flat assembler
Message board for the users of flat assembler.

How to combine import table and code section as one?

FlierMate 09 Apr 2021, 15:14
Theoretically I still think it is possible to combine all three basic sections (namely, .data, .code and .idata) together into one 512-byte (minimum as required by FileAlignment setting) section by generating the PE manually.
E.g. virtual address of section header of import table normally starts at 0x03000, we might adjust it to point to the address after the virtual size of code section.
All data would be placed in the beginning of code section, hence no data section.

Is this possible? And will it run?

PS: By combining them as one, we might have an EXE as tiny as 1024 bytes only (including PE headers).

What I mean is for a small program like displaying a text string on screen, or a message box on the desktop. I know I can just have a code section alone, but without the Win32 API the program would be doing nothing.
revolution 09 Apr 2021, 18:11
There are already lots of minimal PE examples on this board.
FlierMate 09 Apr 2021, 19:50
revolution wrote:
There are already lots of minimal PE examples on this board.


Thanks for your reminder. I saw you actually told the same thing to a forum member in 2011. Razz

bitRAKE's minimal PE example is impressive. I can only get 1536 bytes at minimum using macro without hardcoding the binary format manually.
Tomasz Grysztar 09 Apr 2021, 20:56
There used to be this simple example in the fasmw package, which assembles to 1024 bytes:
Code:
; Beer - example of tiny (one section) Win32 program

format PE GUI 4.0

include 'win32a.inc'

; no section defined - fasm will automatically create .flat section for both
; code and data, and set entry point at the beginning of this section

        invoke  MessageBoxA,0,_message,_caption,MB_ICONQUESTION+MB_YESNO
        cmp     eax,IDYES
        jne     exit

        invoke  mciSendString,_cmd_open,0,0,0
        invoke  mciSendString,_cmd_eject,0,0,0
        invoke  mciSendString,_cmd_close,0,0,0

exit:
        invoke  ExitProcess,0

_message db 'Do you need a place for the beer?',0
_caption db 'Desktop configuration',0

_cmd_open db 'open cdaudio',0
_cmd_eject db 'set cdaudio door open',0
_cmd_close db 'close cdaudio',0

; import data in the same section

data import

 library kernel32,'KERNEL32.DLL',\
         user32,'USER32.DLL',\
         winmm,'WINMM.DLL'

 import kernel32,\
        ExitProcess,'ExitProcess'

 import user32,\
        MessageBoxA,'MessageBoxA'

 import winmm,\
        mciSendString,'mciSendStringA'

end data    
I stopped distributing it in the official package though, partly because AVs seemed to hate it more than the others. Also: it relies on an obsolete technology (CD tray). Wink
FlierMate 09 Apr 2021, 21:33
Tomasz Grysztar wrote:
There used to be this simple example in the fasmw package, which assembles to 1024 bytes:
Code:
; Beer - example of tiny (one section) Win32 program

format PE GUI 4.0

include 'win32a.inc'

; no section defined - fasm will automatically create .flat section for both
; code and data, and set entry point at the beginning of this section

        invoke  MessageBoxA,0,_message,_caption,MB_ICONQUESTION+MB_YESNO
        cmp     eax,IDYES
        jne     exit

        invoke  mciSendString,_cmd_open,0,0,0
        invoke  mciSendString,_cmd_eject,0,0,0
        invoke  mciSendString,_cmd_close,0,0,0

exit:
        invoke  ExitProcess,0

_message db 'Do you need a place for the beer?',0
_caption db 'Desktop configuration',0

_cmd_open db 'open cdaudio',0
_cmd_eject db 'set cdaudio door open',0
_cmd_close db 'close cdaudio',0

; import data in the same section

data import

 library kernel32,'KERNEL32.DLL',\
         user32,'USER32.DLL',\
         winmm,'WINMM.DLL'

 import kernel32,\
        ExitProcess,'ExitProcess'

 import user32,\
        MessageBoxA,'MessageBoxA'

 import winmm,\
        mciSendString,'mciSendStringA'

end data    
I stopped distributing it in the official package though, partly because AVs seemed to hate it more than the others. Also: it relies on an obsolete technology (CD tray). Wink


Thank you, this is what I needed. Very Happy

And it actually opened my laptop CD tray when I clicked Yes. It still works, and Windows Defender does not complain about anything.


Description: The import table mixed with (1) code, (2) data in one section, but offset starts at 0x02BD (as shown in hexdump above).
(0x10BD - 0x1000 + 0x200 = 02BD ;-)

T03.JPG


Description: Original first thunk in import descriptor table is indeed 0x1130 (as shown in hexdump above)

T02.JPG


Description: Hexdump of single section starting at 0x200 (512th byte)

T01.JPG


Post 09 Apr 2021, 21:33
View user's profile Send private message Reply with quote
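The RVA-to-file-offset arithmetic from the attachment descriptions above (0x10BD - 0x1000 + 0x200 = 0x2BD), as an added example that is not part of the original thread: a small static check that reads a PE's headers, finds the section holding the import directory, and reports whether that section also holds the entry point and is both writable and executable. The sample header is constructed here; its section flags (0xE0000060), section sizes and import directory size are assumptions, while the RVA, section base and raw offset are the values quoted in the post.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* flags

def build_sample():
    """Constructed PE32 headers only (no code bytes): one '.flat' section."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, 0x10BD, 0x80)  # import directory (index 1)
    sec = struct.pack("<8sIIIIIIHHI", b".flat", 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0xE0000060)           # flags are an assumption
    return dos + b"PE\0\0" + coff + bytes(opt) + sec

def import_layout(pe):
    """Locate the import directory and describe the section that contains it."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    imp_rva, imp_size = struct.unpack_from("<II", pe, dirs + 8)
    if imp_rva == 0 or imp_size == 0:
        return None                                     # image has no import directory
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", pe, hdr)
        flags = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize), raw, flags))
    def find(rva):
        return next((s for s in sections if s[1] <= rva < s[1] + s[2]), None)
    imp, ep = find(imp_rva), find(entry)
    if imp is None:
        raise ValueError("import directory lies outside every section")
    return {
        "import_section": imp[0],
        "import_file_offset": imp_rva - imp[1] + imp[3],   # RVA - VA + PointerToRawData
        "shared_with_entry_point": ep is imp,
        "writable_and_executable": (imp[4] & (MEM_EXECUTE | MEM_WRITE))
                                   == (MEM_EXECUTE | MEM_WRITE),
    }
```
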
bitRAKE 10 Apr 2021, 15:09
IIRC, the 64-bit version of WinXP has a very relaxed loader - I could make under 400 byte EXEs. On Win10 the loader is more strict and security enforcing (especially with regard to subsystem 10 programs). fasm(g)'s DATA {type}/END DATA make it very easy to merge sections and just use the directory table. Sections are only needed for memory semantics/protections.

An alternate perspective, rather than aim for small PE, make as much of the file zero bytes as possible (to maximize compression). The entry address and image base can both be zero. It requires combination of many techniques.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
