXIT,MFR_END    
Fixit 10 Apr 2015, 04:26
Interesting.

.01 seconds faster for the memory copy does not look like much of a speed increase.
Mikl___ 11 Jun 2015, 01:28
a working PE64 with import, size of exe-file is 268 bytes
Code:
format binary as 'exe'
; Hand-built PE32+ image with NO section table: NumberOfSections is 0, the optional
; header runs right up to EntryPoint, and the file (padded to 268 bytes) is mapped as
; one piece.  org 0 plus alignment 4 makes every label a file offset and an RVA.  The
; DOS header is only 4 bytes, so the dword the loader reads as e_lfanew (file offset
; 3Ch) is .section_alignment below — deliberately 4, the offset of ntHeader.
; NOTE(review): a later reply reports this build no longer shows its message box on a
; current Windows 10 while the one-section 345-byte variant does; the zero-section /
; alignment-4 layout is the obvious suspect, but that is not confirmed here.
; ABI: Microsoft x64 (rcx, rdx, r8, r9; 32-byte shadow space; rsp 16-aligned at call).

IMAGE_DOS_SIGNATURE             equ 5A4Dh       ; 'MZ'
IMAGE_NT_SIGNATURE              equ 00004550h   ; 'PE',0,0
PROCESSOR_AMD_X8664             equ 8664h       ; IMAGE_FILE_MACHINE_AMD64
IMAGE_SCN_CNT_CODE              equ 00000020h   ; defined but not used below (no section table)
IMAGE_SCN_MEM_READ              equ 40000000h   ; defined but not used below
IMAGE_SCN_MEM_WRITE             equ 80000000h   ; defined but not used below
IMAGE_SCN_CNT_INITIALIZED_DATA  equ 00000040h   ; defined but not used below
IMAGE_SUBSYSTEM_WINDOWS_GUI     equ 2
IMAGE_NT_OPTIONAL_HDR64_MAGIC   equ 20Bh        ; PE32+ optional header
IMAGE_FILE_RELOCS_STRIPPED      equ 1
IMAGE_FILE_EXECUTABLE_IMAGE     equ 2
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h

include 'win64a.inc'            ; fasm Win64 macros; every symbol used in this listing is defined in the listing itself
org 0                           ; labels = file offsets = RVAs
use64
IMAGE_BASE = 400000h            ; link-time base; the entry code forms a 32-bit absolute address from it, so the image must never be rebased
Signature:              dw IMAGE_DOS_SIGNATURE,0   ; 'MZ',0,0 — the entire DOS header
ntHeader                dd IMAGE_NT_SIGNATURE;'PE'  ; file offset 4
;image_header--------------------------
.Machine                dw PROCESSOR_AMD_X8664
.Count_of_section       dw 0;2                 ; no sections at all
.TimeStump              dd 0
.Symbol_table_offset    dd 0;ntHeader
.Symbol_table_count     dd 0
.Size_of_optional_header dw EntryPoint-optional_header   ; the optional header extends up to the entry point
.Characteristics        dw 0x20 or IMAGE_FILE_RELOCS_STRIPPED or IMAGE_FILE_EXECUTABLE_IMAGE
;20h Handle >2Gb addresses (IMAGE_FILE_LARGE_ADDRESS_AWARE)
;-------------------------------------
optional_header:
.Magic_optional_header  dw IMAGE_NT_OPTIONAL_HDR64_MAGIC
.Linker_version_major_and_minor dw 9 
.Size_of_code           dd 0
.Size_of_init_data      dd 0;xC0
.Size_of_uninit_data    dd 0
.entry_point            dd EntryPoint
.base_of_code           dd ntHeader
.image_base             dq IMAGE_BASE
.section_alignment      dd 4                    ; doubles as e_lfanew (file offset 3Ch): must stay equal to ntHeader's offset
.file_alignment         dd 4                    ; must equal section_alignment when it is below the page size
.OS_version_major_minor dw 5,2
.image_version_major_minor dd 0
.subsystem_version_major_minor dw 5,2
.Win32_version          dd 0
.size_of_image          dd EndOfImage           ; 268 — a multiple of section_alignment thanks to the padding at the end
.size_of_header         dd EntryPoint
.checksum               dd 0
.subsystem              dw IMAGE_SUBSYSTEM_WINDOWS_GUI
.DLL_flag               dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE   ; neither DYNAMIC_BASE (40h) nor NX_COMPAT (100h) is set
.Stack_allocation       dq 0x100000
.Stack_commit           dq 0x1000
.Heap_allocation        dq 0x100000
.Heap_commit            dq 0x1000
.loader_flag            dd 0
.number_of_dirs         dd (EntryPoint-export_RVA_size)/8   ; = 2: export (empty) and import
export_RVA_size        dq 0
.import_RVA             dd import_
.import_size            dd end_import-import_
;------------------------------------------------
; Entry point: MessageBoxA(NULL, MsgCaption, MsgCaption, MB_OK), then return to the
; loader's thread-start routine (which presumably ends the process).
; On entry rsp = 8 (mod 16); enter pushes rbp (-> 0 mod 16) and reserves 20h, so the
; call is aligned.  enter is slow but is the smallest encoding, which is the point here.
EntryPoint:
   enter 20h,0        ; space for 4 arguments + 16byte aligned stack
   xor ecx, ecx                   ; 1. argument: rcx = hWnd = NULL
   mov r9, rcx                    ; 4. argument: r9d = uType = MB_OK = 0
   mov edx,MsgCaption+IMAGE_BASE  ; 2. argument: edx = window text (32-bit absolute VA; valid only because the image is never rebased)
   mov r8,rdx                     ; 3. argument: r8  = caption (same string)
   call [MessageBox]              ; through the IAT slot the loader has patched
   leave
   ret
;------------------------------------------------
MsgCaption      db "Iczelion's tutorial #2a",0
;-------------------------------------------------
; Import table in minimal form.  OriginalFirstThunk is 0, so the loader reads the
; names from the IAT itself and overwrites MessageBox with the resolved address; the
; IAT terminator is the first two zero dwords of import_.
Import_Table:
user32_table:
MessageBox  dq _MessageBox                        ; RVA of the hint/name entry below
import_:
dd 0,0,0,user32_dll,user32_table                  ; IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
dd 0                                              ; first dword of the terminating descriptor; the rest overlaps the strings below
user32_dll    db "user32",0,0                     ; no ".dll": the loader supplies the default extension
dw 0                                              ; with the two zero bytes of _MessageBox this makes the terminator's Name field read as 0
_MessageBox     db 0,0,"MessageBoxA"              ; hint = 0, name; its 0 terminator comes from the padding below
end_import:
times 268-end_import db 0  ;filling up to 268 bytes (also terminates "MessageBoxA" and makes size_of_image a multiple of 4)
EndOfImage:    


Description:
Download
Filename: tinyPEx64.zip
Filesize: 1.51 KB
Downloaded: 1334 Time(s)

MUFOS 17 Jun 2016, 00:20
Do you have a Win32 version available of this?
Great share!
Mikl___ 17 Jun 2016, 01:28
MUFOS,
in Win32, parameters to API functions are passed via the stack; in Win64, parameters are passed via the registers RCX, RDX, R8, R9, which do not exist in Win32. Especially for Win32 XP or Seven I wrote a program that creates a MessageBox with a size of 97 bytes, but this program will not work, even in compatibility mode, in Win64. You must translate the program from MASM dialect to FASM dialect yourself
Code:
.686P
.model flat
; tiny97 generator (a normal 32-bit MASM program): shows a message box, then writes the
; 97-byte PE32 image assembled inline at `buffer` to tiny97.exe.
; The generated image overlaps its code with the PE header fields and has no section
; table.  Its two `call` displacements are filled in at run time from THIS process's
; import table, so the written file hard-codes the absolute addresses of LoadLibraryA
; and MessageBoxA as they are in the generator process: it keeps working only while
; kernel32/user32 are mapped at the same addresses (no ASLR, or — presumably — the same
; boot session where randomisation is per boot).  The author notes 64-bit Windows
; rejects the result.
include windows.inc
includelib user32.lib
includelib kernel32.lib
extern _imp__MessageBoxA@16:dword       ; this process's IAT slots; two of them are also read as data below
extern _imp__WriteFile@20:dword
extern _imp__CreateFileA@28:dword
extern _imp__CloseHandle@4:dword
extern _imp__LoadLibraryA@4:dword
.code
start:  xor ebx,ebx                             ; ebx = 0 = NULL for the whole routine
        push MB_ICONINFORMATION OR MB_SYSTEMMODAL;1040h
        push offset szInfoCap 
        push offset namefile
        push ebx
    call _imp__MessageBoxA@16                   ; MessageBoxA(NULL, "tiny97.exe", "Creator tiny MessageBox", 1040h)
    ; Patch the two E8 call displacements inside the image: rel32 = target - (address of the
    ; dword in the generated image + 4), with the image assumed at ImageBase; `size _LoadLibraryA` is that 4.
    mov eax,_imp__LoadLibraryA@4
    sub eax,offset _LoadLibraryA-buffer+ImageBase+size _LoadLibraryA;400023h
    mov _LoadLibraryA,eax                       ; NOTE(review): writes into .code — the build must make the code section writable (link options not shown)
    mov eax,_imp__MessageBoxA@16
    sub eax,offset _MessageBoxA-buffer+ImageBase+size _MessageBoxA;400035h
    mov _MessageBoxA,eax
    push ebx    ;NULL   hTemplateFile
    push FILE_ATTRIBUTE_ARCHIVE
    push CREATE_ALWAYS
    push ebx    ;lpSecurityAttributes = NULL
    push FILE_SHARE_READ or FILE_SHARE_WRITE
    push GENERIC_READ or GENERIC_WRITE
    push offset namefile
    call _imp__CreateFileA@28                   ; eax = hFile; NOTE(review): INVALID_HANDLE_VALUE is not checked
    push eax    ;hFile for CloseHandle (stays on the stack underneath the WriteFile arguments)
    push ebx        ;lpOverlapped
        push offset SizeReadWrite   ;lpNumberOfBytesWritten
    push sizeof_image;a4-buffer ;nNumberOfBytesToWrite=97
    push offset buffer  ;lpBuffer
    push eax    ;hFile for WriteFile
    call _imp__WriteFile@20
    call _imp__CloseHandle@4                    ; consumes the hFile pushed first
QUIT:   retn
ImageBase equ 400000h
; ---- the 97-byte image.  Comments give the file offset and the PE field the bytes double as. ----
buffer  dd 'ZM','EP'    ; 00h: 'MZ'; 04h: 'PE',0,0 — e_lfanew (at 3Ch) is 4, see the SectionAlignment field below
    dw 14Ch ;Machine (Intel 386)                 08h
    dw 0    ;NumberOfSection                     0Ah: no section table, the file is mapped as one piece
EntryPoint: xor ebx,ebx ; ebx = 0                0Ch: AddressOfEntryPoint (at 2Ch) points here; TimeDateStamp/PointerToSymbolTable bytes
    mov edi,offset namedll-buffer+ImageBase      ; edi = "user32" in the mapped image
    push edi        ;push offset user32          lpLibFileName
    jmp short @f                                 ; skip the 8 header bytes that follow
    db 0,0  ;       UNUSED                       16h: tail of NumberOfSymbols
    dw a4-optheader ;SizeOfOptionalHeader        18h
    dw 103h ;Characteristics (no relocations, executable, 32 bit)   1Ah
optheader:
    dw 10Bh ;Magic PE32                          1Ch
@@:
    db 0E8h         ;call LoadLibraryA           1Eh: rel32 is filled in by the generator above
_LoadLibraryA dd 0
    push ebx        ;push 0                      23h: uType = 0
    push edi        ;push offset user32          lpCaption
    push edi        ;push offset user32          lpText
    push ebx        ;push 0                      hWnd = NULL
    jmp short @f                                 ; skip the next 7 header bytes
    db 0,0,0                                     ; 29h: rest of SizeOfUninitializedData
    dd EntryPoint-buffer                         ; 2Ch: AddressOfEntryPoint
@@:
    db 0E8h         ;call MessageBoxA            30h: rel32 is filled in by the generator above
_MessageBoxA dd 0
    retn                                         ; 35h: returning from the entry point ends the process
    dw 0    ;           UNUSED                   36h
    dd ImageBase    ;ImageBase                   38h
    dd 4    ;SectionAligment                     3Ch: also read as e_lfanew = 4 = the 'PE' above
    dd 4    ;FileAligment                        40h
namedll db 'user32',0,0 ;       UNUSED           44h: OS/Image version fields, ignored by the loader
    dd 4    ;Major/MinorSubsystemVersion = 4.0   4Ch: not unused — the loader checks this field
    dd 0    ;Win32VersionValue  UNUSED           50h
    dd 68h  ;SizeOfimage                         54h
    dd sizeof_image;61h ;SizeOfHeader            58h
    dd 0    ;CheckSum       UNUSED               5Ch
    db 2    ;Subsystem (Win32 GUI)               60h: the file ends here; presumably the loader sees the remaining header fields as zero
a4:
;---------------------------------------------------------------------------
sizeof_image=$-buffer                            ; 97 bytes
.data
szInfoCap db "Creator tiny MessageBox",0         ; caption of the generator's own message box
namefile db 'tiny97.exe',0                       ; output file name, also used as that message box's text
SizeReadWrite dd 0                               ; receives lpNumberOfBytesWritten
end start    
MUFOS 17 Jun 2016, 12:18
Mikl___ wrote:
MUFOS,
in Win32 parameters in API functions passed via stack, in Win64 parameters are passed via registers RCX, RDX, R8, R9, which are not in Win32. Especially for Win32 XP or Seven I wrote a program that creates MessageBox with size equal to 97 bytes, but this program will not work, even in compatibility mode in Win64. You must to translate the program from MASM dialect to FASM dialect yourself
Code:
.686P
.model flat
include windows.inc
includelib user32.lib
includelib kernel32.lib
extern _imp__MessageBoxA@16:dword
extern _imp__WriteFile@20:dword
extern _imp__CreateFileA@28:dword
extern _imp__CloseHandle@4:dword
extern _imp__LoadLibraryA@4:dword
.code
start:  xor ebx,ebx
        push MB_ICONINFORMATION OR MB_SYSTEMMODAL;1040h
        push offset szInfoCap 
        push offset namefile
        push ebx
    call _imp__MessageBoxA@16
    mov eax,_imp__LoadLibraryA@4
    sub eax,offset _LoadLibraryA-buffer+ImageBase+size _LoadLibraryA;400023h
    mov _LoadLibraryA,eax
    mov eax,_imp__MessageBoxA@16
    sub eax,offset _MessageBoxA-buffer+ImageBase+size _MessageBoxA;400035h
    mov _MessageBoxA,eax
    push ebx    ;NULL   
    push FILE_ATTRIBUTE_ARCHIVE
    push CREATE_ALWAYS
    push ebx
    push FILE_SHARE_READ or FILE_SHARE_WRITE
    push GENERIC_READ or GENERIC_WRITE
    push offset namefile
    call _imp__CreateFileA@28
    push eax    ;hFile 4;O CloseHandle
    push ebx        ;lpOverlapped
        push offset SizeReadWrite   ;lpNumberOfBytesToWrite
    push sizeof_image;a4-buffer ;nNumberOfBytesToWrite=97
    push offset buffer  ;lpBuffer
    push eax    ;hFile 4;O WriteFile
    call _imp__WriteFile@20
    call _imp__CloseHandle@4
QUIT:   retn
ImageBase equ 400000h
buffer  dd 'ZM','EP'
    dw 14Ch ;Machine (Intel 386)
    dw 0    ;NumberOfSection
EntryPoint: xor ebx,ebx ; ebx = 0
    mov edi,offset namedll-buffer+ImageBase
    push edi        ;push offset user32
    jmp short @f
    db 0,0  ;       UNUSED
    dw a4-optheader ;SizeOfOptionalHeader
    dw 103h ;Characteristics (no relocations, executable, 32 bit)
optheader:
    dw 10Bh ;Magic PE32
@@:
    db 0E8h         ;call LoadLibraryA
_LoadLibraryA dd 0
    push ebx        ;push 0
    push edi        ;push offset user32
    push edi        ;push offset user32
    push ebx        ;push 0
    jmp short @f
    db 0,0,0
    dd EntryPoint-buffer
@@:
    db 0E8h         ;call MessageBoxA
_MessageBoxA dd 0
    retn
    dw 0    ;           UNUSED
    dd ImageBase    ;ImageBase
    dd 4    ;SectionAligment
    dd 4    ;FileAligment
namedll db 'user32',0,0 ;       UNUSED
    dd 4    ;MinorSubsystemVersion  UNUSED
    dd 0    ;Win32VersionValue  UNUSED
    dd 68h  ;SizeOfimage
    dd sizeof_image;64h ;SizeOfHeader
    dd 0    ;CheckSum       UNUSED
    db 2    ;Subsystem (Win32 GUI)
a4:
;---------------------------------------------------------------------------
sizeof_image=$-buffer
.data
szInfoCap db "Creator tiny MessageBox",0
namefile db 'tiny97.exe',0
SizeReadWrite dd 0
end start    


Thank you a lot! Are you saying this won't run under Win64? How would I make it do so?
Mikl___ 18 Jun 2016, 05:20
Quote:
Are you saying this won't run under Win64. How would I make it do so?

a working PE64 with import, size of exe-file is 268 bytes
MUFOS 19 Jun 2016, 01:45
Mikl___ wrote:
Quote:
Are you saying this won't run under Win64. How would I make it do so?

a working PE64 with import, size of exe-file is 268 bytes


I meant, under 64 bit versions of Windows.
therektafire 06 Dec 2023, 21:28
Mikl___ wrote:
a working PE64 with import, size of exe-file is 268 bytes
Code:
format binary as 'exe'

IMAGE_DOS_SIGNATURE             equ 5A4Dh
IMAGE_NT_SIGNATURE              equ 00004550h
PROCESSOR_AMD_X8664             equ 8664h
IMAGE_SCN_CNT_CODE              equ 00000020h
IMAGE_SCN_MEM_READ              equ 40000000h
IMAGE_SCN_MEM_WRITE             equ 80000000h
IMAGE_SCN_CNT_INITIALIZED_DATA  equ 00000040h
IMAGE_SUBSYSTEM_WINDOWS_GUI     equ 2
IMAGE_NT_OPTIONAL_HDR64_MAGIC   equ 20Bh
IMAGE_FILE_RELOCS_STRIPPED      equ 1
IMAGE_FILE_EXECUTABLE_IMAGE     equ 2
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h

include 'win64a.inc'
org 0
use64
IMAGE_BASE = 400000h
Signature:              dw IMAGE_DOS_SIGNATURE,0
ntHeader                dd IMAGE_NT_SIGNATURE;'PE'
;image_header--------------------------
.Machine                dw PROCESSOR_AMD_X8664
.Count_of_section       dw 0;2
.TimeStump              dd 0
.Symbol_table_offset    dd 0;ntHeader
.Symbol_table_count     dd 0
.Size_of_optional_header dw EntryPoint-optional_header
.Characteristics        dw 0x20 or IMAGE_FILE_RELOCS_STRIPPED or IMAGE_FILE_EXECUTABLE_IMAGE
;20h Handle >2Gb addresses
;-------------------------------------
optional_header:
.Magic_optional_header  dw IMAGE_NT_OPTIONAL_HDR64_MAGIC
.Linker_version_major_and_minor dw 9 
.Size_of_code           dd 0
.Size_of_init_data      dd 0;xC0
.Size_of_uninit_data    dd 0
.entry_point            dd EntryPoint
.base_of_code           dd ntHeader
.image_base             dq IMAGE_BASE
.section_alignment      dd 4
.file_alignment         dd 4
.OS_version_major_minor dw 5,2
.image_version_major_minor dd 0
.subsystem_version_major_minor dw 5,2
.Win32_version          dd 0
.size_of_image          dd EndOfImage
.size_of_header         dd EntryPoint
.checksum               dd 0
.subsystem              dw IMAGE_SUBSYSTEM_WINDOWS_GUI
.DLL_flag               dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
.Stack_allocation       dq 0x100000
.Stack_commit           dq 0x1000
.Heap_allocation        dq 0x100000
.Heap_commit            dq 0x1000
.loader_flag            dd 0
.number_of_dirs         dd (EntryPoint-export_RVA_size)/8
export_RVA_size        dq 0
.import_RVA             dd import_
.import_size            dd end_import-import_
;------------------------------------------------
EntryPoint:
   enter 20h,0        ; space for 4 arguments + 16byte aligned stack
   xor ecx, ecx                   ; 1. argument: rcx = hWnd = NULL
   mov r9, rcx                    ; 4. argument: r9d = uType = MB_OK = 0
   mov edx,MsgCaption+IMAGE_BASE  ; 2. argument: edx = window text
   mov r8,rdx                     ; 3. argument: r8  = caption
   call [MessageBox]
   leave
   ret
;------------------------------------------------
MsgCaption      db "Iczelion's tutorial #2a",0
;-------------------------------------------------
Import_Table:
user32_table:
MessageBox  dq _MessageBox
import_:
dd 0,0,0,user32_dll,user32_table
dd 0
user32_dll    db "user32",0,0
dw 0
_MessageBox     db 0,0,"MessageBoxA"
end_import:
times 268-end_import db 0  ;filling up to 268 bytes
EndOfImage:    


This 268-byte one doesn't seem to work in Windows 10, at least not the current version. I don't get any obvious error popups when I run it either from the command line or by clicking, but the message box doesn't appear, so clearly something is wrong. However, OP's 345-byte one does work. I wonder what the exact difference is that's causing it not to work — is it that in the smaller version there are no sections? That would be my guess, but I'm no PE or low-level Windows expert, so I'm not sure why exactly it won't work, just that it doesn't 🤷
MatQuasar 03 Jan 2024, 09:56
This is great! The 345-byte EXE still runs on my Windows 10 22H2.

Is the line below required?
Code:
.DLL_flag               dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE          


Code:
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h      


Even if I omit this, it still works.
MatQuasar 03 Jan 2024, 12:13
I tweaked Tomasz's "Learning binary file formats (work in progress)" example (basic.asm) a little and got a quite small 32-bit 512-byte EXE that runs under Windows 10 22H2.

I learned from the OP's example that FileAlignment and SectionAlignment must be 16 each; the rest of the header fields (in the original basic.asm) were mostly unchanged.

The changes include:
Code:
FILE_ALIGNMENT := 16                  ; the value the poster found necessary for this image on Windows 10 22H2
SECTION_ALIGNMENT := 16               ; below the page size, so it must equal FILE_ALIGNMENT (the file is mapped as-is)


The Data Directory has only 2 entries:
Code:
; Data directories.  Only the first two (Export and Import) are emitted and the
; directory count elsewhere in the header is presumably 2 to match, so the loader
; does not look for anything from Resource onwards.  RVA = link-time VA - IMAGE_BASE.
RvaAndSizes:
        .Export.Rva                     dd 0
        .Export.Size                    dd 0
        .Import.Rva                     dd ImportTable-IMAGE_BASE
        .Import.Size                    dd ImportTable.End-ImportTable
        ; the remaining 14 directories are omitted on purpose (see the count above)
        ;.Resource.Rva                   dd 0
        ;.Resource.Size                  dd 0
        ;.Exception.Rva                  dd 0
        ;.Exception.Size                 dd 0
        ;.Certificate.Rva                dd 0
        ;.Certificate.Size               dd 0
        ;.BaseRelocation.Rva             dd 0
        ;.BaseRelocation.Size            dd 0
        ;.Debug.Rva                      dd 0
        ;.Debug.Size                     dd 0
        ;.Architecture.Rva               dd 0
        ;.Architecture.Size              dd 0
        ;.GlobalPtr.Rva                  dd 0
        ;.GlobalPtr.Size                 dd 0
        ;.TLS.Rva                        dd 0
        ;.TLS.Size                       dd 0
        ;.LoadConfig.Rva                 dd 0
        ;.LoadConfig.Size                dd 0
        ;.BoundImport.Rva                dd 0
        ;.BoundImport.Size               dd 0
        ;.IAT.Rva                        dd 0
        ;.IAT.Size                       dd 0
        ;.DelayImport.Rva                dd 0
        ;.DelayImport.Size               dd 0
        ;.COMPlus.Rva                    dd 0
        ;.COMPlus.Size                   dd 0
        ;.Reserved.Rva                   dd 0
        ;.Reserved.Size                  dd 0     


Added the first line (so that there is no need to rename the output file afterward):
Code:
; flat binary output; `as "exe"` only sets the output file's extension
format binary as "exe"    


The full source (modified from basic.asm)
Code:
format binary as "exe"

; Minimal 32-bit PE (PE32) "hello" executable, adapted from Tomasz Grysztar's
; basic.asm (fasmg syntax).  Two sections: .text (code) and .rdata (import
; table and strings).  stdcall calls through the IAT; fixed image base with no
; base relocations, so the image can only be loaded at IMAGE_BASE.

; Pad the current address up to a multiple of pow2 with `value`
; (uninitialized when no value is given).  Used for the virtual layout and,
; with value 0, for zero-filling the file up to FILE_ALIGNMENT.
macro align? pow2*,value:?
        db  (-$) and (pow2-1)  dup value
end macro

include '80386.inc'
use32

IMAGE_BASE := 0x400000
org IMAGE_BASE

; Both alignments are 16 instead of the customary 0x200 / 0x1000; this is what
; keeps the whole file at 512 bytes.
FILE_ALIGNMENT := 16
SECTION_ALIGNMENT := 16

; IMAGE_DOS_HEADER.  The Win32 loader only needs e_magic ("MZ") and e_lfanew
; (the dword at offset 0x3C); the other fields describe the empty DOS program.
Stub:
        .Signature                      dw "MZ"
        .BytesInLastSector              dw SIZE_OF_STUB mod 512
        .NumberOfSectors                dw (SIZE_OF_STUB-1)/512 + 1
        .NumberOfRelocations            dw 0
        .NumberOfHeaderParagraphs       dw SIZE_OF_STUB_HEADER / 16
                                        db 0x3C - ($-Stub) dup 0        ; zero-fill up to e_lfanew
        .NewHeaderOffset                dd Header-IMAGE_BASE            ; e_lfanew: RVA == file offset for the headers

align 16

SIZE_OF_STUB_HEADER := $ - Stub

        ; The code of a DOS program would go here.

SIZE_OF_STUB := $ - Stub

align 8

; IMAGE_NT_HEADERS32: "PE\0\0" signature followed by IMAGE_FILE_HEADER.
Header:
        .Signature                      dw "PE",0
        .Machine                        dw 0x14C ; IMAGE_FILE_MACHINE_I386
        .NumberOfSections               dw NUMBER_OF_SECTIONS
        .TimeDateStamp                  dd %t                           ; %t = assembly time
        .PointerToSymbolTable           dd 0
        .NumberOfSymbols                dd 0
        .SizeOfOptionalHeader           dw SectionTable - OptionalHeader
        .Characteristics                dw 0x102 ; IMAGE_FILE_32BIT_MACHINE + IMAGE_FILE_EXECUTABLE_IMAGE

; IMAGE_OPTIONAL_HEADER32.  Size fields that the loader does not need are 0.
OptionalHeader:
        .Magic                          dw 0x10B
        .MajorLinkerVersion             db 0
        .MinorLinkerVersion             db 0
        .SizeOfCode                     dd 0
        .SizeOfInitializedData          dd 0
        .SizeOfUninitializedData        dd 0
        .AddressOfEntryPoint            dd EntryPoint-IMAGE_BASE        ; RVA
        .BaseOfCode                     dd 0
        .BaseOfData                     dd 0
        .ImageBase                      dd IMAGE_BASE
        .SectionAlignment               dd SECTION_ALIGNMENT
        .FileAlignment                  dd FILE_ALIGNMENT
        .MajorOperatingSystemVersion    dw 3
        .MinorOperatingSystemVersion    dw 10
        .MajorImageVersion              dw 0
        .MinorImageVersion              dw 0
        .MajorSubsystemVersion          dw 3
        .MinorSubsystemVersion          dw 10
        .Win32VersionValue              dd 0
        .SizeOfImage                    dd SIZE_OF_IMAGE
        .SizeOfHeaders                  dd SIZE_OF_HEADERS
        .CheckSum                       dd 0
        .Subsystem                      dw 2 ; IMAGE_SUBSYSTEM_WINDOWS_GUI
        ; No hardening flags: DYNAMIC_BASE (0x40) and NX_COMPAT (0x100) are
        ; clear, and there is no base-relocation directory, so the image always
        ; loads at IMAGE_BASE.  Fine for a format demo, not for real software.
        .DllCharacteristics             dw 0
        ; Deliberately tiny stack; the program only makes two calls.
        .SizeOfStackReserve             dd 4096
        .SizeOfStackCommit              dd 4096
        .SizeOfHeapReserve              dd 65536
        .SizeOfHeapCommit               dd 0
        .LoaderFlags                    dd 0
        .NumberOfRvaAndSizes            dd NUMBER_OF_RVA_AND_SIZES      ; computed from the array below

; IMAGE_DATA_DIRECTORY array, truncated right after the Import entry; the
; unused directories are omitted rather than zero-filled.
RvaAndSizes:
        .Export.Rva                     dd 0
        .Export.Size                    dd 0
        .Import.Rva                     dd ImportTable-IMAGE_BASE
        .Import.Size                    dd ImportTable.End-ImportTable
        ;.Resource.Rva                   dd 0
        ;.Resource.Size                  dd 0
        ;.Exception.Rva                  dd 0
        ;.Exception.Size                 dd 0
        ;.Certificate.Rva                dd 0
        ;.Certificate.Size               dd 0
        ;.BaseRelocation.Rva             dd 0
        ;.BaseRelocation.Size            dd 0
        ;.Debug.Rva                      dd 0
        ;.Debug.Size                     dd 0
        ;.Architecture.Rva               dd 0
        ;.Architecture.Size              dd 0
        ;.GlobalPtr.Rva                  dd 0
        ;.GlobalPtr.Size                 dd 0
        ;.TLS.Rva                        dd 0
        ;.TLS.Size                       dd 0
        ;.LoadConfig.Rva                 dd 0
        ;.LoadConfig.Size                dd 0
        ;.BoundImport.Rva                dd 0
        ;.BoundImport.Size               dd 0
        ;.IAT.Rva                        dd 0
        ;.IAT.Size                       dd 0
        ;.DelayImport.Rva                dd 0
        ;.DelayImport.Size               dd 0
        ;.COMPlus.Rva                    dd 0
        ;.COMPlus.Size                   dd 0
        ;.Reserved.Rva                   dd 0
        ;.Reserved.Size                  dd 0

; IMAGE_SECTION_HEADER entries (40 bytes each); NUMBER_OF_SECTIONS is derived
; from the table length below.
SectionTable:

        .1.Name                         dq +'.text'
        .1.VirtualSize                  dd Section.1.End - Section.1
        .1.VirtualAddress               dd Section.1 - IMAGE_BASE
        .1.SizeOfRawData                dd Section.1.SIZE_IN_FILE
        .1.PointerToRawData             dd Section.1.OFFSET_IN_FILE
        .1.PointerToRelocations         dd 0
        .1.PointerToLineNumbers         dd 0
        .1.NumberOfRelocations          dw 0
        .1.NumberOfLineNumbers          dw 0
        ; execute+read, no MEM_WRITE: code is not writable (W^X kept at the header level)
        .1.Characteristics              dd 0x60000000 ; IMAGE_SCN_MEM_EXECUTE + IMAGE_SCN_MEM_READ

        .2.Name                         dq +'.rdata'
        .2.VirtualSize                  dd Section.2.End - Section.2
        .2.VirtualAddress               dd Section.2 - IMAGE_BASE
        .2.SizeOfRawData                dd Section.2.SIZE_IN_FILE
        .2.PointerToRawData             dd Section.2.OFFSET_IN_FILE
        .2.PointerToRelocations         dd 0
        .2.PointerToLineNumbers         dd 0
        .2.NumberOfRelocations          dw 0
        .2.NumberOfLineNumbers          dw 0
        ; read-only, yet the IAT the loader patches lives here.  NOTE(review):
        ; with the sub-page SectionAlignment above, these flags may not become
        ; per-section page protection at all — confirm before relying on them.
        .2.Characteristics              dd 0x40000000 ; IMAGE_SCN_MEM_READ

SectionTable.End:

NUMBER_OF_RVA_AND_SIZES := (SectionTable-RvaAndSizes)/8
NUMBER_OF_SECTIONS := (SectionTable.End-SectionTable)/40
SIZE_OF_HEADERS := Section.1.OFFSET_IN_FILE

align SECTION_ALIGNMENT
Section.1:

; Switch addressing to the raw output offset ($%%) so the align pads the file,
; not the virtual layout; the label then records the section's file offset.
section $%%
align FILE_ALIGNMENT,0
Section.1.OFFSET_IN_FILE:

section Section.1

        EntryPoint:

                ; MessageBoxA(NULL, MessageString, CaptionString, 0 /* MB_OK */)
                ; stdcall: arguments pushed right to left, callee cleans up.
                push    0
                push    CaptionString
                push    MessageString
                push    0
                call    [MessageBoxA]           ; indirect call through the IAT slot

                ; ExitProcess(0) — does not return
                push    0
                call    [ExitProcess]

Section.1.End:

align SECTION_ALIGNMENT
Section.2:

section $%%
align FILE_ALIGNMENT,0
Section.1.SIZE_IN_FILE := $ - Section.1.OFFSET_IN_FILE
Section.2.OFFSET_IN_FILE:

section Section.2

        ; IMAGE_IMPORT_DESCRIPTOR array: one per DLL, terminated by an all-zero entry.
        ImportTable:

                .1.ImportLookupTableRva         dd KernelLookupTable-IMAGE_BASE
                .1.TimeDateStamp                dd 0
                .1.ForwarderChain               dd 0
                .1.NameRva                      dd KernelDLLName-IMAGE_BASE
                .1.ImportAddressTableRva        dd KernelAddressTable-IMAGE_BASE

                .2.ImportLookupTableRva         dd UserLookupTable-IMAGE_BASE
                .2.TimeDateStamp                dd 0
                .2.ForwarderChain               dd 0
                .2.NameRva                      dd UserDLLName-IMAGE_BASE
                .2.ImportAddressTableRva        dd UserAddressTable-IMAGE_BASE

                                                dd 0,0,0,0,0            ; terminating null descriptor

                ; Lookup table (ILT) and address table (IAT) hold the same RVAs
                ; on disk; the loader leaves the ILT alone and rewrites the IAT.
                KernelLookupTable:
                                dd ExitProcessLookup-IMAGE_BASE
                                dd 0
                KernelAddressTable:
                ExitProcess     dd ExitProcessLookup-IMAGE_BASE ; this is going to be replaced with the address of the function
                                dd 0

                UserLookupTable:
                                dd MessageBoxALookup-IMAGE_BASE
                                dd 0
                UserAddressTable:
                MessageBoxA     dd MessageBoxALookup-IMAGE_BASE ; this is going to be replaced with the address of the function
                                dd 0

                                ; hint/name entries are kept 2-byte aligned
                                align 2
                ExitProcessLookup:
                        .Hint   dw 0
                        .Name   db 'ExitProcess',0
                                align 2
                MessageBoxALookup:
                        .Hint   dw 0
                        .Name   db 'MessageBoxA',0

                KernelDLLName   db 'KERNEL32.DLL',0
                UserDLLName     db 'USER32.DLL',0

        ImportTable.End:

        CaptionString db "PE tutorial",0
        MessageString db "I am alive and well!",0

Section.2.End:

align SECTION_ALIGNMENT
SIZE_OF_IMAGE := $ - IMAGE_BASE

section $%%
align FILE_ALIGNMENT,0
Section.2.SIZE_IN_FILE := $ - Section.2.OFFSET_IN_FILE    


https://pastebin.com/L8qLWLhn
https://pastebin.com/EcDMUtAX


Description:
Filesize: 56.9 KB
Viewed: 10029 Time(s)

Screenshot 2024-01-03 215554.png




Last edited by MatQuasar on 07 Jan 2024, 14:38; edited 1 time in total
Post 03 Jan 2024, 12:13
Mikl___



Joined: 30 Dec 2014
Posts: 143
Location: Russian Federation, Irkutsk
Mikl___ 07 Jan 2024, 13:25
A working PE64 with an import table; the EXE is 282 bytes and runs on Windows 10.
Code:
format binary as "exe"
include "win64a.inc"
; Minimal PE32+ (x86-64) executable with a real import table, 282 bytes.
; Tricks: the 4-byte "MZ" signature is immediately followed by the PE header,
; so optional-header fields overlap the DOS header (see align1 below); one
; section holds code, IAT and import strings; fixed base, relocations stripped.
; ABI: Microsoft x64.  Entry point: begin.  fasm 1 syntax (`equ`, `struc`).

; Helper: defines a byte string and its length as .size (not used in this listing).
struc dbs [data]
{
  common
  . db data
  .size = $ - .
}
 
IMAGE_DOS_SIGNATURE        equ 5A4Dh
IMAGE_NT_SIGNATURE        equ 00004550h
PROCESSOR_AMD_X8664        equ 8664h
IMAGE_SCN_CNT_CODE        equ 00000020h
IMAGE_SCN_MEM_WRITE        equ 80000000h
IMAGE_SCN_MEM_READ        equ 40000000h
IMAGE_SCN_CNT_INITIALIZED_DATA    equ 00000040h
IMAGE_SUBSYSTEM_WINDOWS_GUI    equ 2
IMAGE_NT_OPTIONAL_HDR64_MAGIC    equ 20Bh
IMAGE_FILE_RELOCS_STRIPPED    equ 1
IMAGE_FILE_EXECUTABLE_IMAGE    equ 2
IMAGE_BASE            equ 0x400000
; 4 is not a free choice: section_alignment (which this value fills) sits at
; file offset 0x3C, the dword the loader reads as e_lfanew, so it must equal the
; offset of ntHeader (4).  The commented-out 0x10 would make the loader look for
; the PE signature at offset 0x10, where there is none.  The same value is also
; the file alignment; both are far below the page size.
align1                equ 4;0x10
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h
use64
org 0                                   ; labels are RVAs; the base is added by hand where a VA is needed
;--------DOS-stub-------------------------------
; Only e_magic is present; everything after it is already the PE header.
Signature       dw IMAGE_DOS_SIGNATURE,0
;-------PE--------------------------------------------------
ntHeader        dd IMAGE_NT_SIGNATURE;'PE'
;image_header----
Machine             dw PROCESSOR_AMD_X8664
Count_of_section    dw 1
TimeStump           dd 0
Symbol_table_offset dd 0
Symbol_table_count  dd 0
Size_of_optional_header dw section_table-optional_header
; RELOCS_STRIPPED: no base-relocation directory, so the image can only load at IMAGE_BASE
Characteristics     dw IMAGE_FILE_RELOCS_STRIPPED or \
IMAGE_FILE_EXECUTABLE_IMAGE
;-------
optional_header:
Magic_optional_header    dw IMAGE_NT_OPTIONAL_HDR64_MAGIC
Linker_version_major_and_minor dw 9
Size_of_code        dd Import_Table-begin       ; code bytes only; import data excluded
Size_of_init_data   dd 0x70                     ; hard-coded, informational
Size_of_uninit_data dd 0
entry_point         dd begin                    ; RVA
base_of_code        dd ntHeader
;-----------------------------------------------------
image_base          dq IMAGE_BASE
section_alignment   dd align1                   ; file offset 0x3C — doubles as e_lfanew (see align1)
file_alignment      dd align1
OS_version_major_minor    dw 5,2
image_version_major_minor dd 0
subsystem_version_major_minor dw 5,2
Win32_version       dd 0
size_of_image       dd end_import               ; the whole file is the image
size_of_header      dd begin                    ; headers end where the code starts
checksum            dd 0
subsystem           dw IMAGE_SUBSYSTEM_WINDOWS_GUI
DLL_flag            dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE   ; informational; no DYNAMIC_BASE / NX_COMPAT
Stack_allocation    dq 0x100000
Stack_commit        dq 0x1000
Heap_allocation     dq 0x100000
Heap_commit         dq 0x1000
loader_flag         dd 0
number_of_dirs      dd (section_table-export_RVA_size)/8    ; = 2: Export (empty) and Import
export_RVA_size     dq 0
; RVA of the import descriptor array.  NOTE(review): the 0x3C size is nominal
; (the visible descriptor plus terminator is smaller); presumably the loader
; walks descriptors until the null one regardless of this size — confirm.
import_RVA_size     dd _import,0x3C
;------------------------------------------------
; IMAGE_SECTION_HEADER: one section covering code, IAT and import strings.
section_table       dq ".text"
; NOTE(review): hard-coded while .Physical_size below is computed; using
; end_import-begin here too would keep the two from drifting apart.
.virtual_size       dd 0x55
.virtual_address    dd begin
.Physical_size      dd end_import-begin
.Physical_offset    dd begin                    ; raw data follows the headers; offset == RVA here
.Relocations_and_Linenumbers dq 0
.Relocations_and_Linenumbers_count dd 0
; Read+write and "contains code", but IMAGE_SCN_MEM_EXECUTE (0x20000000) is not
; set, and the loader-patched IAT shares the region with the code, so W^X does
; not hold for this image.  NOTE(review): execution presumably works because
; the sub-page SectionAlignment makes the loader map the whole file under one
; protection instead of honouring per-section flags — confirm.
.Attributes         dd IMAGE_SCN_MEM_WRITE or IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_READ ;or IMAGE_SCN_CNT_INITIALIZED_DATA
;------------------------------------------------
; Entry point: MessageBoxA(NULL, "user32", "MessageBoxA", MB_OK), then return
; to the thread-start routine that called us.
; Registers (Microsoft x64): rcx=hWnd, rdx=lpText, r8=lpCaption, r9=uType.
begin:
    push rbp                            ; rsp is 8 mod 16 on entry; one push realigns it to 16 for the call
    xor ecx,ecx                         ; hWnd = NULL
    ; lpText = "user32": the DLL-name string doubles as the message text.
    ; 32-bit absolute VA (base + RVA) — valid only because the base is fixed
    ; at 0x400000 and relocations are stripped.
    mov edx,user32_dll+IMAGE_BASE
    lea r8d,[rdx+12]                    ; lpCaption = "MessageBoxA": 12 bytes past user32_dll (8-byte name, dw 0, 2-byte hint)
    xor r9d,r9d                         ; uType = 0 (MB_OK)
    ; NOTE(review): no 32-byte shadow space is reserved before this call; the
    ; Microsoft x64 ABI requires the caller to provide it.  It works only as
    ; long as the callee never writes its home slots (they would land on the
    ; saved rbp and our return address).  `sub rsp,32` after the push (and
    ; `add rsp,32` before the pop) keeps 16-byte alignment and is ABI-correct.
    call [MessageBox]                   ; indirect call through the IAT slot
    pop rbp
    retn                                ; presumably the caller then ends the process, with eax (MessageBoxA's result) as exit code — confirm
;------------------------------------------------
Import_Table:
; IAT (FirstThunk) for user32: on disk the slot holds the RVA of the hint/name
; entry; the loader overwrites it with the resolved address.  0 terminates.
user32_table:
MessageBox  dq _MessageBox,0
; IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk=0 (no separate lookup table, the
; IAT is used for both), TimeDateStamp, ForwarderChain, Name RVA, FirstThunk RVA.
_import:
dd 0,0,0,user32_dll,user32_table
; Start of the terminating descriptor.  The bytes that follow overlap it on
; purpose: its Name field falls on the `dw 0` plus the two zero hint bytes of
; _MessageBox, so it reads as 0 — presumably that is what ends the loader's
; walk of the descriptors — confirm.
dd 0
user32_dll db "user32",0,0              ; DLL name without extension (the loader resolves it as user32.dll); also reused as the message text
dw 0
; Hint/name entry: 2-byte hint 0, then the name.  No terminating 0 is emitted;
; this relies on the mapped image being zero-filled past the end of the file.
_MessageBox        db 0,0,"MessageBoxA"
end_import:    
Post 07 Jan 2024, 13:25