idata before code and other weird PE format cases?

Index > Windows > idata before code and other weird PE format cases?

Author

Thread

Artlav

Joined: 23 Dec 2004
Posts: 188
Location: Moscow, Russia

Artlav 28 Nov 2009, 21:59

I've been playing around with generating PE files in different ways, and there are a few things i don't get.

Let's start with a simple hello world program:

Code:

format PE GUI 4.0
entry start
include 'win32a.inc'

section '.idata' import data readable writeable
 library kernel32,'KERNEL32.DLL',\
         user32  ,'USER32.DLL'
 import kernel32,ExitProcess,'ExitProcess'
 import user32  ,MessageBox ,'MessageBoxA'

section '.text' code readable executable
start:
 push  0
 call  l1
 db    "Win32 Assembly generator",0
 l1:
 call  l2
 db    "Hi! I'm the example output program!",0
 l2:
 push  0
 call  [MessageBox]
 push  0
 call  [ExitProcess]

As you can see, i put the import section before the code. This works fine in FASM, but if i generate the file in the same way myself, it refuses to start.
Closer look reveals, that FASM places import section image at 1000h and code at 2000h in that scenario, while i generated it as if the code section was first, at 1000h, and import next - 2000h, basically swapping the sections.
The code links to the 2000h addresses in my case, IDA opens up the file fine, and it looks correct.
Curiously, if i just swap the VirtualAddress'es of the sections, changing nothing else, the program loads, but crashes.

What is the difference?
As i understand, the loader places the section to the specified address, regardless of it's position in the file, no?

Second thing, i tried to reduce FileAlignment to make the file more compact, reducing the section padding accordingly. The program refuses to start. But, if it's increased to 400h, the program runs normally. Only these two values - default 200h and 400h seems to work. Is there more to it, or the field is not very useful?
Is there an example of non-degenerated minimal-padding-and-overhead PE file?

28 Nov 2009, 21:59

Borsuc

Joined: 29 Dec 2005
Posts: 2465
Location: Bucharest, Romania

Borsuc 29 Nov 2009, 02:52

I suggest you don't mess with the file alignment and keep it at 512. I don't get what you mean with "generate the file the same way yourself" though.

29 Nov 2009, 02:52

Artlav

Joined: 23 Dec 2004
Posts: 188
Location: Moscow, Russia

Artlav 29 Nov 2009, 09:34

Borsuc wrote:

I don't get what you mean with "generate the file the same way yourself" though.

Manually define all the PE file structure.

In essence, if a section with higher address is followed by a section with lower address, the file refuses to run.
I.E. data at 1000h, code at 2000h, but in the file code is section 0, and data is section 1.

29 Nov 2009, 09:34

Borsuc

Joined: 29 Dec 2005
Posts: 2465
Location: Bucharest, Romania

Borsuc 29 Nov 2009, 19:35

I have to be honest and flat out say I never used that way (decrementing addresses)... but why would that be important, just make them incrementing to be more compatible, even if it might work on some versions of Windows with decrementing addresses. (I said maybe, I don't know)

29 Nov 2009, 19:35

DOS386

Joined: 08 Dec 2006
Posts: 1898

DOS386 30 Nov 2009, 06:49

Check also this one:

http://board.flatassembler.net/topic.php?t=10887 (FASM formatter limitations)

and this one:

http://board.flatassembler.net/topic.php?t=10872 (PE brewing)

and:

??? (not yet) BTW, can you brew a valid and working DLL of just 1 KiB size ??? I can Smile

I'll post it later.

30 Nov 2009, 06:49

hopcode

Joined: 04 Mar 2008
Posts: 563
Location: Germany

hopcode 01 Dec 2009, 04:02

try this
for me it works, only 1024 bytes,
very interesting

Code:

format PE GUI 4.0
entry start
include 'win32a.inc'

section '.idata' import data readable writeable executable
 library kernel32,'KERNEL32.DLL',\
         user32  ,'USER32.DLL'
 import kernel32,ExitProcess,'ExitProcess'
 import user32  ,MessageBox ,'MessageBoxA'
align 4   ;<-----
start:
 push  0
 call  l1
 db    "Win32 Assembly generator",0
 l1:
 call  l2
 db    "Hi! I'm the example output program!",0
 l2:
 push  0
 call  [MessageBox]
 push  0
 call  [ExitProcess]

Regards,
hopcode

01 Dec 2009, 04:02

hopcode

Joined: 04 Mar 2008
Posts: 563
Location: Germany

hopcode 01 Dec 2009, 07:16

the most interesting...
Who said that DLL must have .reloc to works ? Very Happy

Who said that EXE cannot be used as DLL ? Very Happy

try this,
interesting

;1) compile this as "artlav_testC.asm"

Code:

;[Dienstag] - 01.Dezember.2009 - 07:51:31

;--- hopcode [mrk] ----------------------
;- Example of an exe file without (unuseful) relocation table
;- that acts as an EXE and as a DLL.
;- It could be launched as .exe on the command line
;- or with LoadLibrary from the "artlav_calldll.exe"
;- See it in debugger 
;- WARNING: POSSIBLE CRASHES!!!!!!

format PE GUI 4.0
entry start
include 'win32a.inc'

section '.idata' import data readable writeable executable
library kernel32,'KERNEL32.DLL',\
 user32,'USER32.DLL'
 import kernel32,ExitProcess,'ExitProcess',\
     GetModuleHandle,"GetModuleHandle"
 import user32,MessageBox ,'MessageBoxA'

align 4
 myfunc:        
  mov eax,[esp+4]
  mov dword[MessageBox],eax
  push 3
  push 2
  push 1
  call start
  ret 4

align 4
start:
 push  0
 call  l1
 db    "Win32 Assembly generator",0
 l1:
 call  l2
 db    "Hi! I'm the example output program!",0
 l2:
 push  0
 call [MessageBox]

 xor eax,eax
 inc eax
 ret 12

section '.edata' export data readable
export 'artlav_testC.exe',\
   myfunc,'myfunc'

;2) then compile this as "artlav_calldll.asm"

Code:

;[Dienstag] - 01.Dezember.2009 - 07:51:31

;--- hopcode [mrk] ----------------------------------
;- In this exe importing a function from "artlav_testC.exe" 
;- See it in debugger
;- WARNING: POSSIBLE CRASHES!!!!!!

format PE GUI 4.0
entry start
include 'win32a.inc'

section '.idata' import data readable writeable executable
library kernel32,"KERNEL32.DLL",\
 user32  ,'USER32.DLL'
; import artlav_testC,"artlav_testC.exe",myfunc,'myfunc' ;EDIT not needed tip
 import kernel32,ExitProcess,'ExitProcess',\
    LoadLibrary,'LoadLibraryA',\
    FreeLibrary,"FreeLibrary",\
    GetProcAddress,"GetProcAddress"
 import user32,MessageBox ,'MessageBoxA'

align 4
start:
 push 0
 call lab1
 db "myfunc",0

lab1:
 call lab2
 db "artlav_testC.exe",0

lab2:
 call [LoadLibrary]
 mov ebx,eax
 xchg eax,dword[esp]
 xchg dword[esp+4],eax
 call [GetProcAddress]
 push dword[MessageBox]   ;<-- i pass *THIS* function address to
 call eax                 ;<-- our exported function that uses a MessageBox in
 push ebx                 ; the code
 call [FreeLibrary]
 push  0
 call  [ExitProcess]

3) Now run in debugger the first ...
and then the second.

Regards,
hopcode

01 Dec 2009, 07:16

f0dder

Joined: 19 Feb 2004
Posts: 3175
Location: Denmark

f0dder 01 Dec 2009, 07:34

hopcode wrote:

Who said that DLL must have .reloc to works ?

Nobody, but you're screwed if your base address isn't available.

hopcode wrote:

Who said that EXE cannot be used as DLL ?

Nobody, but don't try this on Win9x Smile

01 Dec 2009, 07:34

hopcode

Joined: 04 Mar 2008
Posts: 563
Location: Germany

hopcode 01 Dec 2009, 07:54

f0dder wrote:

Nobody, but don't try this on Win9x

Surely, doesnt belong to me this style of coding... it was only an innocent playing... Very Happy

btw, iirc, it was possible on win98... or probably not

01 Dec 2009, 07:54

f0dder

Joined: 19 Feb 2004
Posts: 3175
Location: Denmark

f0dder 01 Dec 2009, 08:05

Yes and no - it's been a few years, but as I recall you can do LoadLibrary on an exe on Win9x, but relocations aren't applied... so you could modify .exe resources, but you couldn't call exported methods. So much for avoiding dealing with VERSIONINFO resources and just calling a getVersion() export Smile

01 Dec 2009, 08:05

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum