Index
> Windows > Tiny PE in win64Goto page 1, 2, 3 Next |
| Author |
|
|
Mikl___ 24 Mar 2015, 07:53
Tiny PE in win64
Code: format binary as "exe" IMAGE_DOS_SIGNATURE equ 5A4Dh IMAGE_NT_SIGNATURE equ 00004550h PROCESSOR_AMD_X8664 equ 8664h IMAGE_SCN_CNT_CODE equ 00000020h IMAGE_SCN_MEM_READ equ 40000000h IMAGE_SCN_MEM_WRITE equ 80000000h IMAGE_SCN_CNT_INITIALIZED_DATA equ 00000040h IMAGE_SUBSYSTEM_WINDOWS_GUI equ 2 IMAGE_NT_OPTIONAL_HDR64_MAGIC equ 20Bh IMAGE_FILE_RELOCS_STRIPPED equ 1 IMAGE_FILE_EXECUTABLE_IMAGE equ 2 IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h include 'win64a.inc' org 0 use64 Signature: dq IMAGE_DOS_SIGNATURE,0 ntHeader dd IMAGE_NT_SIGNATURE;'PE' ;image_header-------------------------- .Machine dw PROCESSOR_AMD_X8664 .Count_of_section dw 1;2 .TimeStump dd 0 .Symbol_table_offset dd 0;ntHeader .Symbol_table_count dd 0 .Size_of_optional_header dw section_table-optional_header .Characteristics dw 0x20 or IMAGE_FILE_RELOCS_STRIPPED or IMAGE_FILE_EXECUTABLE_IMAGE ;20h Handle >2Gb addresses ;------------------------------------- optional_header: .Magic_optional_header dw IMAGE_NT_OPTIONAL_HDR64_MAGIC .Linker_version_major_and_minor dw 9 .Size_of_code dd 0 .Size_of_init_data dd 0xC0 .Size_of_uninit_data dd 0 .entry_point dd begin .base_of_code dd ntHeader .image_base dq 0x140000000 .section_alignment dd 0x10 .file_alignment dd 0x10 .OS_version_major_minor dw 5,2 .image_version_major_minor dd 0 .subsystem_version_major_minor dw 5,2 .Win32_version dd 0 .size_of_image dd end_import .size_of_header dd begin .checksum dd 0 .subsystem dw IMAGE_SUBSYSTEM_WINDOWS_GUI .DLL_flag dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE .Stack_allocation dq 0x100000 .Stack_commit dq 0x1000 .Heap_allocation dq 0x100000 .Heap_commit dq 0x1000 .loader_flag dd 0 .number_of_dirs dd (section_table-export_RVA_size)/8 export_RVA_size dq 0 .import_RVA dd import_ .import_size dd end_import-import_ ;------------------------------------------------ section_table: dq '.text' .virtual_size dd 0x55 .virtual_address dd begin .Physical_size dd end_import-begin .Physical_offset dd begin .Relocations dd 0 .Linenumbers dd 0 .Relocations_and_Linenumbers_count dd 0 .Attributes dd IMAGE_SCN_MEM_WRITE or IMAGE_SCN_CNT_CODE;0x80000020 ;------------------------------------------------- begin: sub rsp, 28h ; space for 4 arguments + 16byte aligned stack xor r9d, r9d ; 4. argument: r9d = uType = 0 lea r8, [MsgCaption]; 3. argument: r8 = caption lea rdx,[MsgBoxText]; 2. argument: edx = window text xor ecx, ecx ; 1. argument: rcx = hWnd = NULL call [MessageBox] add rsp, 28h ret ;------------------------------------------------ MsgCaption db "Iczelion's tutorial #2", 0 MsgBoxText db "Win64 Assembly is Great!",0 ;------------------------------------------------ Import_Table: user32_table: MessageBox dq _MessageBox import_: dd 0,0,0,user32_dll,user32_table dd 0 user32_dll db "user32",0,0 dw 0 _MessageBox db 0,0,"MessageBoxA" end_import:
Last edited by Mikl___ on 25 Mar 2015, 06:02; edited 1 time in total |
|||||||||||
24 Mar 2015, 07:53 |
|
|
randall 24 Mar 2015, 08:01
Cool! Thanks for sharing.
|
|||
|
24 Mar 2015, 08:01 |
|
|
Mikl___ 24 Mar 2015, 08:08
randall,
link to the original text in russian is http://www.cyberforum.ru/post6303336.html |
|||
|
24 Mar 2015, 08:08 |
|
|
l_inc 03 Apr 2015, 21:21
Mikl___
The 64-bit invoke macro has an unfortunate implementation that reuses the rax register to push arguments onto the stack: Quote:
Btw. instead of explicitly hardcoding the image base you'd better do smth. like IMAGE_BASE = $-rva $ at the beginning and then place IMAGE_BASE wherever you have 400000h . _________________ Faith is a superposition of knowledge and fallacy |
|||
|
03 Apr 2015, 21:21 |
|
|
Fixit 04 Apr 2015, 09:46
I would be impressed to see a demonstratably useful faster 64 bit program compared to a 32 bit one.
|
|||
|
04 Apr 2015, 09:46 |
|
|
revolution 04 Apr 2015, 10:18
Fixit: Perhaps you are misinformed about the purpose of 64-bit. It was never really to make things "faster". The main purpose was to allow use of larger data sets more easily. Even though that is the main reason we can still find some things can be faster in 64-bit and others can be faster in 32-bit. It all depends upon what is being done by the program.
|
|||
|
04 Apr 2015, 10:18 |
|
|
HaHaAnonymous 04 Apr 2015, 16:10
Quote:
The performance difference is negligible if you consider only this benefit: Many more registers to play with (twice as many). D: There are more benefits, of course. But that alone is enough. Many people may think: "Encryption software benefits from 64 bits". Well it does, but not in performance as I see: AESCrypt: Code: AESCrypt 32 = 7.893s AESCrypt 64 = 11.603s Perhaps if I had run the 32 bit on native 32 bits OS it would have a poorer performance, but that's what we have for now. D: And here is an example where 64 bit is faster than 32: Ordinary Memory Copy: Code: MemCopy 64 = 5.098s MemCopy 32 = 5.190s You see, it depends how you use it. The examples above were generated by an ignorant source (me). Treat them seriously at your own risk! I apologize for any inconveniences I may have caused. Last edited by HaHaAnonymous on 06 Apr 2015, 02:44; edited 3 times in total |
|||
|
04 Apr 2015, 16:10 |
|
|
Mikl___ 06 Apr 2015, 02:36
Thank you, l_inc!
Code: format PE64 GUI 5.0 entry WinMain include 'win64a.inc' ZZZ_TEST equ 0 ZZZ_OPEN equ 1 ZZZ_SAVE equ 2 ZZZ_EXIT equ 3 section '.text' code readable writeable executable _title TCHAR 'Iczelion Tutorial #8',0 ;name of our window _class TCHAR 'FASMWIN64',0;name of class wc WNDCLASSEX sizeof.WNDCLASSEX,0,WindowProc,0,0,IMAGE_BASE,0,10005h,COLOR_WINDOW,NULL,_class,NULL menu_name db 'ZZZ_Menu',0 test_msg db 'You select menu item TEST',0 open_msg db 'You select menu item OPEN',0 save_msg db 'You select menu item SAVE',0 menu_handlers dq test_msg, open_msg, save_msg proc WinMain IMAGE_BASE = $-rva $ local msg:MSG ; +------------------------------+ ; | registering the window class | ; +------------------------------+ sub rsp,20h xor ebx,ebx lea ecx,[wc] call [RegisterClassEx] mov edx,30 mov ecx,IMAGE_BASE call [LoadMenu] ; +--------------------------+ ; | creating the main window | ; +--------------------------+ sub rsp,40h xor ecx,ecx lea edx,[_class] lea r8,[_title] mov r9d,WS_OVERLAPPEDWINDOW or WS_VISIBLE mov [rsp+58h],rbx mov qword [rsp+50h],IMAGE_BASE mov [rsp+48h],rax mov [rsp+40h],rbx mov eax,CW_USEDEFAULT mov [rsp+38h],rax mov [rsp+30h],rax mov [rsp+28h],rax mov [rsp+20h],rax call [CreateWindowEx] add rsp,40h lea edi,[msg] ; +---------------------------+ ; | entering the message loop | ; +---------------------------+ window_message_loop_start: mov ecx,edi xor edx,edx mov r8,rbx mov r9,rbx call [GetMessage] mov ecx,edi call [DispatchMessage] jmp window_message_loop_start endp ; +----------------------+ ; | the window procedure | ; +----------------------+ proc WindowProc,hWnd,uMsg,wParam,lParam cmp edx,WM_COMMAND je wmCOMMAND cmp edx,WM_DESTROY je wmDESTROY wmDEFAULT: leave jmp [DefWindowProc] wmDESTROY:xor ecx,ecx call [ExitProcess] wmCOMMAND: cmp r8,ZZZ_EXIT je wmDESTROY show_msg: sub rsp,20h mov r9,rbx;r9=MB_OK mov rdx,[menu_handlers+r8*8] lea r8,[menu_name] call [MessageBox] add rsp,20h wmBYE: ret endp section '.idata' import data readable writeable library KERNEL32, 'KERNEL32.DLL',\ USER32, 'USER32.DLL' import KERNEL32,\ ExitProcess, 'ExitProcess' import USER32,\ RegisterClassEx, 'RegisterClassExA',\ CreateWindowEx, 'CreateWindowExA',\ DefWindowProc, 'DefWindowProcA',\ LoadMenu, 'LoadMenuA',\ GetMessage, 'GetMessageA',\ MessageBox, 'MessageBoxA',\ DispatchMessage, 'DispatchMessageA' section '.rsrc' resource data readable directory RT_MENU,appMenu resource appMenu,\ 30,LANG_ENGLISH,menuMain menu menuMain menuitem '&File',0,MFR_POPUP menuitem '&Test',ZZZ_TEST,MFT_STRING menuitem '&Open',ZZZ_OPEN,MFT_STRING menuitem '&Save',ZZZ_SAVE,MFT_STRING menuseparator menuitem '&Exit',ZZZ_EXIT,MFR_END menuitem '&Exit',ZZZ_EXIT,MFR_END |
|||
|
06 Apr 2015, 02:36 |
|
|
Fixit 10 Apr 2015, 04:26
Interesting.
.01 seconds faster for the memory copy does not look like much of a speed increase. |
|||
|
10 Apr 2015, 04:26 |
|
|
Mikl___ 11 Jun 2015, 01:28
a working PE64 with import, size of exe-file is 268 bytes
Code: format binary as 'exe' IMAGE_DOS_SIGNATURE equ 5A4Dh IMAGE_NT_SIGNATURE equ 00004550h PROCESSOR_AMD_X8664 equ 8664h IMAGE_SCN_CNT_CODE equ 00000020h IMAGE_SCN_MEM_READ equ 40000000h IMAGE_SCN_MEM_WRITE equ 80000000h IMAGE_SCN_CNT_INITIALIZED_DATA equ 00000040h IMAGE_SUBSYSTEM_WINDOWS_GUI equ 2 IMAGE_NT_OPTIONAL_HDR64_MAGIC equ 20Bh IMAGE_FILE_RELOCS_STRIPPED equ 1 IMAGE_FILE_EXECUTABLE_IMAGE equ 2 IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h include 'win64a.inc' org 0 use64 IMAGE_BASE = 400000h Signature: dw IMAGE_DOS_SIGNATURE,0 ntHeader dd IMAGE_NT_SIGNATURE;'PE' ;image_header-------------------------- .Machine dw PROCESSOR_AMD_X8664 .Count_of_section dw 0;2 .TimeStump dd 0 .Symbol_table_offset dd 0;ntHeader .Symbol_table_count dd 0 .Size_of_optional_header dw EntryPoint-optional_header .Characteristics dw 0x20 or IMAGE_FILE_RELOCS_STRIPPED or IMAGE_FILE_EXECUTABLE_IMAGE ;20h Handle >2Gb addresses ;------------------------------------- optional_header: .Magic_optional_header dw IMAGE_NT_OPTIONAL_HDR64_MAGIC .Linker_version_major_and_minor dw 9 .Size_of_code dd 0 .Size_of_init_data dd 0;xC0 .Size_of_uninit_data dd 0 .entry_point dd EntryPoint .base_of_code dd ntHeader .image_base dq IMAGE_BASE .section_alignment dd 4 .file_alignment dd 4 .OS_version_major_minor dw 5,2 .image_version_major_minor dd 0 .subsystem_version_major_minor dw 5,2 .Win32_version dd 0 .size_of_image dd EndOfImage .size_of_header dd EntryPoint .checksum dd 0 .subsystem dw IMAGE_SUBSYSTEM_WINDOWS_GUI .DLL_flag dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE .Stack_allocation dq 0x100000 .Stack_commit dq 0x1000 .Heap_allocation dq 0x100000 .Heap_commit dq 0x1000 .loader_flag dd 0 .number_of_dirs dd (EntryPoint-export_RVA_size)/8 export_RVA_size dq 0 .import_RVA dd import_ .import_size dd end_import-import_ ;------------------------------------------------ EntryPoint: enter 20h,0 ; space for 4 arguments + 16byte aligned stack xor ecx, ecx ; 1. argument: rcx = hWnd = NULL mov r9, rcx ; 4. argument: r9d = uType = MB_OK = 0 mov edx,MsgCaption+IMAGE_BASE ; 2. argument: edx = window text mov r8,rdx ; 3. argument: r8 = caption call [MessageBox] leave ret ;------------------------------------------------ MsgCaption db "Iczelion's tutorial #2a",0 ;------------------------------------------------- Import_Table: user32_table: MessageBox dq _MessageBox import_: dd 0,0,0,user32_dll,user32_table dd 0 user32_dll db "user32",0,0 dw 0 _MessageBox db 0,0,"MessageBoxA" end_import: times 268-end_import db 0 ;filling up to 268 bytes EndOfImage:
|
|||||||||||
|
11 Jun 2015, 01:28 |
|
|
MUFOS 17 Jun 2016, 00:20
Do you have a Win32 version available of this?
Great share! |
|||
|
17 Jun 2016, 00:20 |
|
|
Mikl___ 17 Jun 2016, 01:28
MUFOS,
in Win32 parameters in API functions passed via stack, in Win64 parameters are passed via registers RCX, RDX, R8, R9, which are not in Win32. Especially for Win32 XP or Seven I wrote a program that creates MessageBox with size equal to 97 bytes, but this program will not work, even in compatibility mode in Win64. You must to translate the program from MASM dialect to FASM dialect yourself Code: .686P .model flat include windows.inc includelib user32.lib includelib kernel32.lib extern _imp__MessageBoxA@16:dword extern _imp__WriteFile@20:dword extern _imp__CreateFileA@28:dword extern _imp__CloseHandle@4:dword extern _imp__LoadLibraryA@4:dword .code start: xor ebx,ebx push MB_ICONINFORMATION OR MB_SYSTEMMODAL;1040h push offset szInfoCap push offset namefile push ebx call _imp__MessageBoxA@16 mov eax,_imp__LoadLibraryA@4 sub eax,offset _LoadLibraryA-buffer+ImageBase+size _LoadLibraryA;400023h mov _LoadLibraryA,eax mov eax,_imp__MessageBoxA@16 sub eax,offset _MessageBoxA-buffer+ImageBase+size _MessageBoxA;400035h mov _MessageBoxA,eax push ebx ;NULL push FILE_ATTRIBUTE_ARCHIVE push CREATE_ALWAYS push ebx push FILE_SHARE_READ or FILE_SHARE_WRITE push GENERIC_READ or GENERIC_WRITE push offset namefile call _imp__CreateFileA@28 push eax ;hFile 4;O CloseHandle push ebx ;lpOverlapped push offset SizeReadWrite ;lpNumberOfBytesToWrite push sizeof_image;a4-buffer ;nNumberOfBytesToWrite=97 push offset buffer ;lpBuffer push eax ;hFile 4;O WriteFile call _imp__WriteFile@20 call _imp__CloseHandle@4 QUIT: retn ImageBase equ 400000h buffer dd 'ZM','EP' dw 14Ch ;Machine (Intel 386) dw 0 ;NumberOfSection EntryPoint: xor ebx,ebx ; ebx = 0 mov edi,offset namedll-buffer+ImageBase push edi ;push offset user32 jmp short @f db 0,0 ; UNUSED dw a4-optheader ;SizeOfOptionalHeader dw 103h ;Characteristics (no relocations, executable, 32 bit) optheader: dw 10Bh ;Magic PE32 @@: db 0E8h ;call LoadLibraryA _LoadLibraryA dd 0 push ebx ;push 0 push edi ;push offset user32 push edi ;push offset user32 push ebx ;push 0 jmp short @f db 0,0,0 dd EntryPoint-buffer @@: db 0E8h ;call MessageBoxA _MessageBoxA dd 0 retn dw 0 ; UNUSED dd ImageBase ;ImageBase dd 4 ;SectionAligment dd 4 ;FileAligment namedll db 'user32',0,0 ; UNUSED dd 4 ;MinorSubsystemVersion UNUSED dd 0 ;Win32VersionValue UNUSED dd 68h ;SizeOfimage dd sizeof_image;64h ;SizeOfHeader dd 0 ;CheckSum UNUSED db 2 ;Subsystem (Win32 GUI) a4: ;--------------------------------------------------------------------------- sizeof_image=$-buffer .data szInfoCap db "Creator tiny MessageBox",0 namefile db 'tiny97.exe',0 SizeReadWrite dd 0 end start |
|||
|
17 Jun 2016, 01:28 |
|
|
MUFOS 17 Jun 2016, 12:18
Mikl___ wrote: MUFOS, Thank you a lot! Are you saying this won't run under Win64. How would I make it do so? |
|||
|
17 Jun 2016, 12:18 |
|
|
Mikl___ 18 Jun 2016, 05:20
Quote: Are you saying this won't run under Win64. How would I make it do so? a working PE64 with import, size of exe-file is 268 bytes |
|||
|
18 Jun 2016, 05:20 |
|
|
MUFOS 19 Jun 2016, 01:45
Mikl___ wrote:
I meant, under 64 bit versions of Windows. |
|||
|
19 Jun 2016, 01:45 |
|
|
therektafire 06 Dec 2023, 21:28
Mikl___ wrote: a working PE64 with import, size of exe-file is 268 bytes This 268 byte one doesn't seem to work in Windows 10, at least not the current version, I don't get any obvious error popups either when I run it from the command line or by clicking, but the message box doesn't appear so clearly something is wrong. However OP's 345 byte one does work, I wonder what the exact difference is that's causing it to not work, is that in the smaller version there are no sections? That would be my guess but i'm no PE or low level windows expert so i'm not sure why exactly it won't work, just that it doesn't 🤷 |
|||
|
06 Dec 2023, 21:28 |
|
|
MatQuasar 03 Jan 2024, 09:56
This is great! The 345-byte EXE still run on my Windows 10 22H2.
Is the below a must? Code: .DLL_flag dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE Code: IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h Even if I omit this, it still works. |
|||
|
03 Jan 2024, 09:56 |
|
|
MatQuasar 03 Jan 2024, 12:13
I tweaked a little bit from Tomasz' "Learning binary file formats (work in progress)" example (basic.asm), and got a quite small, 32-bit 512-byte EXE that runs under Windows 10 22H2.
I learned from OP example that FileAlignment and SectionAlignment must be 16 each, the rest of the header fields (in original basic.asm) were mostly unchanged. The changes include: Code: FILE_ALIGNMENT := 16 SECTION_ALIGNMENT := 16 The Data Directory size is only 2: Code: RvaAndSizes: .Export.Rva dd 0 .Export.Size dd 0 .Import.Rva dd ImportTable-IMAGE_BASE .Import.Size dd ImportTable.End-ImportTable ;.Resource.Rva dd 0 ;.Resource.Size dd 0 ;.Exception.Rva dd 0 ;.Exception.Size dd 0 ;.Certificate.Rva dd 0 ;.Certificate.Size dd 0 ;.BaseRelocation.Rva dd 0 ;.BaseRelocation.Size dd 0 ;.Debug.Rva dd 0 ;.Debug.Size dd 0 ;.Architecture.Rva dd 0 ;.Architecture.Size dd 0 ;.GlobalPtr.Rva dd 0 ;.GlobalPtr.Size dd 0 ;.TLS.Rva dd 0 ;.TLS.Size dd 0 ;.LoadConfig.Rva dd 0 ;.LoadConfig.Size dd 0 ;.BoundImport.Rva dd 0 ;.BoundImport.Size dd 0 ;.IAT.Rva dd 0 ;.IAT.Size dd 0 ;.DelayImport.Rva dd 0 ;.DelayImport.Size dd 0 ;.COMPlus.Rva dd 0 ;.COMPlus.Size dd 0 ;.Reserved.Rva dd 0 ;.Reserved.Size dd 0 Added the first line (so that no need to rename the binary file afterward): Code: format binary as "exe" The full source (modified from basic.asm) Code: format binary as "exe" macro align? pow2*,value:? db (-$) and (pow2-1) dup value end macro include '80386.inc' use32 IMAGE_BASE := 0x400000 org IMAGE_BASE FILE_ALIGNMENT := 16 SECTION_ALIGNMENT := 16 Stub: .Signature dw "MZ" .BytesInLastSector dw SIZE_OF_STUB mod 512 .NumberOfSectors dw (SIZE_OF_STUB-1)/512 + 1 .NumberOfRelocations dw 0 .NumberOfHeaderParagraphs dw SIZE_OF_STUB_HEADER / 16 db 0x3C - ($-Stub) dup 0 .NewHeaderOffset dd Header-IMAGE_BASE align 16 SIZE_OF_STUB_HEADER := $ - Stub ; The code of a DOS program would go here. SIZE_OF_STUB := $ - Stub align 8 Header: .Signature dw "PE",0 .Machine dw 0x14C ; IMAGE_FILE_MACHINE_I386 .NumberOfSections dw NUMBER_OF_SECTIONS .TimeDateStamp dd %t .PointerToSymbolTable dd 0 .NumberOfSymbols dd 0 .SizeOfOptionalHeader dw SectionTable - OptionalHeader .Characteristics dw 0x102 ; IMAGE_FILE_32BIT_MACHINE + IMAGE_FILE_EXECUTABLE_IMAGE OptionalHeader: .Magic dw 0x10B .MajorLinkerVersion db 0 .MinorLinkerVersion db 0 .SizeOfCode dd 0 .SizeOfInitializedData dd 0 .SizeOfUninitializedData dd 0 .AddressOfEntryPoint dd EntryPoint-IMAGE_BASE .BaseOfCode dd 0 .BaseOfData dd 0 .ImageBase dd IMAGE_BASE .SectionAlignment dd SECTION_ALIGNMENT .FileAlignment dd FILE_ALIGNMENT .MajorOperatingSystemVersion dw 3 .MinorOperatingSystemVersion dw 10 .MajorImageVersion dw 0 .MinorImageVersion dw 0 .MajorSubsystemVersion dw 3 .MinorSubsystemVersion dw 10 .Win32VersionValue dd 0 .SizeOfImage dd SIZE_OF_IMAGE .SizeOfHeaders dd SIZE_OF_HEADERS .CheckSum dd 0 .Subsystem dw 2 ; IMAGE_SUBSYSTEM_WINDOWS_GUI .DllCharacteristics dw 0 .SizeOfStackReserve dd 4096 .SizeOfStackCommit dd 4096 .SizeOfHeapReserve dd 65536 .SizeOfHeapCommit dd 0 .LoaderFlags dd 0 .NumberOfRvaAndSizes dd NUMBER_OF_RVA_AND_SIZES RvaAndSizes: .Export.Rva dd 0 .Export.Size dd 0 .Import.Rva dd ImportTable-IMAGE_BASE .Import.Size dd ImportTable.End-ImportTable ;.Resource.Rva dd 0 ;.Resource.Size dd 0 ;.Exception.Rva dd 0 ;.Exception.Size dd 0 ;.Certificate.Rva dd 0 ;.Certificate.Size dd 0 ;.BaseRelocation.Rva dd 0 ;.BaseRelocation.Size dd 0 ;.Debug.Rva dd 0 ;.Debug.Size dd 0 ;.Architecture.Rva dd 0 ;.Architecture.Size dd 0 ;.GlobalPtr.Rva dd 0 ;.GlobalPtr.Size dd 0 ;.TLS.Rva dd 0 ;.TLS.Size dd 0 ;.LoadConfig.Rva dd 0 ;.LoadConfig.Size dd 0 ;.BoundImport.Rva dd 0 ;.BoundImport.Size dd 0 ;.IAT.Rva dd 0 ;.IAT.Size dd 0 ;.DelayImport.Rva dd 0 ;.DelayImport.Size dd 0 ;.COMPlus.Rva dd 0 ;.COMPlus.Size dd 0 ;.Reserved.Rva dd 0 ;.Reserved.Size dd 0 SectionTable: .1.Name dq +'.text' .1.VirtualSize dd Section.1.End - Section.1 .1.VirtualAddress dd Section.1 - IMAGE_BASE .1.SizeOfRawData dd Section.1.SIZE_IN_FILE .1.PointerToRawData dd Section.1.OFFSET_IN_FILE .1.PointerToRelocations dd 0 .1.PointerToLineNumbers dd 0 .1.NumberOfRelocations dw 0 .1.NumberOfLineNumbers dw 0 .1.Characteristics dd 0x60000000 ; IMAGE_SCN_MEM_EXECUTE + IMAGE_SCN_MEM_READ .2.Name dq +'.rdata' .2.VirtualSize dd Section.2.End - Section.2 .2.VirtualAddress dd Section.2 - IMAGE_BASE .2.SizeOfRawData dd Section.2.SIZE_IN_FILE .2.PointerToRawData dd Section.2.OFFSET_IN_FILE .2.PointerToRelocations dd 0 .2.PointerToLineNumbers dd 0 .2.NumberOfRelocations dw 0 .2.NumberOfLineNumbers dw 0 .2.Characteristics dd 0x40000000 ; IMAGE_SCN_MEM_READ SectionTable.End: NUMBER_OF_RVA_AND_SIZES := (SectionTable-RvaAndSizes)/8 NUMBER_OF_SECTIONS := (SectionTable.End-SectionTable)/40 SIZE_OF_HEADERS := Section.1.OFFSET_IN_FILE align SECTION_ALIGNMENT Section.1: section $%% align FILE_ALIGNMENT,0 Section.1.OFFSET_IN_FILE: section Section.1 EntryPoint: push 0 push CaptionString push MessageString push 0 call [MessageBoxA] push 0 call [ExitProcess] Section.1.End: align SECTION_ALIGNMENT Section.2: section $%% align FILE_ALIGNMENT,0 Section.1.SIZE_IN_FILE := $ - Section.1.OFFSET_IN_FILE Section.2.OFFSET_IN_FILE: section Section.2 ImportTable: .1.ImportLookupTableRva dd KernelLookupTable-IMAGE_BASE .1.TimeDateStamp dd 0 .1.ForwarderChain dd 0 .1.NameRva dd KernelDLLName-IMAGE_BASE .1.ImportAddressTableRva dd KernelAddressTable-IMAGE_BASE .2.ImportLookupTableRva dd UserLookupTable-IMAGE_BASE .2.TimeDateStamp dd 0 .2.ForwarderChain dd 0 .2.NameRva dd UserDLLName-IMAGE_BASE .2.ImportAddressTableRva dd UserAddressTable-IMAGE_BASE dd 0,0,0,0,0 KernelLookupTable: dd ExitProcessLookup-IMAGE_BASE dd 0 KernelAddressTable: ExitProcess dd ExitProcessLookup-IMAGE_BASE ; this is going to be replaced with the address of the function dd 0 UserLookupTable: dd MessageBoxALookup-IMAGE_BASE dd 0 UserAddressTable: MessageBoxA dd MessageBoxALookup-IMAGE_BASE ; this is going to be replaced with the address of the function dd 0 align 2 ExitProcessLookup: .Hint dw 0 .Name db 'ExitProcess',0 align 2 MessageBoxALookup: .Hint dw 0 .Name db 'MessageBoxA',0 KernelDLLName db 'KERNEL32.DLL',0 UserDLLName db 'USER32.DLL',0 ImportTable.End: CaptionString db "PE tutorial",0 MessageString db "I am alive and well!",0 Section.2.End: align SECTION_ALIGNMENT SIZE_OF_IMAGE := $ - IMAGE_BASE section $%% align FILE_ALIGNMENT,0 Section.2.SIZE_IN_FILE := $ - Section.2.OFFSET_IN_FILE https://pastebin.com/L8qLWLhn https://pastebin.com/EcDMUtAX
Last edited by MatQuasar on 07 Jan 2024, 14:38; edited 1 time in total |
||||||||||
|
03 Jan 2024, 12:13 |
|
|||||||||
|
Mikl___ 07 Jan 2024, 13:25
a working PE64 with import, size of exe-file is 282 bytes run on Windows 10
Code: format binary as "exe" include "win64a.inc" struc dbs [data] { common . db data .size = $ - . } IMAGE_DOS_SIGNATURE equ 5A4Dh IMAGE_NT_SIGNATURE equ 00004550h PROCESSOR_AMD_X8664 equ 8664h IMAGE_SCN_CNT_CODE equ 00000020h IMAGE_SCN_MEM_WRITE equ 80000000h IMAGE_SCN_MEM_READ equ 40000000h IMAGE_SCN_CNT_INITIALIZED_DATA equ 00000040h IMAGE_SUBSYSTEM_WINDOWS_GUI equ 2 IMAGE_NT_OPTIONAL_HDR64_MAGIC equ 20Bh IMAGE_FILE_RELOCS_STRIPPED equ 1 IMAGE_FILE_EXECUTABLE_IMAGE equ 2 IMAGE_BASE equ 0x400000 align1 equ 4;0x10 IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h use64 org 0 ;--------DOS-stub------------------------------- Signature dw IMAGE_DOS_SIGNATURE,0 ;-------PE-------------------------------------------------- ntHeader dd IMAGE_NT_SIGNATURE;'PE' ;image_header---- Machine dw PROCESSOR_AMD_X8664 Count_of_section dw 1 TimeStump dd 0 Symbol_table_offset dd 0 Symbol_table_count dd 0 Size_of_optional_header dw section_table-optional_header Characteristics dw IMAGE_FILE_RELOCS_STRIPPED or \ IMAGE_FILE_EXECUTABLE_IMAGE ;------- optional_header: Magic_optional_header dw IMAGE_NT_OPTIONAL_HDR64_MAGIC Linker_version_major_and_minor dw 9 Size_of_code dd Import_Table-begin Size_of_init_data dd 0x70 Size_of_uninit_data dd 0 entry_point dd begin base_of_code dd ntHeader ;----------------------------------------------------- image_base dq IMAGE_BASE section_alignment dd align1 file_alignment dd align1 OS_version_major_minor dw 5,2 image_version_major_minor dd 0 subsystem_version_major_minor dw 5,2 Win32_version dd 0 size_of_image dd end_import size_of_header dd begin checksum dd 0 subsystem dw IMAGE_SUBSYSTEM_WINDOWS_GUI DLL_flag dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE Stack_allocation dq 0x100000 Stack_commit dq 0x1000 Heap_allocation dq 0x100000 Heap_commit dq 0x1000 loader_flag dd 0 number_of_dirs dd (section_table-export_RVA_size)/8 export_RVA_size dq 0 import_RVA_size dd _import,0x3C ;------------------------------------------------ section_table dq ".text" .virtual_size dd 0x55 .virtual_address dd begin .Physical_size dd end_import-begin .Physical_offset dd begin .Relocations_and_Linenumbers dq 0 .Relocations_and_Linenumbers_count dd 0 .Attributes dd IMAGE_SCN_MEM_WRITE or IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_READ ;or IMAGE_SCN_CNT_INITIALIZED_DATA ;------------------------------------------------ begin: push rbp xor ecx,ecx mov edx,user32_dll+IMAGE_BASE lea r8d,[rdx+12] xor r9d,r9d call [MessageBox] pop rbp retn ;------------------------------------------------ Import_Table: user32_table: MessageBox dq _MessageBox,0 _import: dd 0,0,0,user32_dll,user32_table dd 0 user32_dll db "user32",0,0 dw 0 _MessageBox db 0,0,"MessageBoxA" end_import: |
|||
|
07 Jan 2024, 13:25 |
|
| Goto page 1, 2, 3 Next < Last Thread | Next Thread > |
Forum Rules:
|