flat assembler
Message board for the users of flat assembler.
Index
> Windows > Create PE from scratch |
Author |
|
ShortCoder 01 Jun 2004, 18:13
Thank you for providing a very useful and very educational piece of code there.
_________________ Boycott Symantec/Norton/PowerQuest whenever possible |
|||
01 Jun 2004, 18:13 |
|
khanh 01 Jun 2004, 19:20
If y know anythings about other pieces of code like that for linux format...
Can you post them here, I'm very interested in this. It shows me how my coding are actually translated? Keep good work! |
|||
01 Jun 2004, 19:20 |
|
gorshing 02 Jun 2004, 19:25
Thanks LiuJunfeng
I was curious of what resources helped you come up with the above code. Thanks again, _________________ gorshing |
|||
02 Jun 2004, 19:25 |
|
Tommy 02 Jun 2004, 19:58
BTW: you can use %T to get the time stamp...
|
|||
02 Jun 2004, 19:58 |
|
vbVeryBeginner 09 Sep 2004, 06:34
Quote:
could somebody explain to me, why we need to ORG 0 here? according to iczelion''s PE Tutorial 1, Quote:
since it is a valid exe, why it doesn't need the PSP? and ORG in 0x100? |
|||
09 Sep 2004, 06:34 |
|
Madis731 09 Sep 2004, 07:59
My *theory* is that this big file (512*x Bytes) is mapped differently and the program (DOS_Stub) actually lays on the bottom of memory so you can run it directly.
^o) I have come to an idea that we could programme that DOS_Stub We jump to a location in code where we are writing 16bit code while we are actually programing in 32bit. So the output differs in Win32/DOS. |
|||
09 Sep 2004, 07:59 |
|
decard 09 Sep 2004, 08:02
It has a PSP too (IIRC it's location is pointed by ES at startup). Only COM exectuables are having PSP in the beginning of the segment (org 0), so the actual executable starts at org 0x100.
|
|||
09 Sep 2004, 08:02 |
|
mike.dld 09 Sep 2004, 10:05
Is there any limitations on then size of stub?
|
|||
09 Sep 2004, 10:05 |
|
silkodyssey 09 Sep 2004, 10:44
This code is a lot easier to read and understand than a lot of other PEs from scratch that I have seen.
_________________ silkodyssey |
|||
09 Sep 2004, 10:44 |
|
vbVeryBeginner 09 Sep 2004, 17:20
does PSP exists for 32 bit executable loading ?
|
|||
09 Sep 2004, 17:20 |
|
polygon7 09 Sep 2004, 20:28
mike.dld wrote: Is there any limitations on then size of stub? Minimum size of "working" (*.exe file run corectly on Windows, but you shouldn't run this at DOS) stub is 10 bytes: Code: dw 'MZ' rb 8 10 bytes stub looks like that: Code: Parameters: NS = 1 ;NumberOfSections BA = 0x400000 ;Base Address SA = 0x1000 ;SectionAlignment FA = 0x0200 ;FileAlignment DOS_Header: .e_magic dw "MZ" ;IMAGE_DOS_SIGNATURE dw 0x0090 .dll dd "d3d8" .hInstance dd BA PE_header: .Signature dd "PE" FileHeader: .Machine dw 0x014C ;i386 .NumberOfSections dw NS ;;;;;;;;;;;;;; .TimeDateStamp dd %t .PointerToSymbolTable dd 0 ; 4 \ 8b .NumberOfSymbols dd 0 ; 4 / ;;;;;;;;;;;;;; .SizeOfOptionalHeader dw SectionTable-OptionalHeader .Characteristics dw 0x818F ; OptionalHeader: ;OptionalHeader has 31 fields .Magic dw 0x010B ;PE32 ;;;;;;;;;;;;;; .LinkerVersion dw 0 ; 2 \ .SizeOfCode dd 0 ; 4 \ 14b .SizeOfInitializedData dd 0 ; 4 / .SizeOfUnInitializedData dd 0 ; 4 / ;;;;;;;;;;;;;; .AddressOfEntryPoint dd CodeSection .BaseOfCode dd 0 .BaseOfData dd PE_header .ImageBase dd BA .SectionAlignment dd SA .FileAlignment dd FA I dont know about maximum size of stub. _________________ best regards p7 |
|||
09 Sep 2004, 20:28 |
|
vbVeryBeginner 16 Sep 2004, 09:06
Code: IMAGE_DOS_HEADER: ;start : 00 (0) to 3F (63) .e_magic dw 0x5A4D ;00 01 .e_cblp dw 0x0080 ;02 03 .e_cp dw 0x0001 ;04 05 .e_crlc dw 0x0000 ;06 07 .e_cparhdr dw 0x0004 ;08 09 .e_minalloc dw 0x0010 ;10 11 .e_maxalloc dw 0xFFFF ;12 13 .e_ss dw 0x0000 ;14 15 .e_sp dw 0x0140 ;16 17 .e_csum dw 0x0000 ;18 19 .e_ip dw 0x0000 ;20 21 .e_cs dw 0x0000 ;22 23 .e_lfarlc dw 0x0040 ;24 25 .e_ovno dw 0x0000 ;26 27 .e_res rw 4 ;28 29 | 30 31 | 32 33 | 34 35 .e_oemid dw 0x0000 ;36 37 .e_oeminfo dw 0x0000 ;38 39 .e_res2 rw 10 ;40 41 | 42 43 | 44 45 | 46 47 | 48 49 | 50 51 .e_lfanew dd 0x00000080 ;52 53 | 54 55 | 56 57 | 58 59 ;60 61 62 63 ;===================================================================================================== DOS_STUB: ;start : 40 (64) to 7F (127) use16 ;DOS-STUB is a 16-bit program ;push cs <- we save 1 byte here ;pop ds <- we save another 1 byte here ;our DS is less 100h from CS, DS received PSP address mov dx,0x100 + 0x0B ;our db message starts at 0x0B because we save 3 bytes already mov ah,0x9 int 0x21 mov ah,0x4C ;save 1 byte here because we need to use AH only for function int 0x21 db 'This program cannot be run in DOS mode.',13,10,'$' rb 0x80 - $ ;0x80 - 0x75 = rb 0xB ;===================================================================================================== IMAGE_NT_HEADERS: ;start : 80 (128) to 1EF (495) .Signature db 'PE',0,0 ;128 131 IMAGE_FILE_HEADER: ;start : 84 (132) to 97 (151) .Machine dw 0x014C ;132 133 for intel 386 .NumberOfSection dw 0x0003 ;134 135 .TimeDateStamp dd %t ;136 139 .PointerToSymbolTable dd 0 ;140 143 .NumberOfSymbols dd 0 ;144 147 .SizeOfOptionalHeader dw 0x00E0 ;148 149 .Characteristic dw 0x818F ;150 151 IMAGE_OPTIONAL_HEADER: ;start : 98 (152) to F7 (247) * till IMAGE_DATA_DIRECTORY ;offset .Magic dw 0x010B ;152 153 .MajorLinkerVersion db 0x01 ;154 .MinorLinkerVersion db 0x37 ;155 .SizeOfCode dd 0 ;156 159 .SizeOfInitializedData dd 0 ;160 163 .SizeOfUninitializedData dd 0 ;164 167 .AddressOfEntryPoint dd 0x2000 ;168 171 = base + 2000 = 402000 (.code section) .BaseOfCode dd 0 ;172 175 .BaseOfData dd 0 ;176 179 .ImageBase dd 0x00400000 ;180 183 (default) .SectionAlignment dd 0x00001000 ;184 187 4096 bytes .FileAlignment dd 0x00000200 ;188 191 512 bytes (default) .MajorOperatingSystemVersion dw 1 ;192 193 .MinorOperatingSystemVersion dw 0 ;194 195 .MajorImageVersion dw 0 ;196 197 .MinorImageVersion dw 0 ;198 199 .MajorSubsystemVersion dw 4 ;200 201 .MinorSubsystemVersion dw 0 ;202 203 .Win32VersionValue dd 0 ;204 207 .SizeOfImage dd 0x00004000 ;208 211 .SizeOfHeaders dd 0x00000200 ;212 215 .CheckSum dd 0x0000EF20 ;216 219 .Subsystem dw 2 ;220 221 IMAGE_SUBSYSTEM_WINDOWS_GUI .DllCharacteristics dw 0 ;222 223 .SizeOfStackReserve dd 0x00001000 ;224 227 4096 bytes .SizeOfStackCommit dd 0x00001000 ;228 231 4096 bytes .SizeOfHeapReserve dd 0x00100000 ;232 235 1048576 bytes .SizeOfHeapCommit dd 0 ;236 239 .LoaderFlags dd 0 ;240 243 .NumberOfRvaAndSizes dd 0x10 ;244 247 16 decimal IMAGE_DATA_DIRECTORY: ;start : F8 (248) to 177 (375) * till IMAGE_SECTION_TABLE rq 1 ;248 255 .ImportTableVA dd 0x00003000 ;256 263 .ImportTableSize dd 0x00000090 rq 14 ;we don't need them also ;263 + 112 = 375 IMAGE_SECTION_TABLE: ;start : 178 (376) to 1EF (495) SECTION_1: .Name dq '.data' ;start : 178 (376) .VirtualSize dd 0x0000001D .VirtualAddress dd 0x00001000 ;-> in memory, it is 401000 .SizeOfRawData dd 0x00000200 .PointerToRawData dd 0x00000200 ;-> in our file, it is 0x200 (512) (offset from zero) .PointerToRelocations dd 0 .PointerToLineNumbers dd 0 .NumberOfRelocations dw 0 .NumberOfLineNumbers dw 0 .Characteristic dd 0xC0000040 ;end : 19F (415) SECTION_2: .Name dq '.code' ;start : 1A0 (416) .VirtualSize dd 0x0000001C .VirtualAddress dd 0x00002000 ;-> in memory, it is 402000 .SizeOfRawData dd 0x00000200 .PointerToRawData dd 0x00000400 ;-> in our file, it is 0x400 (1024) (offset from zero) .PointerToRelocations dd 0 .PointerToLineNumbers dd 0 .NumberOfRelocations dw 0 .NumberOfLineNumbers dw 0 .Characteristic dd 0x60000020 ;end : 1C7 (455) SECTION_3: .Name dq '.idata' ;start : 1C8 (456) .VirtualSize dd 0x00000090 .VirtualAddress dd 0x00003000 ;-> in memory, it is 403000 .SizeOfRawData dd 0x00000200 .PointerToRawData dd 0x00000600 ;-> in our file, it is 0x600 (1536) (offset from zero) .PointerToRelocations dd 0 .PointerToLineNumbers dd 0 .NumberOfRelocations dw 0 .NumberOfLineNumbers dw 0 .Characteristic dd 0x40000040 ;end : 1EF (495) ; | ;our SECTION_1 <PointerToRawData> points at 0x200 or (512) bytes from zero | ;since we are currently in file offset 1EF -------------------------------------------+ ;we need to "rb 0xF" or "rq 2" so that our address from 1F0 to 1FF are filled. rq 2 ;start : 1F0 (496) to 1FF (511) ;file offset = 0x200 ;memory offset = 0x401000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_1.VirtualAddress) ;========================================================================================= SECTION_1_RAW_DATA: ;start : 200 (512) to 3FF (1023) org 0x401000 msgText db 'Message Text',0 ;\ ;512 524 ; } we use 1D (29) bytes here msgCaption db 'Message Caption',0 ;/ ;525 540 ; 541 to 1023 should be filled ; (1023 - 541) + 1 = 483 bytes ; we NEED to + 1 because 1023 is not INCLUDED when ; we use it to minus 541. rb 483 ;because our .code raw data start at 400 (1024) ;and because our IMAGE_OPTIONAL_HEADER > FileAlignment is 0x200 (512) bytes ;file offset = 0x400 ;memory offset = 0x402000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_2.VirtualAddress) ;========================================================================================= org 0x2000 SECTION_2_RAW_DATA: ;start : 400 (1024) to 5FF (1535) use32 ;we are using 32-bit instruction push 0x40 ;6A 40 ;MB_OK + MB_ICONASTERIK + MB_APPLMODAL push msgCaption ;68 0D 10 40 00 ;push msgCaption push msgText ;68 00 00 40 00 ;push msgText push 0 ;6A 00 ;push HWND_DESKTOP call dword [0x0040307A] ;FF 15 7A 30 40 00 ;call MessageBoxA push 0 ;6A 00 ;push zero for ExitProcess parameter call dword [0x0040305C] ;FF 15 5C 30 40 00 ;call ExitProcess ;we have used 1C (2 bytes here ;1052 to 1535 should be filled ;(1535 - 1052) + 1 = 484 bytes rb 484 ;file offset = 0x600 ;memory offset = 0x403000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_3.VirtualAddress) ;========================================================================================= org 0x3000 SECTION_3_RAW_DATA: ;start : 600 (1536) to 7FF (2047) IMAGE_IMPORT_DESCRIPTOR_1: .OriginalFirstThunk dd 0x00003054 ;3000 3003 .TimeDateStamp dd 0 ;3004 3007 .ForwarderChain dd 0 ;3008 300B .Name dd 0x0000303C ;300C 300F .FirstThunk dd 0x0000305C ;3010 3013 IMAGE_IMPORT_DESCRIPTOR_2: .OriginalFirstThunk dd 0x00003072 ;3014 3017 .TimeDateStamp dd 0 ;3018 301B .ForwarderChain dd 0 ;301C 301F .Name dd 0x00003049 ;3020 3023 .FirstThunk dd 0x0000307A ;3024 3027 ;terminated with IMAGE_IMPORT_DESCRIPTIOR that filled with 0 zeros rd 5 ;the structure size of IMAGE_IMPORT_DESCRIPTOR ;3028 to 303B ;Our DLL Name .KERNEL32 db 'KERNEL32.DLL',0 ;303C to 3048 .USER32 db 'USER32.DLL',0 ;3049 to 3053 IMAGE_THUNK_DATA32_1: .ForwarderString dd 0x00003064 ;3054 3057 .Function dd 0 ;3058 305B .Ordinal dd 0x00003064 ;305C 305F .AddressOfData dd 0 ;3060 3063 IMAGE_IMPORT_BY_NAME_1: .Hint dw 0 ;3064 3065 .Name db 'ExitProcess',0 ;3066 3071 IMAGE_THUNK_DATA32_2: .ForwarderString dd 0x00003082 ;3072 3075 .Function dd 0 ;3076 3079 .Ordinal dd 0x00003082 ;307A 307D .AddressOfData dd 0 ;307E 3081 IMAGE_IMPORT_BY_NAME_2: .Hint dw 0 ;3082 3083 .Name db 'MessageBoxA',0 ;3084 308F ;308F = 143 bytes used ;must filled 2047 - (1536 + 143) = 368 + 1 = 369 bytes rb 367 db 0 hopefully, this could be another reference for beginner (like me) to learn |
|||
16 Sep 2004, 09:06 |
|
vid 15 Dec 2006, 11:36
here is another PE from scratch:
http://board.flatassembler.net/topic.php?t=1694 |
|||
15 Dec 2006, 11:36 |
|
rugxulo 15 Dec 2006, 19:34
Here is another one (which is the most recent that I remember, anyways):
Writing .EXEs Manually (babyboy10777) |
|||
15 Dec 2006, 19:34 |
|
asmfan 16 Dec 2006, 17:52
And pointing to a small thing - ORG - in DOS stub - it should be ORG 100h, cuz stub is just old COM proggy (do not confuse with COM technology). Just write ORG 100h and forget about adding 100 to RVA of labels e.g.
Code: mov dx,0x100 + 0x0B _________________ Any offers? |
|||
16 Dec 2006, 17:52 |
|
charli 07 Mar 2007, 18:02
I found this tut for making a valid PE file with a hexditor and Ollydbg
http://www.tuts4you.com/blogs/download.php?view.1225 |
|||
07 Mar 2007, 18:02 |
|
DOS386 07 Mar 2007, 18:22
Quote: Here is another one (which is the most recent No longer ... http://board.flatassembler.net/topic.php?t=6735 (In MAIN) someone puts them ALL into FAQ ? Quote:
WRONG. It is a MZ DOS executable, and needs ORG 0. _________________ Bug Nr.: 12345 Title: Hello World program compiles to 100 KB !!! Status: Closed: NOT a Bug |
|||
07 Mar 2007, 18:22 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.