flat assembler
Message board for the users of flat assembler.
Windows > Manual PE Creation
revolution 08 Oct 2009, 16:36
This doesn't work:
Code:
  .SectionAlignment dd 4
  .FileAlignment    dd 4
These will work better:
Code:
  SectionAlignment = 0x1000
  FileAlignment    = 0x200
pal 08 Oct 2009, 17:12
I thought the whole point was that you change these so they are not aligned to their standard alignments, hence you can get a small file size?
Also I have seen other code where these values are 1 or 4 and they work fine.
revolution 08 Oct 2009, 17:14
pal wrote: Also I have seen other code where these values are 1 or 4 and they work fine.
kohlrak 08 Oct 2009, 19:06
Some things are ignored, and some things must be done to make AVs not FP all over your programs.
SEE HERE
pal 09 Oct 2009, 17:56
Yeah, cheers kohlrak, but at the minute I am trying to create it with all the fields in the headers there.
I am further into the code, and it doesn't crash now, it says it is not a valid application.
Code:
  use32

  IMAGE_BASE equ 0x00400000

  dosHeader:                                ; IMAGE_DOS_HEADER
    .e_magic      dw 'MZ'
    .e_cblp       dw 0
    .e_cp         dw 0
    .e_crlc       dw 0
    .e_cparhdr    dw 0
    .e_minalloc   dw 0
    .e_maxalloc   dw 0
    .e_ss         dw 0
    .e_sp         dw 0
    .e_csum       dw 0
    .e_ip         dw 0
    .e_cs         dw 0
    .e_lfarlc     dw 0
    .e_ovno       dw 0
    .e_res        dw 4 dup 0
    .e_oemid      dw 0
    .e_oeminfo    dw 0
    .e_res2       dw 10 dup 0
    .e_lfanew     dd ntHeader

  ntHeader:                                 ; IMAGE_NT_HEADER
    .signature    dd 'PE'

  fileHeader:                               ; IMAGE_FILE_HEADER
    .Machine              dw 0x014C         ; Intel 386 or later
    .NumberOfSections     dw 1
    .TimeDateStamp        dd 0
    .PointerToSymbolTable dd 0
    .NumberOfSymbols      dd 0
    .SizeOfOptionalHeader dw sizeof.OptionalHeader
    .Characteristics      dw 0x0103

  optionalHeader:                           ; IMAGE_OPTIONAL_HEADER
    .Magic                    dw 0x010B     ; Normal executable file
    .MajorLinkerVersion       db 0
    .MinorLinkerVersion       db 0
    .SizeOfCode               dd 0
    .SizeOfInitialisedData    dd 0
    .SizeOfUninitialisedData  dd 0
    .AddressOfEntryPoint      dd codeSection
    .BaseOfCode               dd 0
    .BaseOfData               dd 0
    ; NT Additional Members
    .ImageBase                dd IMAGE_BASE
    .SectionAlignment         dd 0x1000
    .FileAlignment            dd 0x200
    .MajorOperatingSystemVersion dw 0
    .MinorOperatingSystemVersion dw 0
    .MajorImageVersion        dw 0
    .MinorImageVersion        dw 0
    .MajorSubsystemVersion    dw 4
    .MinorSubsystemVersion    dw 0
    .Win32VersionValue        dd 0
    .SizeOfImage              dd sizeof.Image
    .SizeOfHeaders            dd codeSection
    .CheckSum                 dd 0
    .Subsystem                dw 2          ; IMAGE_SUBSYSTEM_WINDOWS_GUI
    .DllCharacteristics       dw 0
    .SizeOfStackReserve       dd 0x1000
    .SizeOfStackCommit        dd 0x1000
    .SizeOfHeapReserve        dd 0x1000
    .SizeOfHeapCommit         dd 0x1000
    .LoaderFlags              dd 0
    .NumberOfRvaAndSizes      dd 0

  dataDirectories:
    .VirtualAddress   dd 16 dup 0
    .Size             dd 16 dup 0

  sizeof.OptionalHeader = $ - optionalHeader

  sectionHeader:                            ; IMAGE_SECTION_HEADER
    .PhysicalAddress      dq 0              ; '.text'
    .VirtualSize          dd sizeof.Code
    .VirtualAddress       dd codeSection
    .SizeOfRawData        dd sizeof.Code
    .PointerToRawData     dd codeSection
    .PointerToRelocations dd 0
    .PointerToLinenumbers dd 0
    .NumberOfRelocations  dw 0
    .NumberOfLineNumbers  dw 0
    .Characteristics      dd 0

  codeSection:
    ; Display a message box
    push 0
    push 0
    push szMessage+IMAGE_BASE
    push 0
    call [MessageBox+IMAGE_BASE]
    ret

    szMessage db 'Hello',0

  sizeof.Code = $ - codeSection

  importSection:
    dd 0,0,0,user_name,user_table
    dd 0,0,0,0,0
    user_name   db 'USER32.DLL',0
    user_table:
      MessageBox dd _MessageBox
                 dd 0
    _MessageBox dw 0
                db 'MessageBoxA',0

  sizeof.Import = $ - importSection
  sizeof.Image  = $
That is my code, but I have a feeling it is to do with the IMAGE_SECTION_HEADER part (in my code, sectionHeader). Do I need to fill this structure in properly? I have seen code where it has '.text' in, but I have also seen code where it has 0 in. Any ideas?
kohlrak 10 Oct 2009, 03:20
There was a user some time ago named Sulaiman Chang (or something like that) who did a manual PE tutorial for fasm. Something else you could do is make a PE the normal way (though I'd recommend that, because of the FP problems of fasm, you should probably make one using Visual Studio or something) and use a hex editor to compare values to make sure it's all aligned right. This sort of thing helped me a lot when I remade my macros for a manual ELF file. (The hex editing of a gcc-created ELF helped me more than nocona's code, believe it or not...)
Remember, when it's not working, consult something that does...
revolution 10 Oct 2009, 03:27
Maybe we can apply the old coders' song (with a small minor word change at the end) to this situation also.
Get it working, then get it small.
windwakr 10 Oct 2009, 03:27
kohlrak wrote: There was a user some time ago named Sulaiman Chang (or something like that) .....
sleepsleep
revolution 10 Oct 2009, 03:29
windwakr wrote:
windwakr 10 Oct 2009, 03:29
But he is/was vbVeryBeginner IIRC.
http://board.flatassembler.net/topic.php?t=9042
sleepsleep wrote: ops, sorry for late reply, you just got my guilty... sorry for didn't update the website or etc .... i actually wonder who links it to sraeg.net... much appreciate thanks
2 points for windwakr : )....maybe this makes up for my point reduction from using Python.....
ANYWAYS.....Back on topic: Have you seen Borsuc's manual PE macros? http://board.flatassembler.net/topic.php?t=10288 Maybe you could learn from them.
revolution 10 Oct 2009, 03:44
I used to have my RawPE.asm file here also, but it was deleted during the hacking incident some time back. I'll have to see about reposting it (if I can find the thread where it was).
windwakr: You have marginally redeemed yourself from the shame of posting HLL code to brute force 36 divisions instead of a proper maths proof. BTW: I found a better link. http://board.flatassembler.net/topic.php?t=6054
Japheth 10 Oct 2009, 04:18
Code:
  .LoaderFlags          dd 0
  .NumberOfRvaAndSizes  dd 0

  dataDirectories:
    .VirtualAddress   dd 16 dup 0
    .Size             dd 16 dup 0
I'd say the value of .NumberOfRvaAndSizes must reflect the true number of dataDirectory entries (=16). Also IMO the second entry of dataDirectories (IMPORTS) must "include" the "user32" import directory. Recently I did something similar in Masm syntax, see http://www.japheth.de/JWasm/Win32_5.html
Borsuc 10 Oct 2009, 15:34
I've done one with macros, and yes, the section alignment has to be 4096 minimum, and file alignment 512 bytes min.
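The header rules the last few posts argue about (revolution's alignment values, Japheth's point about .NumberOfRvaAndSizes and the import data directory, Borsuc's 4096/512 minimums) can be checked mechanically. The following is an added example in Python, not code from this thread or from fasm: build_pe constructs a one-section PE32 in memory that imports MessageBoxA from USER32.DLL, always emitting sixteen data-directory slots so that a wrong NumberOfRvaAndSizes reproduces the mismatch in pal's listing, and check_pe parses the result and reports which documented PE/COFF rules it violates. The field layout and constants are those of the PE32 format; the section contents, byte strings, message texts and the parameter names are my own assumptions, and the checks encode the PE/COFF specification's wording rather than the Windows loader's actual tolerance (the loader accepts some images the spec forbids, so a reported problem means "not to spec", not necessarily "will not load").

```python
"""Constructed one-section PE32 and a header checker for the rules argued about above."""
import struct

PAGE_SIZE = 0x1000
IMAGE_BASE = 0x00400000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
OPT_HEADER32_FIXED = 96            # PE32 optional header up to NumberOfRvaAndSizes inclusive
TEXT_CHARACTERISTICS = 0x60000020  # IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ


def align_up(value, boundary):
    return (value + boundary - 1) & ~(boundary - 1)


def build_pe(section_alignment=0x1000, file_alignment=0x200,
             number_of_rva_and_sizes=16, fill_import_directory=True):
    """Headers plus one .text section holding the import descriptor for user32!MessageBoxA, its
    IAT, the strings and the code (all constructed). Sixteen data-directory slots are always
    emitted (SizeOfOptionalHeader = 224), so number_of_rva_and_sizes=0 reproduces the post's mismatch."""
    headers_end = 0x40 + 4 + 20 + OPT_HEADER32_FIXED + 16 * 8 + 40
    size_of_headers = align_up(headers_end, file_alignment)
    text_rva = align_up(headers_end, section_alignment)
    body = bytearray()

    def put(data):
        body.extend(data)
        return len(body) - len(data)
    desc_off = put(b'\0' * 40)                    # IMAGE_IMPORT_DESCRIPTOR + null terminator
    iat_off = put(b'\0' * 8)                      # FirstThunk array: MessageBoxA, 0
    hint_off = put(struct.pack('<H', 0) + b'MessageBoxA\0')
    dll_off = put(b'USER32.DLL\0')
    msg_off = put(b'Hello\0')
    code_off = put(b'\x6A\x00\x6A\x00'                                                 # push 0 ; push 0
                   + b'\x68' + struct.pack('<I', IMAGE_BASE + text_rva + msg_off)      # push szMessage
                   + b'\x6A\x00'                                                       # push 0
                   + b'\xFF\x15' + struct.pack('<I', IMAGE_BASE + text_rva + iat_off)  # call [IAT slot]
                   + b'\xC3')                                                          # ret
    struct.pack_into('<IIIII', body, desc_off, 0, 0, 0, text_rva + dll_off, text_rva + iat_off)
    struct.pack_into('<II', body, iat_off, text_rva + hint_off, 0)
    size_of_raw = align_up(len(body), file_alignment)
    size_of_image = align_up(text_rva + len(body), section_alignment)
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)          # e_lfanew -> PE signature
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, OPT_HEADER32_FIXED + 16 * 8, 0x0103)
    opt = struct.pack('<HBB' + 'I' * 9 + 'H' * 6 + 'I' * 4 + 'HH' + 'I' * 6,
                      0x10B, 0, 0, size_of_raw, 0, 0, text_rva + code_off, text_rva, 0,
                      IMAGE_BASE, section_alignment, file_alignment, 0, 0, 0, 0, 4, 0,
                      0, size_of_image, size_of_headers, 0, 2, 0,   # Subsystem 2 = WINDOWS_GUI
                      0x1000, 0x1000, 0x1000, 0x1000, 0, number_of_rva_and_sizes)
    dirs = [(0, 0)] * 16
    if fill_import_directory:
        dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (text_rva + desc_off, 40)
    opt += b''.join(struct.pack('<II', *d) for d in dirs)
    section = struct.pack('<8sIIIIIIHHI', b'.text', len(body), text_rva, size_of_raw,
                          size_of_headers, 0, 0, 0, 0, TEXT_CHARACTERISTICS)  # raw data follows headers
    headers = dos + b'PE\0\0' + file_hdr + opt + section
    return headers.ljust(size_of_headers, b'\0') + bytes(body).ljust(size_of_raw, b'\0')


def check_pe(image):
    """Return the violated PE/COFF header rules; an empty list means every check passed."""
    e_lfanew, = struct.unpack_from('<I', image, 0x3C)
    if image[:2] != b'MZ' or image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return ['MZ or PE signature not found where e_lfanew points']
    _, nsections, _, _, _, size_opt, _ = struct.unpack_from('<HHIIIHH', image, e_lfanew + 4)
    opt = e_lfanew + 24
    entry, = struct.unpack_from('<I', image, opt + 16)
    sec_align, file_align = struct.unpack_from('<II', image, opt + 32)
    size_image, size_headers = struct.unpack_from('<II', image, opt + 56)
    n_dirs, = struct.unpack_from('<I', image, opt + 92)
    sections = [struct.unpack_from('<8sIIIIIIHHI', image, opt + size_opt + 40 * i) for i in range(nsections)]

    def rva_to_offset(rva):
        for _, vsize, va, rawsize, raw, *_ in sections:
            if va <= rva < va + max(vsize, rawsize):
                return raw + rva - va
        return None
    problems = []
    if file_align < 0x200 or file_align > 0x10000 or file_align & (file_align - 1):
        problems.append(f'FileAlignment {file_align:#x} must be a power of 2 in [0x200, 0x10000]')
    if sec_align < file_align or (sec_align < PAGE_SIZE and sec_align != file_align):
        problems.append('SectionAlignment must be >= FileAlignment, and equal to it when below the page size')
    if size_headers < opt + size_opt + 40 * nsections or size_headers % file_align:
        problems.append('SizeOfHeaders must cover the section table and be a multiple of FileAlignment')
    if size_image % sec_align:
        problems.append('SizeOfImage must be a multiple of SectionAlignment')
    for _, vsize, va, _, raw, *_ in sections:
        if va % sec_align or raw % file_align or va + vsize > size_image:
            problems.append(f'section at RVA {va:#x} is misaligned or extends past SizeOfImage')
    if rva_to_offset(entry) is None:
        problems.append('AddressOfEntryPoint lies outside every section')
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return problems + [f'NumberOfRvaAndSizes = {n_dirs}: the loader sees no import directory']
    imp_rva, = struct.unpack_from('<I', image, opt + OPT_HEADER32_FIXED + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    off = rva_to_offset(imp_rva) if imp_rva else None
    if off is None:
        problems.append('import data directory is empty or points outside every section')
    while off is not None and off + 20 <= len(image):
        _, _, _, name_rva, thunk_rva = struct.unpack_from('<IIIII', image, off)
        if name_rva == 0:
            break
        if rva_to_offset(name_rva) is None or rva_to_offset(thunk_rva) is None:
            problems.append(f'import descriptor at file offset {off:#x}: Name or FirstThunk does not resolve')
        off += 20
    return problems
```

check_pe(build_pe()) returns an empty list. Passing number_of_rva_and_sizes=0 reproduces pal's header and the checker reports only the NumberOfRvaAndSizes problem; fill_import_directory=False reports the empty import data directory that Japheth points at; section_alignment=4 and file_alignment=4 fail only the FileAlignment rule, since the spec does allow SectionAlignment below the page size when it equals FileAlignment. The image is never written to disk or executed here; to inspect it with a PE viewer, write the bytes out with open(path, 'wb').write(build_pe()).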
pal 10 Oct 2009, 19:03
Japheth: I thought that about the NumberOfRvaAndSizes too, but I saw code where it had 0 and it worked fine.
I would look at Borsuc's in more depth, but I don't like macros and I don't really understand them very well. Cheers for all the help, I will keep trying :p
kohlrak 10 Oct 2009, 20:53
Believe me, buddy, if you don't like macros, you are in for a world of hurt with this. Macros aren't like C where the compiler adds junk. FASM always spits out what you put in, and that includes the macros. If you don't like the syntax, well, try your best to learn. Otherwise, you're going to copy and paste a lot of code for every program you make.
bitshifter 10 Oct 2009, 21:24
I don't think he is punishing himself like that.
Maybe he just likes to take his toys apart (like me).
pal 11 Oct 2009, 08:40
When I say I don't like macros, I mean I try to keep their use to a minimum. I use proc, and cinvoke/ccall if I am lazy, and right now that is all I can think of.
I like to know 'what is happening under the hood', i.e. how the code is assembled properly, if that makes sense? I think that is what bitshifter was talking about.
Borsuc 11 Oct 2009, 17:32
I don't use those macros myself, but I always use macros for data structures, as in this case (the PE format is a "data" structure, not "code"). It makes it much easier to alter something without screwing the offsets and having to manually recalculate them, etc.
_________________
Previously known as The_Grey_Beast
iic2 14 Oct 2009, 10:14
Have you checked out the karl and babyboy links below? There used to be a few more about manual PE in FASM. It was all about these guys and others, including vbVeryBeginner and revolution ... Most were all about being the smallest PE. vbVeryBeginner, karl and babyboy were about a full-blown PE that worked for any win32 program that you would build. I saved everything this forum had about it. It was why I came to FASM in the first place, then my working HDD burnt out and something else in life came up (old lady came back home) and the fight was back ON ... hee hee. I have backups on my old 8 and 20 gig HDDs in the closet. I will dig them up if you don't get the rest of what you need out of these links.
http://board.flatassembler.net/topic.php?t=5957
http://board.flatassembler.net/topic.php?t=5616
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.