flat assembler
Message board for the users of flat assembler.
Index
> Assembly > Notes copied from Twitter |
Author |
|
Tomasz Grysztar 15 May 2021, 11:13
This is a collection of various notes that I originally posted on Twitter, mostly in 2018, while working on my binary formats tutorial. I copy their contents here to preserve them, but also to make it easier to find and read them all.
MZ stub: Tomasz Grysztar wrote: The PE loader in modern Windows does not care about the validity of MZ stub at all. It only pays attention to MZ signature and the offset of PE headers at position 0x3C. Tomasz Grysztar wrote: The "Rich" header put into PE stub by modern Microsoft tools is a clever design that makes use of this otherwise ignored area. But wouldn't it be fun if the stub program itself got a bit of a face-lift? Magic values: Tomasz Grysztar wrote: COFF's optional header mimics old a.out format, which it was supposed to replace on Unix systems. This is where the magic value in the optional header comes from. Tomasz Grysztar wrote: ELF did not hold onto the legacy. It seems deliberately designed as a fresh start, cautious to not copy limitations of its predecessors. NT subsystems: Tomasz Grysztar wrote: In the early days of PE, files usually had "operating system version" set to 1.0 and only "subsystem version" was used for the actual version of Windows (like 3.10 or 4.0). Section alignment: Tomasz Grysztar wrote: When PE image uses a section alignment smaller than the page size, there is a restriction that relative addresses in memory need to exactly match the offsets in file. Import Directory Entry: Tomasz Grysztar wrote: An early description of PE format from 1993 defined Import Directory Entry with layout a bit different from the final standard. The first field, which now points to ILT, was designated as flags. Various headers and documents retain an obsolete name Characteristics for it. Empty sections: Tomasz Grysztar wrote: Modern Windows (based on NT kernel) rejects to load a PE file containing an empty section (one that has virtual size set to zero). Other implementations, like Windows 9x or Win32s, did not object to such setup. Export Ordinal Table: Tomasz Grysztar wrote: PE specification has contradictory statements about the Export Ordinal Table. First defines it as an array of indexes into the Export Address Table, then suggests that these are the ordinals. Large ordinals: Tomasz Grysztar wrote: Export table in PE may have Ordinal Base higher than 65535. In theory it should be possible to import functions with such high numbers, since ILT entries may contain 31-bit ordinals. This worked perfectly on old implementations like Windows 9x. Manifest loadFrom: Tomasz Grysztar wrote: In Windows, an executable can spell out a path to a DLL it needs with a loadFrom attribute in RT_MANIFEST resource. This is a nice tool for testing and experimentation, too bad it is undocumented. Resource tables: Tomasz Grysztar wrote: Early PE specifications like http://bytepointer.com/resources/pecoff_v4.0.htm stated that resource tables use RVAs to point to subdirectories or data entries. At the same time they included example that contradicted this by using offsets relative to the beginning of the table. Printable x86 code: Tomasz Grysztar wrote: An x86 program that consists only of printable ASCII characters may sound like something intended for shellcode, but it is an art with a long history. I first saw it in MS-DOS when I encountered files made with COM2TXT. http://sac.sk/files.php?d=17&l=C Undocumented instructions: Tomasz Grysztar wrote: I find it ironic that the only time I saw SALC instruction described in official CPU documentation was when manuals for x86-64 (later renamed to AMD64) listed it among opcodes not promoted to long mode. Pentium F00F bug and Win9x: Tomasz Grysztar wrote: The Pentium F00F bug might have sounded like nothing serious to the users of Windows 95. Getting that system to freeze was nothing extraordinary, even a user-mode program could do it with just a couple of regular instructions. The simplest method I know is CLI followed by JMP $. Relocatable PE: Tomasz Grysztar wrote: As long as PE has fixups, it may get relocated when default base is unavailable, apparently even IMAGE_FILE_RELOCS_STRIPPED does not block this action (it did on Win32s, though). Win32s: Tomasz Grysztar wrote: Win32s, which allowed to run 32-bit programs on Windows 3.1, was a peculiar early implementation of PE loading. It was not able to load programs at their standard base, so every image had to include relocations. PT_PHDR: Tomasz Grysztar wrote: ELF specification defines PT_PHDR as optional and I used to think that it is never really needed in Linux. Origins of executable formats: Tomasz Grysztar wrote: While working on my tutorial I've been digging through Usenet archives and I found that - contrary to my earlier impression - Mach-O and ELF appeared almost simultaneously in 1988, and PE might also had been born around that date (development of NT was started then). |
|||
15 May 2021, 11:13 |
|
bitRAKE 15 May 2021, 23:43
I like to force ASLR with a base address of zero.
Tomasz Grysztar wrote: Manifest loadFrom: _________________ ¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup |
|||
15 May 2021, 23:43 |
|
FlierMate 18 May 2021, 02:35
Origins of executable formats:
Tomasz Grysztar wrote: .....Each of the new formats had been made future-proof enough so that they stayed with us for 30 years and more. Enough time for me to catch up, x86 Assembly language and PE file format have not changed much for decades. Nice read, Tomasz. As a side note, your Twitter posts earlier than 18 Jul 2018 were not found but I saw you registered in 2013? Sorry if I have become busybody. And I like your Paged Out article. I am proud of you. |
|||
18 May 2021, 02:35 |
|
wizgogo 18 May 2021, 08:52
Any info about android ELF?
|
|||
18 May 2021, 08:52 |
|
Hrstka 18 May 2021, 11:13
In PE32+ relative virtual addresses remained only 32-bit. To me it would make more sense if they were 64-bit.
|
|||
18 May 2021, 11:13 |
|
bitRAKE 24 May 2021, 15:57
Tomasz Grysztar wrote:
There are many invalid addresses that result in forced relocation. For example, DEFAULT_IMAGE_BASE := -1 shl 16. A useful configuration for 64-bit is the use: Code: .Characteristics dw IMAGE_FILE_32BIT_MACHINE \ + IMAGE_FILE_EXECUTABLE_IMAGE \ + IMAGE_FILE_LARGE_ADDRESS_AWARE ... .DllCharacteristics dw IMAGE_DLLCHARACTERISTICS_NX_COMPAT \ + IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\ + IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA Yes, even the stack is high in memory. This is useful from a debugging standpoint of catching address truncation errors when migrating 32-bit code. It's useful from a algorithmic standpoint when working with pointer heavy structures - as they can be put low in memory - effectively doubling throughput (whilst making the code equivalent to the 32-bit at minimum). Useful from an obfuscation standpoint as one can allocate the low memory matching the process space and produce some very confusing code. _________________ ¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup |
|||
24 May 2021, 15:57 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.