flat assembler
Message board for the users of flat assembler.
Windows > Manual PE Creation
iic2 14 Oct 2009, 11:22
I found copies on an old CD and I think I was using revolution version mostly. Anyway, I comment code for personal readability but it's the original of others. I could have modified a few while I was testing but not by much. Maybe no use to you anyway but this used to be my favorite subject when I knew little about it. How about the Ancient One? He wrote a nice manual PE too. I did not find any of the old saved web pages yet. Nice to know who sleep sleep used to be.
See attachment:
pal 15 Oct 2009, 22:56
iic2: Thanks for contributing to the thread. I'll have a decent look tomorrow, but I have to log in as admin and download them/turn off my AV. And it is too late for that now!
Cheers.
wht36 07 Nov 2009, 09:15
Here's my contribution, based on code from http://www.phreedom.org/solar/code/tinype/
It uses imports and does not work on win95 (because alignments are only 4). Only tested on XP. The below example assembles to 244 bytes.

Code:

    include '..\tiny'
    import USER32,MessageBoxA
    FormatPE GUI
    Start:
            call [MessageBoxA],0,"Hello World!","TinyPE",MB_OK
            ret
    EndPE

The include file looks like this:

Code:

    macro align alignment*,char
    {
      if $ mod alignment > 0
        db alignment - ($ mod alignment) dup (char)
      end if
    }

    macro ddround n,r
    {
      dd (n+r-1) and -r
    }

    dll_tables equ
    dll_imports equ dd 0,0,0,0,0
    dll_strings equ

    filealign = 4
    sectalign = 4            ; must be 4 because of e_lfanew
    adjust = sectalign - filealign
    image_base = 0x400000
    dll_count = 0

    macro import dll,[func]
    {
     common
      macro dll_tables
      \{
        dll_tables
        if dll_count > 0
          dd 0
        end if
        dll_count = dll_count + 1
        dll#_table:
     forward
        func = $ + image_base + adjust
        dd _#func+adjust-2
     common
      \}
      macro dll_imports
      \{
        dd 0,0,0,dll#_name+adjust, dll#_table+adjust
        dll_imports
      \}
      macro dll_strings
      \{
        dll_strings
        dll#_name db `dll,0
     forward
        _#func db `func,0
     common
      \}
    }

    macro FormatPE subsys
    {
      format binary as 'exe'
      use32

      ; MZ header
      ; The only two fields that matter are e_magic and e_lfanew
        dw "MZ"              ; e_magic
        dw 0                 ; e_cblp UNUSED
        dd "PE"              ; e_cp, e_crlc UNUSED          ; PE signature

      ; PE header
        dw 0x014C            ; e_cparhdr UNUSED             ; Machine (Intel 386)
        dw 1                 ; e_minalloc UNUSED            ; NumberOfSections
      pe_entry:
        jmp near Start-image_base
        db 0,0,0
      ; dd 0                 ; e_maxalloc, e_ss UNUSED      ; TimeDateStamp UNUSED
      ; dd 0                 ; e_sp, e_csum UNUSED          ; PointerToSymbolTable UNUSED
        dd 0                 ; e_ip, e_cs UNUSED            ; NumberOfSymbols UNUSED
        dw sections-opthdr   ; e_lsarlc UNUSED              ; SizeOfOptionalHeader
        dw 0x103             ; e_ovno UNUSED                ; Characteristics

      ; PE optional header
      opthdr:
        dw 0x010B            ; e_res UNUSED                 ; Magic (PE32)
        db 8                 ; MajorLinkerVersion UNUSED
        db 0                 ; MinorLinkerVersion UNUSED
      sections:
        ddround codesize, filealign ; SizeOfCode UNUSED     ; Name UNUSED
        dd 0                 ; e_oemid, e_oeminfo UNUSED    ; SizeOfInitializedData UNUSED
        dd codesize          ; e_res2 UNUSED                ; SizeOfUninitializedData UNUSED ; VirtualSize
        dd pe_entry          ; AddressOfEntryPoint          ; VirtualAddress
        dd codesize          ; BaseOfCode UNUSED            ; SizeOfRawData
        dd pe_entry          ; BaseOfData UNUSED            ; PointerToRawData
        dd 0x400000          ; ImageBase                    ; PointerToRelocations UNUSED
        dd sectalign         ; e_lfanew                     ; SectionAlignment ; PointerToLinenumbers UNUSED
        dd filealign         ; FileAlignment                ; NumberOfRelocations UNUSED ; NumberOfLinenumbers UNUSED
        dw 4                 ; MajorOSVersion UNUSED        ; Characteristics UNUSED
        dw 0                 ; MinorOSVersion UNUSED
        dw 0                 ; MajorImageVersion UNUSED
        dw 0                 ; MinorImageVersion UNUSED
        dw 4                 ; MajorSubsystemVersion
        dw 0                 ; MinorSubsystemVersion UNUSED
        dd 0                 ; Win32VersionValue UNUSED
        dd ((hdrsize + sectalign-1) and -sectalign) + ((codesize + sectalign-1) and -sectalign) ; SizeOfImage
        ddround hdrsize, filealign ; SizeOfHeaders
        dd 0                 ; CheckSum UNUSED
        subsystem = 3
        match =GUI any,subsys \{ subsystem = 2 \}
        dw subsystem         ; Subsystem (Win32 CONSOLE) ;GUI = 2, CONSOLE = 3
        dw 0x400             ; DllCharacteristics UNUSED
        dd 0x100000          ; SizeOfStackReserve
        dd 0x1000            ; SizeOfStackCommit
        dd 0x100000          ; SizeOfHeapReserve
        dd 0x1000            ; SizeOfHeapCommit UNUSED
        dd 0                 ; LoaderFlags UNUSED
        dd 2                 ; NumberOfRvaAndSizes UNUSED

      ; Data directories
      ; The debug directory size at offset 0x34 from here must be 0
        dq 0                 ;export
        dd idata+adjust      ;import section rva
        dd idata.size        ;import section size
        opthdrsize = $ - opthdr
        hdrsize = $ - $$
        dll_tables
      idata:
        dll_imports
        .size = $-idata
        dll_strings
        org $ + image_base
        purge align
    }

    macro pushd [args]
    {
     reverse
      match any, args
      \{
        local ..continue
        if args eqtype ''
          CALL ..continue
          db args,0
          ..continue:
        else
          pushd args
        end if
      \}
    }

    macro call proc,[args]
    {
     common
      pushd args
      call dword proc
    }

    macro EndPE
    {
      codesize = $ - pe_entry
      filesize = $ - $$
    }

Problems: This version doesn't allow sections. Also it doesn't add padding for the directory entries so it does not always work. I have made another version with section & resource support as well as directory padding. Its output will be bigger than this example.
See minipad.asm (from FASM example) in the updated attachment for usage. Again it won't work under win95 because of alignment settings. I also can't get icons to display properly for some reason (just figured it out, for windows explorer to display the icon of the program, it must have 16 directory entries and the section header must come after the directory entries).
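
The header layout in the post above (e_lfanew doubling as SectionAlignment, a 4-byte SizeOfOptionalHeader, only two data directories, entry point inside the headers) is easy to recognise statically. The Python triage check below is an added example, not code from the thread; its sample header is constructed from the field values in the FormatPE macro, with codesize and the import directory values assumed.

```python
import struct

def build_sample_header(codesize=232):
    """Constructed 140-byte header in the field order of the post's FormatPE macro.
    codesize and the import directory values are assumed; the entry jmp is zeroed."""
    h = struct.pack("<2sH4sHH", b"MZ", 0, b"PE\0\0", 0x014C, 1)  # e_magic, PE sig at 4, Machine, NumberOfSections
    h += bytes(8) + struct.pack("<IHH", 0, 4, 0x103)  # pe_entry slot (0x0C), SizeOfOptionalHeader = 4
    h += struct.pack("<HBB", 0x010B, 8, 0)            # Magic (PE32), linker version
    # Section header starts here (0x20) and shares bytes with the optional header.
    h += struct.pack("<8I", codesize, 0, codesize, 0x0C, codesize, 0x0C, 0x400000, 4)
    h += struct.pack("<I6H", 4, 4, 0, 0, 0, 4, 0)     # FileAlignment, OS/image/subsystem versions
    h += struct.pack("<4IHH6I", 0, 140 + codesize, 140, 0, 2, 0x400,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 2)  # ..., NumberOfRvaAndSizes = 2
    return h + struct.pack("<QII", 0, 0x90, 0x28)     # export (empty), import RVA and size

def tiny_pe_findings(data):
    """Return the header anomalies produced by overlapping MZ/PE/section headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not an MZ image"]
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 + 96 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["no PE signature at e_lfanew"]
    opt = e_lfanew + 24                               # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x010B:
        return ["not a PE32 optional header"]
    size_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
    entry, = struct.unpack_from("<I", data, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_hdrs, = struct.unpack_from("<I", data, opt + 60)
    n_dirs, = struct.unpack_from("<I", data, opt + 92)
    findings = []
    if e_lfanew < 0x40:
        findings.append("PE header overlaps the 64-byte DOS header")
    if sect_align < 0x1000 or file_align < 0x200:
        findings.append("alignment below the usual 0x1000/0x200")
    if size_opt < 96 + 8 * n_dirs:
        findings.append("section table overlaps the optional header")
    if n_dirs != 16:
        findings.append("NumberOfRvaAndSizes is not 16")
    if 0 < entry < size_hdrs:
        findings.append("entry point lies inside the headers")
    return findings

if __name__ == "__main__":
    for finding in tiny_pe_findings(build_sample_header()):
        print(finding)
```

A header emitted by a conventional linker (e_lfanew of at least 0x40, 0x1000/0x200 alignment, 16 directories) returns an empty list, so any finding is a cue for closer inspection rather than a verdict.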
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.