flat assembler
Message board for the users of flat assembler.
Windows > Tiny PE in win64
revolution 07 Jan 2024, 13:30
I note that you have this line 'include "win64a.inc"' but it is not needed. The code doesn't use any of the provided macros. The line can be deleted.
Mikl___ 07 Jan 2024, 14:00
Thank you revolution!
MatQuasar 07 Jan 2024, 14:01
Yes, just tested, it worked on my Windows 10. Not sure about Windows 11 though.
Mikl___ 08 Jan 2024, 08:46
MatQuasar wrote:
Not sure about Windows 11 though.

Hi MatQuasar! What's the matter? Try . . .
MatQuasar 08 Jan 2024, 09:20
Mikl___ wrote:
Hi Mikl___, I am happy with your findings in discovering tiny PE. However, as bitRAKE had pointed out in his post: https://board.flatassembler.net/topic.php?t=22804&start=15 (you need to log in to view his post as it is in the Heap section)

bitRAKE wrote:
On Win11, I don't think PE's smaller than 1K are possible - there is a rigid enforcement of 512 byte file/section alignment. I've been trying all the old methods and so far nothing works.

I wish to try but I don't have Windows 11.
revolution 26 Feb 2024, 14:14
MatQuasar wrote:
Where is the tiny PE example by Mike Gonta? I saw it days ago as a separate thread.

https://board.flatassembler.net/search.php?search_author=Mike+Gonta
jochenvnltn 14 Apr 2024, 11:55
I know this is an old thread, but I tried myself to create a manual PE that works on Windows 10.
I came up with the code below, which is a working x64 PE file that displays a MessageBox. The only thing is that it compiles to 309 bytes, which is bigger than the examples shown here. What can I improve on to make it smaller?

Code:
format binary as 'exe'
use64
org 0

; https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
MZ_header:
        dw 'MZ'                 ; e_magic
        dw 0                    ; e_cblp
        dd 'PE'                 ; e_cp, e_crlc (PE Signature, at file offset 4)
File_Header:
        dw 8664h                ; Machine AMD64
        dw 1                    ; NumberOfSections
        dd 0                    ; TimeDateStamp
        dd 0                    ; PointerToSymbolTable
        dd 0                    ; NumberOfSymbols
        dw 80h                  ; SizeOfOptionalHeader
        dw 3                    ; Characteristics
Optional_Header:
        dw 020Bh                ; Magic PE64
        db 9h                   ; MajorLinkerVersion
        db 00                   ; MinorLinkerVersion
        dd 0                    ; SizeOfCode
        dd 0                    ; SizeOfInitializedData
        dd 0                    ; SizeOfUninitializedData
        dd main                 ; AddressOfEntryPoint
        dd 0                    ; BaseOfCode
        dq 0x400000             ; ImageBase
        dd 4                    ; SectionAlignment (file offset 3Ch: also read as e_lfanew, pointing at 'PE' above)
        dd 4                    ; FileAlignment
        dw 5,2                  ; MajorOperatingSystemVersion & MinorOperatingSystemVersion
        dd 0                    ; MajorImageVersion & MinorImageVersion
        dw 5,2                  ; MajorSubsystemVersion & MinorSubsystemVersion
        dd 0                    ; Win32VersionValue
        dd EOF                  ; SizeOfImage
        dd 0                    ; SizeOfHeaders
        dd 0                    ; CheckSum
        dw 2                    ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
        dw 0                    ; DllCharacteristics
        dq 0x100000             ; SizeOfStackReserve
        dq 0x1000               ; SizeOfStackCommit
        dq 0x100000             ; SizeOfHeapReserve
        dq 0x1000               ; SizeOfHeapCommit
        dd 0                    ; LoaderFlags
        dd 2                    ; NumberOfRvaAndSizes
        dq 0                    ; ExportRVASize
        dd IAT                  ; ImportDirectoryRVA
        dd IATSize              ; ImportDirectorySize
Section_Headers:
        dq '.text'              ; Name
        dd 4                    ; VirtualSize
        dd main                 ; VirtualAddress
        dd EOF - main           ; SizeOfRawData
        dd main                 ; PointerToRawData
        dd 0                    ; PointerToRelocations
        dd 0                    ; PointerToLinenumbers
        dw 0                    ; NumberOfRelocations
        dw 0                    ; NumberOfLinenumbers
        dd 0xC0000020           ; Characteristics
main:
        push rbp
        mov rbp, rsp
        mov rcx, 0              ; hWnd = NULL
        lea rdx, [mes]          ; lpText
        lea r8, [mes]           ; lpCaption
        mov r9, 0               ; uType = MB_OK
        call qword [MessageBox]
        leave
        ret
mes db 'Manual PE', 0
User32Table:
MessageBox dq _MessageBox, 0
IAT:
        dd 0,0,0,User32DLL,User32Table
        dd 0
User32DLL db 'user32',0,0
        dw 0
_MessageBox db 0,0,'MessageBoxA'
IATSize = $ - IAT
EOF:
bitRAKE 14 Apr 2024, 14:22
jochenvnltn wrote:
What can I improve on to make it smaller?

Code:
main:
        xor ecx, ecx                    ; rcx = hWnd = NULL, and a zero to push twice
        push rcx
        push rcx
        lea edx, [Section_Headers+1]    ; rdx = lpText: the section name '.text' minus its dot
        pop r8                          ; r8 = lpCaption = NULL
        pop r9                          ; r9 = uType = 0
        jmp qword [MessageBox]          ; tail call, so no frame or shadow space of our own is needed
User32Table:
MessageBox dq _MessageBox               ; no terminator: the zero dwords that open IAT end the thunk table
IAT:
        dd 0,0,0,User32DLL,User32Table
        dd 0
User32DLL db 'user32',0,0
        dw 0
_MessageBox db 0,0,'MessageBoxA'
IATSize = $ - IAT
EOF:

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
jochenvnltn 14 Apr 2024, 16:38
@bitRAKE: Okay, thanks! But can the PE get smaller by making modifications to the PE file structure as it is now?
revolution 14 Apr 2024, 17:15
You can interleave the code into the header data. It doesn't have to be separated. Many of the header fields are ignored/unused leaving space for other uses.
|
jochenvnltn 14 Apr 2024, 17:47
@revolution: Is this what you mean?

"The Windows loader expects to find the PE section headers after the optional header. It calculates the address of the first section header by adding SizeOfOptionalHeader to the beginning of the optional header. However, the code that accesses the fields of the optional header never checks its size. We can set SizeOfOptionalHeader to a value smaller than the real size, and move the PE section into the unused space in the optional header."

I don't know how to do that yet without breaking the PE..
revolution 14 Apr 2024, 18:18
I think that is different. But you can do that also.
|
bitRAKE 14 Apr 2024, 19:17
jochenvnltn wrote:
I don't know how to do that yet without breaking the PE..

If you want to run the 64-bit version of WinXP, I think a PE under 100 bytes is possible. That OS is a real mess though. Alternately, you could step through the loader and reverse engineer the exact smallest PE possible.

Perhaps the "dropper" type executables are better because reducing the size is more a matter of making the data compressible rather than shaving bytes. And eventually we want a program that does something more than a message box, but we still want it tiny ... (more size goodness)

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
jochenvnltn 18 Apr 2024, 20:48
Can I do a self-replicating MessageBox instead? I'll never get to the size you guys are to achieve in this project, and I never got any experience with 16-bit.. What about a self-replicating 64-bit EXE?
jochenvnltn 18 Apr 2024, 20:57
[Deleted]
bitRAKE 18 Apr 2024, 23:24
I'm not interested.
What do you hope to achieve with these activities? |
jochenvnltn 19 Apr 2024, 13:10
I just wrote it because of the challenge... I never use it for anything, it's just part of my code snippet collection.. I'll delete my post, sorry!
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.