flat assembler
Message board for the users of flat assembler.

Index > Windows > Manual PE Creation

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
pal



Joined: 26 Aug 2008
Posts: 227
pal
I am trying to create a PE executable using ASM (no proper macros).

At first I am putting in all of the headers, then I will remove them and try to get it to be a small size. So far I have:

Code:
use32
IMAGE_BASE   equ     0x00400000

dosHeader: ; IMAGE_DOS_HEADER
 .e_magic                dw      'MZ'
      .e_cblp                 dw      0
   .e_cp                   dw      0
   .e_crlc                 dw      0
   .e_cparhdr              dw      0
   .e_minalloc             dw      0
   .e_maxalloc             dw      0
   .e_ss                   dw      0
   .e_sp                   dw      0
   .e_csum                 dw      0
   .e_ip                   dw      0
   .e_cs                   dw      0
   .e_lfarlc               dw      0
   .e_ovno                 dw      0
   .e_res                  dw      0,0,0,0
     .e_oemid                dw      0
   .e_oeminfo              dw      0
   .e_res2                 dw      0,0,0,0,0,0,0,0,0,0
 .e_lfanew               dw      ntHeader

ntHeader: ; IMAGE_NT_HEADER
     .signature      dd      'PE'

fileHeader: ; IMAGE_FILE_HEADER
   .Machine                                dw      0x014C
      .NumberOfSections               dw      1
   .TimeDateStamp                  dd      0
   .PointerToSymbolTable   dd      0
   .NumberOfSymbols                dd      0
   .SizeOfOptionalHeader   dw      sizeof.OptionalHeader
       .Characteristics                dw      0x0103

optionalHeader: ; IMAGE_OPTIONAL_HEADER
   .Magic                                                  dw      0x010B
      .MajorLinkerVersion                             db      0
   .MinorLinkerVersion                             db      0
   .SizeOfCode                                             dd      0
   .SizeOfInitilaisedData                  dd      0
   .SizeOfUninitialisedData                dd      0
   .AddressOfEntryPoint                    dd      codeSection
 .BaseOfCode                                             dd      0
   .BaseOfData                                             dd      0
   ; NT Additional Members
     .ImageBase                                              dd      IMAGE_BASE
  .SectionAlignment                               dd      4
   .FileAlignment                                  dd      4
   .MajorOperatingSystemVersion    dw      0
   .MinorOperatingSystemVersion    dw      0
   .MajorImageVersion                              dw      0
   .MinorImageVersion                              dw      0
   .MajorSubsystemVersion                  dw      4
   .MinorSubsystemVersion                  dw      1
   .Win32VersionValue                              dd      0
   .SizeOfImage                                    dd      sizeof.Image 
       .SizeOfHeaders                                  dd      codeSection
 .CheckSum                                               dd      0
   .Subsystem                                              dw      2
   .DllCharacteristics                             dw      0
   .SizeOfStackReserve                             dd      0x1000
      .SizeOfStackCommit                              dd      0x1000
      .SizeOfHeapReserve                              dd      0x1000
      .SizeOfHeapCommit                               dd      0x1000
      .LoaderFlags                                    dd      0
   .NumberOfRvaAndSizes                    dd      0

directory_entries:
     

sizeof.OptionalHeader = $ - optionalHeader

sectionHeader:
        .PhysicalAddress                dq      0 
  .VirtualSize                    dd      sizeof.Code 
        .VirtualAddress                 dd      codeSection
 .SizeOfRawData                  dd      sizeof.Code 
        .PointerToRawData               dd      codeSection
 .PointerToRelocations   dd      0
   .PointerToLinenumbers   dd      0
   .NumberOfRelocations    dw      0
   .NumberOfLineNumbers    dw      0
   .Characteristics                dd      0 ; 0x0E0000020

codeSection:
     ; Display a message box
     push    0
   push    0
   push    szMessage+IMAGE_BASE
        push    0
   call    [MessageBox+IMAGE_BASE]
     ret
 
    szMessage:  db      'Hello',0
 
    sizeof.Code = $ - codeSection

importSection:
     dd      0,0,0,user_name,user_table
  dd      0,0,0,0,0
   
    user_name       db      'USER32.DLL',0

        user_table:
             MessageBox      dd      _MessageBox
         dd      0
           
    _MessageBox             dw      0
           db      'MessageBoxA',0

sizeof.Import = $ - importSection
sizeof.Image = $
    


I have looked at other examples, but I cannot figure out what IMAGE_DATA_DIRECTORY actually does (that is the directory_entries bit). I tried putting someone elses (a few actually) parts for that into my code but it didn't work.

Any ideas what is wrong with the code?

Also, how does the $ work. I know it is like the offset from the beginning of the file (or that is what I know it as), but how exactly is this assembled? I would use OllyDbg to check the code but it will not even load the file, which makes me think I have messed the code up badly.

Cheers, pal.
Post 08 Oct 2009, 16:30
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
This doesn't work:
Code:
        .SectionAlignment                               dd      4
        .FileAlignment                                  dd      4    
Windows will reject your PE file as invalid.

These will work better:
SectionAlignment = 0x1000
FileAlignment = 0x200
Post 08 Oct 2009, 16:36
View user's profile Send private message Visit poster's website Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal
I thought the whole point was that you change these so they are not aligned to their standard alignments, hence you can get a small file size?

Also I have seen other codes where these values are 1 or 4 and they work fine Confused
Post 08 Oct 2009, 17:12
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
pal wrote:
Also I have seen other codes where these values are 1 or 4 and they work fine Confused
Not on XP/NT/2000. Maybe older versions of Windows didn't check them.
Post 08 Oct 2009, 17:14
View user's profile Send private message Visit poster's website Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
Some things are ignored, and some things must be done to make AVs not FP all over your programs.

SEE HERE
Post 08 Oct 2009, 19:06
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal
Yeah, cheers kohlrak, but at the minute I am trying to create it with all the fields in the headers there.

I am further into the code, and it doesn't crash now, it says it is not a valid application.

Code:
use32
IMAGE_BASE equ     0x00400000

dosHeader: ; IMAGE_DOS_HEADER
 .e_magic                dw      'MZ'
      .e_cblp                 dw      0
   .e_cp                   dw      0
   .e_crlc                 dw      0
   .e_cparhdr              dw      0
   .e_minalloc             dw      0
   .e_maxalloc             dw      0
   .e_ss                   dw      0
   .e_sp                   dw      0
   .e_csum                 dw      0
   .e_ip                   dw      0
   .e_cs                   dw      0
   .e_lfarlc               dw      0
   .e_ovno                 dw      0
   .e_res                  dw      4 dup 0
     .e_oemid                dw      0
   .e_oeminfo              dw      0
   .e_res2                 dw      10 dup 0
    .e_lfanew               dd      ntHeader

ntHeader: ; IMAGE_NT_HEADER
     .signature      dd      'PE'

fileHeader: ; IMAGE_FILE_HEADER
   .Machine                                dw      0x014C ; Intel 386 or later
 .NumberOfSections               dw      1
   .TimeDateStamp                  dd      0
   .PointerToSymbolTable   dd      0
   .NumberOfSymbols                dd      0
   .SizeOfOptionalHeader   dw      sizeof.OptionalHeader
       .Characteristics                dw      0x0103

optionalHeader: ; IMAGE_OPTIONAL_HEADER
   .Magic                                                  dw      0x010B ; Normal executable file
     .MajorLinkerVersion                             db      0
   .MinorLinkerVersion                             db      0
   .SizeOfCode                                             dd      0
   .SizeOfInitilaisedData                  dd      0
   .SizeOfUninitialisedData                dd      0
   .AddressOfEntryPoint                    dd      codeSection
 .BaseOfCode                                             dd      0
   .BaseOfData                                             dd      0
   ; NT Additional Members
     .ImageBase                                              dd      IMAGE_BASE
  .SectionAlignment                               dd      0x1000
      .FileAlignment                                  dd      0x200
       .MajorOperatingSystemVersion    dw      0
   .MinorOperatingSystemVersion    dw      0
   .MajorImageVersion                              dw      0
   .MinorImageVersion                              dw      0
   .MajorSubsystemVersion                  dw      4
   .MinorSubsystemVersion                  dw      0
   .Win32VersionValue                              dd      0
   .SizeOfImage                                    dd      sizeof.Image 
       .SizeOfHeaders                                  dd      codeSection
 .CheckSum                                               dd      0
   .Subsystem                                              dw      2 ; IMAGE_SUBSYSTEM_WINDOWS_GUI
     .DllCharacteristics                             dw      0
   .SizeOfStackReserve                             dd      0x1000
      .SizeOfStackCommit                              dd      0x1000
      .SizeOfHeapReserve                              dd      0x1000
      .SizeOfHeapCommit                               dd      0x1000
      .LoaderFlags                                    dd      0
   .NumberOfRvaAndSizes                    dd      0
   
dataDirectories:
    .VirtualAddress dd      16 dup 0
    .Size                   dd      16 dup 0

sizeof.OptionalHeader = $ - optionalHeader

sectionHeader:
        .PhysicalAddress                dq      0 ; '.text'
       .VirtualSize                    dd      sizeof.Code 
        .VirtualAddress                 dd      codeSection
 .SizeOfRawData                  dd      sizeof.Code 
        .PointerToRawData               dd      codeSection
 .PointerToRelocations   dd      0
   .PointerToLinenumbers   dd      0
   .NumberOfRelocations    dw      0
   .NumberOfLineNumbers    dw      0
   .Characteristics                dd      0 

codeSection:
  ; Display a message box
     push    0
   push    0
   push    szMessage+IMAGE_BASE
        push    0
   call    [MessageBox+IMAGE_BASE]
     ret
 
    szMessage       db      'Hello',0
 
    sizeof.Code = $ - codeSection

importSection:
     dd      0,0,0,user_name,user_table
  dd      0,0,0,0,0
   
    user_name       db      'USER32.DLL',0

        user_table:
             MessageBox      dd      _MessageBox
         dd      0
           
    _MessageBox             dw      0
           db      'MessageBoxA',0

sizeof.Import = $ - importSection
sizeof.Image = $
    


That is my code, but I have a feeling it is to do with the IMAGE_SECTION_HEADER part (in my code sectionHeader). Do I need to fill this structure in properly? I have seen a code where it has '.text' in but I have also seen one where it has 0 in. Any ideas?
Post 09 Oct 2009, 17:56
View user's profile Send private message Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
There was a user some time ago named Sulaiman Chang (or something like that) who did a manual PE tutorial for fasm. Something else you could do is make a PE the normal way (though, i'd recommend that, because of the FP problems of fasm, you should probably make one using visual studio or something) and use a hex editor to compare values to make sure it's all aligned right. This sort of thing helped me alot when i remade my macros for a manual ELF file. (The hex editing a gcc created elf helped me more than nocona's code believe it or not...)

Remember, when it's not working, consult something that does...
Post 10 Oct 2009, 03:20
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
Maybe we can apply the old coders song (with a small minor word change at the end) to this situation also.

Get it working then get it small.
Post 10 Oct 2009, 03:27
View user's profile Send private message Visit poster's website Reply with quote
windwakr



Joined: 30 Jun 2004
Posts: 827
Location: Michigan, USA
windwakr
kohlrak wrote:
There was a user some time ago named Sulaiman Chang (or something like that) .....


sleepsleep

_________________
----> * <---- My star, won HERE
Post 10 Oct 2009, 03:27
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
windwakr wrote:
kohlrak wrote:
There was a user some time ago named Sulaiman Chang (or something like that) .....


sleepsleep
No, it is vbVeryBeginner IIRC.
Post 10 Oct 2009, 03:29
View user's profile Send private message Visit poster's website Reply with quote
windwakr



Joined: 30 Jun 2004
Posts: 827
Location: Michigan, USA
windwakr
But he is/was vbVeryBeginner IIRC.


http://board.flatassembler.net/topic.php?t=9042


sleepsleep wrote:
ops, sorry for late reply, you just got my guilty... sorry for didn't update the website or etc .... i actually wonder who links it to sraeg.net... much appreciate Smile thanks

btw, you could download the whole website here,
http://sulaiman.netadvant.com/sulaiman.zip

Quote:

Actually, i'm not sure he is the right person, but is he Sulaiman Chang?

yeah, that is my fake name.... Smile

2 points for windwakr : )....maybe this makes up for my point reduction from using Python.....


ANYWAYS.....Back on topic:

Have you seen Borsucs manual PE macros?
http://board.flatassembler.net/topic.php?t=10288

Maybe you could learn from them.

_________________
----> * <---- My star, won HERE
Post 10 Oct 2009, 03:29
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
I used to have my RawPE.asm file here also, but it was deleted during the hacking incident some time back. I'll have to see about reposting it (if I can find the thread where it was).

windwakr: You have marginally redeemed yourself from the shame of posting HLL code to brute force 36 divisions instead of proper a maths proof. BTW: I found a better link. http://board.flatassembler.net/topic.php?t=6054
Post 10 Oct 2009, 03:44
View user's profile Send private message Visit poster's website Reply with quote
Japheth



Joined: 26 Oct 2004
Posts: 151
Japheth
Code:
        .LoaderFlags                                    dd      0
        .NumberOfRvaAndSizes                    dd      0
        
dataDirectories:
        .VirtualAddress dd      16 dup 0
        .Size                   dd      16 dup 0
    


I'd say that value of .NumberOfRvaAndSizes must reflect the true number of dataDirectory entries (=16). Also IMO the second entry of dataDirectories (IMPORTS) must "include" the "user32" import directory.

Recently I did something similar in Masm syntax, See http://www.japheth.de/JWasm/Win32_5.html
Post 10 Oct 2009, 04:18
View user's profile Send private message Visit poster's website Reply with quote
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
I've done one with macros, and yes, the alignment has to be 4096 minumum, and file alignment 512 bytes min.
Post 10 Oct 2009, 15:34
View user's profile Send private message Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal
Japheth: I thought that with the NumberOfRvaAndSizes too, but I saw a code where it had 0 and it worked fine.

I would look at Borsuc's in more depth, but I don't like macros and I don't really understand them very well..

Cheers for all the help, I will keep trying :p
Post 10 Oct 2009, 19:03
View user's profile Send private message Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
Believe me, buddy, if you don't like macros, you are in for a world of hurt with this. Macros aren't like C where the compiler adds junk. FASM always spits out what you put in, and that includes the macros. If you don't like the syntax, well, try your best to learn. Otherwise, you're going to copy and paste a lot of code for every program you make.
Post 10 Oct 2009, 20:53
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
bitshifter



Joined: 04 Dec 2007
Posts: 764
Location: Massachusetts, USA
bitshifter
I dont think he is punishing himself like that.
Maybe he just likes to take his toys apart (like me) Smile
Post 10 Oct 2009, 21:24
View user's profile Send private message Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal
When I say I don't like macros, I mean I try to keep using them to a minimum. I use: proc, cinvoke/ccall if I am lazy and right now that is all I can think of.

I like to know 'what is happening under the hood', i.e. how the code is assembled properly. If that makes sense? I think what bitshifter was talking about.
Post 11 Oct 2009, 08:40
View user's profile Send private message Reply with quote
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Borsuc
I don't use those macros myself, but I always use macros for data structures, as in this case (the PE format is a "data" structure, not "code"). It makes it much easier to alter something without screwing the offsets and having to manually recalculate them, etc.

_________________
Previously known as The_Grey_Beast
Post 11 Oct 2009, 17:32
View user's profile Send private message Reply with quote
iic2



Joined: 26 Jun 2008
Posts: 123
iic2
Have you check out karl and babyboy links below. There use to be a few more about manual PE in FASM. It was all about these guys and others, including vbVeryBeginner and revolution ... Most were all about being the smallest PE. vbVeryBeginner, karl and babyboy were about a full blown PE that worked for any win32 program that you would build. I saved everything this forum had about it. It was why I came to FASM in the first place, than my working HDD burn-out and something else in life came up (old lady came back home) and the fight was back ON ... hee hee . I got backup on my old 8 and 20gigs HDD in the closest. I will dig it up if you don't get the rest of what you need out of these links.

http://board.flatassembler.net/topic.php?t=5957

http://board.flatassembler.net/topic.php?t=5616
Post 14 Oct 2009, 10:14
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.