edemko 01 Nov 2010, 19:33
Hi people.
I just wanted to share this file.
Really tired writing\counting lots of numbers - not here :)
There'd been lots of sources i've seen and many of those were hard coded.
Saying again - not here as internal structure fixes all that.
Actually PE format is known about a week to me and i'm eager helping(naive? - no wtf i'm sorry!).
Also lots of documents - those are often different as format creators are :)

Still there are good docs:
1. www.google.com, look for MS docs studying structures
2. lots of good and lots of stump: http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/pecoff_v8.docx
3. download file

Well, here it is(pe - enu.asm).
Where would IMAGE_DOS_HEADER.MinimumextraParagraphs stay?
Is the stub valid?
;Manual PE32 creation example.
;Check next fields whenever changing this source:
format binary as 'exe'

macro padzero value*{db (value - $ and (value-1)) mod (value) dup 0}

macro m1 section{
  ;increase sections counter(see below)
  load a word from IMAGE_FILE_HEADER.NumberOfSections
  store word a+1 at IMAGE_FILE_HEADER.NumberOfSections
  ;defines 2 often usable constants(see below)
  load a dword from section#.Rva
  section#_RVA  = a - section#_RAW
  section#_BASE = IMAGE_BASE + section#_RVA

DISK_SECTOR = $0000'0200                                        ;0'000'512
PAGE        = $0000'1000                                        ;0'004'096
IMAGE_BASE  = $0040'0000                                        ;4'194'304

org 0
  .Signature                  dw 'MZ'
  .BytesOnLastPage            dw 64                             ;page = 512 bytes
  .PagesInFile                dw 1
  .Relocations                dw 0
  .SizeOfHeaderInParagraphs   dw 64/16                          ;paragraph = 16 bytes
  .MinimumExtraParagraphs     dw 0
  .MaximumExtraParagraphs     dw 0
  .InitialRelativeSS          dw 0
  .InitialSP                  dw 64
  .Checksum:                  int $20                           ;exit to DOS
  .InitialIP                  dw .Checksum
  .InitialRelativeCS          dw 0
  .OffsetToRelocationTable    dw 0
  .OverlayNumber              dw 0
  .Reserved1                  dw 4 dup 0
  .OEMIdentifier              dw 0                              ;)
  .OEMInformation             dw 0                              ;)
  .Reserverd2                 dw 10 dup 0
  .OffsetToNewEXEHeader       dd 64                             ;IMAGE_NT_HEADERS

  .Signature                  dd 'PE'

    .Machine                  dw $014c                          ;i386 and over required
    .NumberOfSections         dw 0                              ;sections counter, MACRO FILLS THIS ITSELF
    .TimeDateStamp            dd %t                             ;seconds passed since 1970_01_01, 00:00
    .PointerToSymbolTable     dd 0
    .NumberOfSymbols          dd 0
    .SizeOfOptionalHeader     dw IMAGE_SECTION_HEADER-\         ;sizeof.IMAGE_OPTIONAL_HEADER
    .Characteristics          dw $0002                          ;this is an executable file

    .Magic                    dw $010b                          ;32'bit
    .MajorLinkerVersion       db 0                              ;composer mark
    .MinorLinkerVersion       db 0                              ;...put smiles
    .SizeOfCode               dd 0
    .SizeOfInitializedData    dd 0
    .SizeOfUninitializedData  dd 0
    .AddressOfEntryPoint      dd PAGE+\                         ;PAGE(=.SectionAlignment); 1st section(being loaded to RAM) displacement relatively IMAGE_DOS_HEADER(=0)
                                 entry_point-SECTION_1_RAW      ;entry point
    .BaseOfCode               dd 0
    .BaseOfData               dd 0
    .ImageBase                dd IMAGE_BASE                     ;image load base; image starts at IMAGE_DOS_HEADER :)
    .SectionAlignment         dd PAGE                           ;sections will be aligned to this value on the load stage
    .FileAlignment            dd DISK_SECTOR                    ;section alignment in physical file
    .MajorOSVersion           dw 0
    .MinorOSVersion           dw 0
    .MajorImageVersion        dw 0                              ;smth
    .MinorImageVersion        dw 0                              ;yours
    .MajorSubsystemVersion    dw 4
    .MinorSubsystemVersion    dw 0
    .Win32VersionNumber       dd 0
    .SizeOfImage              dd PAGE*3                         ;size of image(including headers), reflected to RAM; rounded to .SectionAlignmnent
    .SizeOfHeaders            dd SECTION_1_RAW                  ;1st section displacement rounded to .FileAlignment
    .Checksum                 dd 0
    .Subsystem                dw 2                              ;win graphical user interface
    .Characteristics          dw 0
    .SizeOfStackReserve       dd 1024*1024                      ;stack space
    .SizeOfStackCommit        dd 0
    .SizeOfHeapReserve        dd 1024*1024                      ;heap space
    .SizeOfHeapCommit         dd 0
    .LoaderFlags              dd 0
    .NumberOfDataDirectories  dd 16                             ;numbers of pointers to (predefined) sections:

    .ExportTableRvaAndSize    dq 0                              ;1, export
    .ImportTableRvaAndSize    dd PAGE,\                         ;2, import, we'll use some
    times 14 dq 0                                               ;3..16

      .Name                   dq ''                             ;section name, eg 'tody' or 'body'
      .VirtualSize            dd 0
      .Rva                    dd PAGE                           ;mind .SectionAlignment ie any section's 1st byte's address
      .SizeOfRawData          dd SECTION_1_RAW.-SECTION_1_RAW   ;physical data size, align sections to .FileAlignment
      .PointerToRawData       dd SECTION_1_RAW                  ;physical data pointer, align sections to .FileAlignment
      .PointerToRelocations   dd 0
      .PointerToLineNumbers   dd 0
      .NumberOfRelocations    dw 0
      .NumberOfLineNumbers    dw 0
      .Characteristics        dd $0000'0020+\                   ;code
                                 $2000'0000+\                   ;executable
                                 $4000'0000+\                   ;readable
                                 $8000'0000                     ;writable
      m1 SECTION_1                                              ;great!
      .Name                   dq 'section2'
      .VirtualSize            dd 0
      .Rva                    dd PAGE*2                         ;see, we are skipping 1st section's alignment and 1st section itself
      .SizeOfRawData          dd SECTION_2_RAW.-SECTION_2_RAW
      .PointerToRawData       dd SECTION_2_RAW
      .PointerToRelocations   dd 0
      .PointerToLineNumbers   dd 0
      .NumberOfRelocations    dw 0
      .NumberOfLineNumbers    dw 0
      .Characteristics        dd $e000'0020
      m1 SECTION_2                                              ;great again!

  padzero DISK_SECTOR                                           ;align to .FileAllignment

                                                                ;import table
    dd 0,0,0,kernel_name+SECTION_1_RVA,kernel_table+SECTION_1_RVA
    dd 0,0,0,user_name+SECTION_1_RVA,user_table+SECTION_1_RVA
    dd 0,0,0,shell_name+SECTION_1_RVA,shell_table+SECTION_1_RVA
    dd 0,0,0,0,0

    kernel_name db 'kernel32.dll',0
      exit_process  dd exit_process_+SECTION_1_RVA
      beep          dd beep_+SECTION_1_RVA
      dd 0
      exit_process_ dw 0
                    db 'ExitProcess',0
      beep_         dw 0
                    db 'Beep',0

    user_name db 'user32.dll',0
      message_box  dd message_box_+SECTION_1_RVA
      dd 0
      message_box_ dw 0
                   db 'MessageBoxA',0

    shell_name db 'shell32.dll',0
      shell_execute  dd shell_execute_+SECTION_1_RVA
      shell_alabama  dd shell_alabama_+SECTION_1_RVA
      dd 0
      shell_execute_ dw 0
                     db 'ShellExecuteA',0
      shell_alabama_ dw 0
                     db 'ShellAboutA',0

  entry_point:                                                  ;entry point
        push     0
        push     0
        call     @f
        db       'Next MessageBoxA comes...',0
     @@:push     0
        call     [message_box+SECTION_1_BASE]

        push     0
        push     caption+SECTION_2_BASE
        call     @f
        db       'Check next fields whenever changing this source:',10,\
                 '- IMAGE_OPTIONAL_HEADER.SizeOfImage'           ,10,\
                 '- SECTION_X.Rva',0
     @@:push     0
        call     [message_box+SECTION_1_BASE]

        push     0
        push     0
        call     @f
        db       'ShellExecuteA and notepad.exe(the two rude boys) are trying to strip me...',0
     @@:push     0
        call     [message_box+SECTION_1_BASE]

        push     5
        push     0
        push     0
        call     @f
        db       'pe - enu.asm',0
     @@:push     0
        push     0
        call     [shell_execute+SECTION_1_BASE]

        cmp      eax,32
        mov      eax,fail+SECTION_2_BASE
        mov      edx,pervert+SECTION_2_BASE
        cmova    eax,edx
        push     0
        push     0
        push     eax
        push     0
        call     [message_box+SECTION_1_BASE]

        push     0
        push     0
        call     @f
        db       'DO',0
     @@:push     0
        call     [message_box+SECTION_1_BASE]

        mov      edi,melody+SECTION_2_BASE
        call     edi

        push     0
        call     @f
        db       'www.flatAssembler.net, www.wasm.ru, edemko@rambler.ru',0
     @@:push     caption+SECTION_2_BASE
        push     0
        call     [shell_alabama+SECTION_1_BASE]

        push     0
        push     0
        call     @f
        db       'The wiper is coming... ExitProcess',0
     @@:push     0
        call     [message_box+SECTION_1_BASE]

        push     0
        call     [exit_process+SECTION_1_BASE]
  padzero DISK_SECTOR

    caption db 'Manual PE32 creation example',0
    fail    db 'hohoho',0
    pervert db 'effing perverts :)',0

        push    300 120
        call    [beep+SECTION_1_BASE]
        ret     0

  padzero DISK_SECTOR

; val   = 0..2^64-1
; merge = 0<bytes<9 of value to show
; example: repeat 8
;            display 13,10
;            ShowHex $FEDCBA9876543210,%
;          end repeat
macro ShowHex val*, merge*{
  if merge > 0 & merge < 9
    local .a, .merge
    .merge = (merge) shl 1
    while .merge <> 0
      .a = (val) shr ((.merge - 1) * 4) and 1111b or 11'0000b
      if .a > 11'1001b
        .a = .a + 111b
      end if
      display .a
      .merge = .merge - 1
    end while
  end if

mindcooler 01 Nov 2010, 20:46
My stub. Haven't tested it yet.

                db "MZ"                   ; DOS_Signature[2] = "MZ"
                dw peof-imgbase           ; DOS_PartPag = 128.
                dw $0001                  ; DOS_PageCnt = 1
                dw $0000                  ; DOS_ReloCnt = 0
                dw $0004                  ; DOS_HdrSize = 4
                dw $0010                  ; DOS_MinMem = 16.
                dw $FFFF                  ; DOS_MaxMem = 65535.
                dw $0000                  ; DOS_RelSS = 0
                dw $0140                  ; DOS_ExeSP = 140
                dw $0000                  ; DOS_ChkSum = 0
                dw $0000                  ; DOS_ExeIP = 0
                dw $0000                  ; DOS_RelCS = 0
                dw mzstart-imgbase        ; DOS_RelocOffset = 40
                rw 17
                dw peof-imgbase           ; DOS_PEOffset = 80
                db $00
                db $00
                mov     ax,$4c01
                int     $21    

Comments are what fasm spits out.

edemko 11 Nov 2010, 13:20

