flat assembler
Message board for the users of flat assembler.

Index > Windows > PE From scratch, first try.

Overflowz
Joined: 03 Sep 2010
Posts: 1046
Hi, I'm trying to make a PE file from scratch. As I guess, I'm having trouble with SizeofHeaders, SizeofImage and the import directory. Here's the code; let me know what I'm doing wrong.
P.S. The executable is sectionless.
Code:
format binary as 'exe'
include 'win32a.inc'

DOS_Header:                             ; IMAGE_DOS_HEADER (64 bytes)
.e_magic        db "MZ"
                rw 29
.e_lfanew       dd NT_Headers           ; file offset of the PE signature

NT_Headers:                             ; IMAGE_NT_HEADERS
.signature db "PE",0,0
FileHeader:                             ; IMAGE_FILE_HEADER (20 bytes)
.Machine dw 014ch                       ; IMAGE_FILE_MACHINE_I386
         rw 8                           ; NumberOfSections .. SizeOfOptionalHeader
.Characteristics dw 0x010F
OptionalHeader:                         ; IMAGE_OPTIONAL_HEADER32
.Magic dw 0x010B                        ; PE32
       rw 7                             ; linker version, SizeOfCode .. SizeOfUninitializedData
.AddressOfEntryPoint dd start
       rd 2                             ; BaseOfCode, BaseOfData
.ImageBase dd 400000h
.SectionAlignment       dd 4
.FileAlignment          dd 4
                        rw 8            ; OS/image/subsystem versions, Win32VersionValue
.SizeOfImage            dd sizeof.image
.SizeOfHeaders          dd sizeof.headers
                        rd 1            ; CheckSum
.Subsystem              dw 2            ; IMAGE_SUBSYSTEM_WINDOWS_GUI
                        rw 11           ; DllCharacteristics, stack/heap sizes, LoaderFlags
.NumberOfRvaAndSizes    dd 10h

DataDirectory:
        rd 2                            ; entry 0: export directory (RVA, size)
.IRva   dd iat_rva                      ; entry 1: import directory RVA
        rd 27
sizeof.headers = $ - $$
start:
        push 0
        push 0
        push 0
        push 0
        call dword[_MessageBox]
        ret

iat_rva:

ImageImportDescriptor1:                 ; IMAGE_IMPORT_DESCRIPTOR
.OriginalFirstThunk dd IMAGE_THUNK_DATA1
.TimeDateStamp      dd %t
.ForwarderChain     dd 0
.Name               dd DllNames.User32
.FirstThunk         dd 0
rd 5                                    ; null descriptor terminates the list

DllNames:
.User32 db "USER32.DLL",0

IMAGE_THUNK_DATA1:                      ; IMAGE_THUNK_DATA
.ForwarderString dd _MessageBox
.Function        dd 0
.Ordinal         dd _MessageBox
.AddressOfData   dd 0

_MessageBox:                            ; IMAGE_IMPORT_BY_NAME
.Hint       dw 0
.Name       db "MessageBoxA",0

sizeof.image = $ - $$

Code is not commented, so apologies.
Post 29 Sep 2012, 11:07
mindcooler
Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
Quote:
.SectionAlignment dd 4
.FileAlignment dd 4


What OS are you targeting?

_________________
This is a block of text that can be added to posts you make.
Post 29 Sep 2012, 12:35
Overflowz
Joined: 03 Sep 2010
Posts: 1046
mindcooler
Windows 7 x86.
Anyways, I've read the Undocumented PECOFF paper, and it is written there that if SectionAlignment <= 800h then you can make the PE section-less, and SectionAlignment must be equal to FileAlignment.
Post 29 Sep 2012, 13:18
mindcooler
Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
Never done anything sectionless, but W7 has always barfed on any attempts at setting the alignment to less than the default.
Post 29 Sep 2012, 13:32
Overflowz
Joined: 03 Sep 2010
Posts: 1046
mindcooler
Never mind the section things; as I mentioned in the first post, I'm having trouble calculating SizeOfImage, SizeOfHeaders and the import directory. Any ideas what I'm doing wrong?
Post 29 Sep 2012, 14:07
Overflowz
Joined: 03 Sep 2010
Posts: 1046
bump...
Post 30 Sep 2012, 10:28
uart777
Joined: 17 Jan 2012
Posts: 369
Overflowz: Hi. SizeOfHeaders always appears to be 200h/512, start of 1st/only section and/or size of all previous headers (MZ+"optional"+PE including data directories).

SizeOfImage has caused me so many headaches due to conflicting explanations! According to PE Explorer, true SizeOfImage=FileSize-200h: http://www.heaventools.com/PE_Explorer_file_repair.htm , "It is important that the ultimate physical size of the file should equal the sum of the SizeOfImage value and the SizeOfHeaders value". However, a greater value doesn't cause an error.

To understand import table, check out Iczelion's PE tutorials and my import macro: http://sungod777.zxq.net/import.html

"MessageBox 0, 0, 0, 0" - I would suggest replacing this with int3 to eliminate dependencies (win32a.inc). If Windows says invalid executable, the file format is incorrect. If it runs and crashes with a breakpoint exception, then you know it works.

PS: I wrote the original "manual .EXE" in the forum about 6 years ago by the name babyboy777: http://board.flatassembler.net/topic.php?t=5616
Post 01 Oct 2012, 23:53
DOS386
Joined: 08 Dec 2006
Posts: 1901
mindcooler wrote:
Quote:
.SectionAlignment dd 4
.FileAlignment dd 4

What OS are you targeting?


For programs ("native" drivers can have less ???) use:

SectionAlignment : $1000
FileAlignment : $0200
SizeofHeaders : $0200 (more if you have big stub or many sections)
SizeofImage : integer multiple of $1000, at least $2000, total size of all sections, including headers section

http://board.flatassembler.net/download.php?id=5538

_________________
Bug Nr.: 12345

Title: Hello World program compiles to 100 KB !!!

Status: Closed: NOT a Bug
Post 02 Oct 2012, 01:32
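The alignment and size rules DOS386 lists above, turned into a checker. This is an added Python example written for this post, not fasm code and not from the thread: check_pe_headers parses the MZ, PE, file and optional headers of a PE32 image and reports every rule that fails, and build_headers constructs a sectionless header blob in the same layout as the first post (its values are made up for testing; the 200h FileAlignment floor is the spec minimum, with mindcooler's Win7 observation noted in the message).

```python
import struct

# PE32 optional-header field offsets (PE/COFF spec); data directory at +96, import table = entry 1
OPT = {"Magic": (0, "<H"), "AddressOfEntryPoint": (16, "<I"), "SectionAlignment": (32, "<I"),
       "FileAlignment": (36, "<I"), "SizeOfImage": (56, "<I"), "SizeOfHeaders": (60, "<I"),
       "NumberOfRvaAndSizes": (92, "<I")}

def is_pow2(n):
    return n > 0 and n & (n - 1) == 0

def check_pe_headers(data):
    """Return findings for the MZ/PE/file/optional headers; [] means consistent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing or truncated MZ header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                  # past "PE\0\0" (4) and the file header (20)
    if opt + 96 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature inside the file"]
    n_sec, _, _, _, size_opt = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    f = {k: struct.unpack_from(fmt, data, opt + off)[0] for k, (off, fmt) in OPT.items()}
    sa, fa = f["SectionAlignment"], f["FileAlignment"]
    soh, soi, ndir = f["SizeOfHeaders"], f["SizeOfImage"], f["NumberOfRvaAndSizes"]
    rules = [  # (holds?, finding): DOS386's alignment values plus the spec's size rules
        (f["Magic"] == 0x10B, "Magic is not 0x10B (PE32)"),
        (is_pow2(sa) and is_pow2(fa), "alignments must be powers of two"),
        (fa >= 0x200, "FileAlignment below 200h (spec minimum; thread: Win7 rejects it)"),
        (sa >= fa, "SectionAlignment must be >= FileAlignment"),
        (fa and soh % fa == 0, "SizeOfHeaders is not a multiple of FileAlignment"),
        (soh >= opt + size_opt + 40 * n_sec, "SizeOfHeaders does not cover all headers"),
        (sa and soi % sa == 0, "SizeOfImage is not a multiple of SectionAlignment"),
        (soi >= soh, "SizeOfImage is smaller than SizeOfHeaders"),
        (size_opt == 96 + 8 * ndir, "SizeOfOptionalHeader != 96 + 8*NumberOfRvaAndSizes"),
        (f["AddressOfEntryPoint"] < soi, "AddressOfEntryPoint lies outside SizeOfImage"),
    ]
    if ndir > 1 and opt + 112 <= len(data):  # import directory = DataDirectory[1]
        imp_rva, imp_size = struct.unpack_from("<II", data, opt + 104)
        rules.append((imp_rva + imp_size <= soi, "import directory lies outside SizeOfImage"))
    return [msg for ok, msg in rules if not ok]

def build_headers(section_align, file_align, size_of_headers, size_of_image, entry=0x200):
    """Constructed sectionless PE32 headers in the first post's layout (e_lfanew = 64)."""
    opt = bytearray(224)                     # optional header with 16 data directories
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry)         # Magic, AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, section_align, file_align)
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)
    struct.pack_into("<H", opt, 68, 2)       # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    blob = (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x010F) + bytes(opt))
    return blob + bytes(max(0, size_of_headers - len(blob)))  # pad to SizeOfHeaders
```

Run check_pe_headers over a real file's bytes to see which of the thread's rules it breaks; an empty list only means these header fields agree with each other, not that the loader will accept everything else.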
mindcooler
Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
These are the values I use in my PEs:

Code:
image.size              =pe.end-imgbase ;where pe.end is after everything
header.size             =$-imgbase      ;where $ is after all headers


And here is my take at the import macro:

Code:
macro import [dll,functions]
{
common
   idata:                               ; start of the import directory
forward
   dd 0,0,0,dll#.name-imgbase,dll#.iat-imgbase   ; IMAGE_IMPORT_DESCRIPTOR: Name, FirstThunk
common
   dd 5 dup 0                           ; null descriptor terminates the list
forward
   dll#.iat: irp function,functions     ; IAT: RVAs of the hint/name entries
   \{
      function: dd function\#.name-imgbase
   \}
   dd 0                                 ; null thunk terminates this DLL's IAT
forward
   dll#.name: db `dll,0                 ; DLL name string
forward
   irp function, functions              ; IMAGE_IMPORT_BY_NAME entries: hint, name
   \{
      align 2
      function\#.name: dw 0
      db \`function,0
   \}
common
   code.end:
   idata.size = $-idata
   orgup           $,sectionalign
   bss:
}

_________________
This is a block of text that can be added to posts you make.
Post 02 Oct 2012, 11:03
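The byte layout mindcooler's macro emits, as an added Python example written for this post (it is not the macro and not fasm): build_import_dir constructs that layout for a made-up set of imports at an assumed base RVA, and parse_import_dir walks it back the way a loader would, so each RVA's target is visible.

```python
import struct

def build_import_dir(base_rva, imports):
    """Constructed import directory in the layout the macro above emits: one
    IMAGE_IMPORT_DESCRIPTOR per DLL (OriginalFirstThunk = 0, Name, FirstThunk),
    a null descriptor, then per DLL its IAT of name RVAs, DLL name and
    2-byte-aligned hint/name entries. `imports` maps DLL name -> function names."""
    desc = bytearray(20 * (len(imports) + 1))      # last descriptor stays zero
    body = bytearray()                              # IATs, DLL names, hint/name entries
    rva = lambda: base_rva + len(desc) + len(body)  # RVA of the next byte appended
    for i, (dll, funcs) in enumerate(imports.items()):
        iat_off = len(body)                         # this DLL's IAT, as offset into body
        body += bytes(4 * (len(funcs) + 1))         # IAT slots + null terminator
        name_rva = rva()
        body += dll.encode() + b"\0"
        for j, fn in enumerate(funcs):
            if len(body) % 2:                       # align 2, as the macro does
                body += b"\0"
            struct.pack_into("<I", body, iat_off + 4 * j, rva())  # IAT[j] -> hint/name
            body += struct.pack("<H", 0) + fn.encode() + b"\0"    # hint 0, then name
        struct.pack_into("<IIIII", desc, 20 * i, 0, 0, 0, name_rva,
                         base_rva + len(desc) + iat_off)
    return bytes(desc + body)

def parse_import_dir(blob, base_rva):
    """Walk the descriptors and IATs of `blob` (loaded at RVA base_rva) and
    return {dll: [function, ...]}; raises on RVAs that leave the blob."""
    def cstr(rva):
        off = rva - base_rva
        if not 0 <= off < len(blob):
            raise ValueError(f"RVA {rva:#x} points outside the import data")
        return blob[off:blob.index(b"\0", off)].decode()
    result, pos = {}, 0
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", blob, pos)
        if name_rva == 0 and ft == 0:               # all-zero descriptor ends the list
            break
        thunk, funcs = (oft or ft) - base_rva, []   # OriginalFirstThunk may be 0
        while (entry := struct.unpack_from("<I", blob, thunk)[0]):
            if entry & 0x80000000:                  # high bit set: import by ordinal
                funcs.append(f"#{entry & 0xFFFF}")
            else:                                   # else RVA of hint (2 bytes) + name
                funcs.append(cstr(entry + 2))
            thunk += 4
        result[cstr(name_rva)] = funcs
        pos += 20
    return result
```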
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Thanks mindcooler. Sorry for the late reply, I was busy with my job. Anyways, I will try these things, thanks!
Post 21 Oct 2012, 22:03
mindcooler
Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
NP, as the documentation is less than excellent, much is trial and error.
Post 22 Oct 2012, 01:24
ange4771
Joined: 12 Dec 2012
Posts: 1
Hi,

I wrote many PEs by hand, covering different examples, and the sources are available at http://pe.corkami.com , so it might help you.

Sincerely,

Ange
Post 12 Dec 2012, 08:11
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Hi Ange, I'm trying those examples from your website; they are amazing! Unfortunately, I don't really understand the YASM syntax and macros you provided in your samples, so I'm trying to translate them into FASM syntax. Good job anyways, keep it up!
Post 15 Dec 2012, 09:57
KevinN
Joined: 09 Oct 2012
Posts: 161
ange4771 wrote:
Hi,

I wrote many PEs by hand, covering different examples, and the sources are available at http://pe.corkami.com , so it might help you.

Sincerely,

Ange


Thank you for this
Post 15 Dec 2012, 11:30
Copyright © 1999-2020, Tomasz Grysztar.