

CandyMan



CandyMan
How to create "Hello World" PE64 from scratch compressible by UPX?

_________________
smaller is better
Post 30 Oct 2014, 17:55
bitRAKE



bitRAKE
I used MSDELTA, which should be present on all Win64 machines. I have a PE64 with decompression under 256 bytes - I haven't seen smaller.
Code:
; MS Delta Unpacker by bitRAKE
;
; Much Thanks...
;   Franck Charlet (hitchhikr), 1kPack - the initial inspiration.
;   Ange Albertini (corkami), PE101 docs and samples.
;
; Goals:
;   - functional on all 64-bit versions of windows
;     (MSDELTA.DLL is distributed with Vista+. Yet, available in SDK.)
;
; 2013.05.14-04:48 : Initial release to testers
;
; TODO:
;   - (review) decide whether the 'int3' before the call is for tester
;     builds only; see the note at that line.
;
; ---------------------------------------------------------------------------
; Review notes (layout and ABI, as far as this listing shows):
;   - The DOS and PE headers overlap: the SectionAlignment dword below doubles
;     as DOS_HEADER.e_lfanew = 4, so 'PE' sits at file offset 4, right after
;     'MZ' + jmp.  Sections = 0, SizeOfOptionalHeader = 0, and most header
;     fields double as instruction bytes or string storage.  Exactly these
;     properties (e_lfanew below the DOS header size, zero sections, zero
;     optional-header size) are what PE parsers and scanners report as a
;     malformed image - hence "tools are questioning if this is a valid PE".
;   - DllCharacteristics is $0002: DYNAMIC_BASE ($40) and NX_COMPAT ($100)
;     are clear and there are no relocations, so the image depends on the
;     fixed IMAGEBASE / STAGE1 addresses and cannot be relocated.
;   - The only call is msdelta!ApplyDeltaProvidedB through the import table;
;     the arguments follow the Win64 ABI (rcx, rdx, r8, r9, the 5th on the
;     stack above 32 bytes of shadow space) - see the block before the call.
;   - DELTAS, DELTAS.., SOURCE.. and TARGET.. come from 'deltas.finc', which
;     is not part of this listing.
; ---------------------------------------------------------------------------

; NOTE: Addresses default to RVA, must add IMAGEBASE to get memory address.
format binary as 'exe'
IMAGEBASE equ $10000  ; preferred load address; assumed by the code below (no relocations, low byte zero)
STAGE1    equ $20002 ; fixed unpack address (lpTarget) = IMAGEBASE+$10002, loaded into r9 below

    use64
; registers:
;   at process entry, per the author's note further down (unverified):
;   RDX = R9 = [RCX] = IMAGEBASE, RCX = R8 = TEB?

EntryPoint: ; must be $100 * N          ;+ <-= required/fixed
    db 'MZ' ; pop r10                   ;+4D 5A  DOS signature; executes as 'pop r10', which also re-aligns the stack for the call below (win-win)
    jmp @F                              ; EB 2C  skip the PE signature / machine / sections bytes

db 'PE',0,0                             ;+signature, at file offset 4 (where e_lfanew points)
dw $8664                                ;+machine, AMD64
dw $0000                                ;+sections: none

@@: push SOURCE..                       ; 6A 76  uSize of the Source DELTA_INPUT; imm8 form, hence the [0,127] limit; SOURCE.. is defined in deltas.finc
    jmp @F                              ; EB 20
sz.kernel32.dll db 'KERNEL32'           ; ######## 8 bytes, import DLL name; no terminator here - the dw $0000 that follows supplies the NUL

dw $0000                                ;+size of optional header (null)        More required bytes(+)
dw $0002                                ;+characteristics, IMAGE_FILE_EXECUTABLE_IMAGE; not $2000 (DLL)
dw $020B                                ;+PE32+ magic (hint); also the hint word of the GetProcAddress import-by-name entry (dq below points 2 bytes before the string)
sz.GetProcAddress db 'GetProcAddress'   ; ############## 14 bytes, import-by-name string; terminated by the first zero byte of the dd below
dd EntryPoint                           ;+AddressOfEntryPoint (null, EntryPoint is at RVA 0)  Tools are questioning if this is a valid PE

@@: push rdx                            ; 52  lpStart = IMAGEBASE (rdx per the entry note); completes Source DELTA_INPUT {lpStart, uSize}
    push rsp                            ; 54  address of that DELTA_INPUT structure, popped into rdx below
    jmp @F                              ; EB 20

dq IMAGEBASE                            ;+ImageBase QWORD
dd $00000004                            ;+SectionAlignment; also read as DOS_HEADER.e_lfanew at file offset $3C -> PE header at offset 4
dd $00000004                            ;+FileAlignment (hint)
sz.msdelta.dll db 'MSDELTA',0           ;######## 8 bytes, import DLL name
dw 5                                    ;+MajorSubsystemVersion (5,6,?)
;dw $FFFF                               ; MinorSubsystemVersion (any)
    nop ; WHAT!                         ; the two nops ($9090) are the MinorSubsystemVersion word; never executed
    nop ; WHAT!
dd $00000000                            ; Win32VersionValue (needed for D3D)
;dd $3F ; increase memory required      ;+SizeOfImage > $3F                     Now we are getting tricky
@@:
    mov dl,DELTAS                       ; B2 D3  only the low byte of rdx is written: relies on rdx = IMAGEBASE (low byte 0) and DELTAS < $100, giving rdx = IMAGEBASE+DELTAS
                                        ;        B2 D3 69 01 is also read as SizeOfImage ($0169D3B2), so the loader reserves far more zeroed memory than the file needs -
                                        ;        presumably the region STAGE1 unpacks into ("Loader will clear us some memory") - TODO confirm
    db $69,$01                          ; imul eax,[rcx],$0000009C  - consumes the SizeOfHeaders dword below as its immediate
dd SizeOfHeaders ; 9C 00 00 00          ;+SizeOfHeaders

    mov esi,edx                         ; 89 D6  rsi = IMAGEBASE+DELTAS (32-bit write zero-extends); together with the next 2 bytes this is the CheckSum field
    db $41,$B9 ; mov r9,$0002'0002 ; fixed unpack address, save 3 bytes         We limit execution environment to save bytes.
                                        ; 41 B9 imm32: the immediate is formed by the next two header words -> r9 = STAGE1 (lpTarget)
dw $0002                                ;+Subsystem, GUI=2
dw $0002                                ; DLL Characteristics (IMAGE_DLLCHARACTERISTICS_NO_SEH=$400); DYNAMIC_BASE ($40) and NX_COMPAT ($100) are not set - fixed addresses, no ASLR

    nop ; WHAT!                         ; fill bytes; by position these fall inside the stack reserve/commit size fields - TODO confirm offsets
    nop ; WHAT!
    db $69,$01,$00,$00,$00,$00          ; imul eax,[rcx],0 -> eax = 0 (also 6 fill bytes)
    pop rdx                             ; 5A  rdx = address of the Source DELTA_INPUT structure (the value pushed by 'push rsp' above)
    push rax                            ; 51 FALSE flag, no changes - NOTE(review): 'push rax' encodes as 50 (51 is 'push rcx'); the value pushed is the eax=0 from the imul above.
                                        ;    By stack position this slot becomes the third field of the Delta DELTA_INPUT built below (presumably Editable=FALSE) - confirm
    db $69,$01,$00,$00,$00,$00          ; imul eax,[rcx],0 -> eax = 0 again; becomes ApplyFlags via the xchg below
    jmp @F                              ; EB 3A
kernel32.dll_iat:
kernel32.GetProcAddress dq sz.GetProcAddress-2   ; import thunk: RVA of {hint word = dw $020B, 'GetProcAddress', NUL from dd EntryPoint}; the loader replaces it with the resolved address
db 6 dup 0                              ; IAT terminator: these 6 zero bytes plus the low word of LoaderFlags form the null thunk

dd $00000000                            ;#### LoaderFlags (null x2)
dd 2                                    ;+NumberOfRvaAndSizes: Export and Import only

dd 0,0                                  ; Export directory, none
dd Import_Descriptor,0                  ; Import directory: RVA, size left 0
SizeOfHeaders:

;sz.ApplyDeltaB db 'ApplyDeltaB',0 ; 12 bytes
sz.ApplyDeltaProvidedB db 'ApplyDeltaProvidedB',0 ; 20 bytes, import-by-name string for msdelta; the 2 bytes before it are its hint word (see the dq near the end)

;===============================================================================
; RDX=R9=[RCX]=IMAGEBASE, RCX=R8=TEB?   (author's entry-state note, unverified)
;
; Need to preserve a pointer to GetProcAddress.
; (the kernel32 IAT slot is not read by this stub; presumably it is for the
;  unpacked stage - confirm)
;
; Call prepared here, Win64 ABI, names as in the virtual block below:
;   rcx = ApplyFlags = 0, rdx = &Source, r8 = &Delta, r9 = lpTarget = STAGE1,
;   [rsp+32] = uTargetSize = TARGET..; 'add esp,-32' provides the shadow space.
;
@@:
    xchg ecx,eax                ; 91 && no flags   ecx = 0 (ApplyFlags, from the last imul); eax = old rcx
    lodsd                       ; AD  eax = dword at DELTAS (byte count of delta data); rsi now points at the data
    push rax                    ; 50 length of deltas (uSize)
    push rsi                    ; 57 address of delta data (lpStart)
    push rsp                    ; 54
    pop r8                      ; 41 58 delta DELTA_INPUT structure: r8 = &{lpStart, uSize, third field = the 0 pushed earlier}
    push TARGET..               ; 68 00 00 00 00  uTargetSize, 5th argument; TARGET.. comes from deltas.finc (the zero bytes shown are a placeholder)
;    lea ebx,[r9+STAGE1.ENTRY-STAGE1]
    add esp,-32                 ; 83 C4 E0  shadow space for the call; leaves uTargetSize at [rsp+32].
                                ; NOTE(review): 32-bit operand size zero-extends into rsp, so this assumes the stack lies below 4 GB - TODO confirm on targets with high-entropy stacks
int3                            ; NOTE(review): debugger breakpoint; outside a debugger this raises an exception before the call (consistent with "release to testers") - drop for release
    OFFSET equ r9 - msdelta.ApplyDeltaProvidedB + (DELTAS+4+DELTAS..) - 127
    ; per the encoding comment this assembles to [r9-127], i.e. the label terms cancel only if
    ; msdelta.ApplyDeltaProvidedB lies exactly at DELTAS+4+DELTAS.. (directly after the delta data) - TODO confirm
    virtual at rsp
      .ApplyFlags  rq 1         ; documentation of the argument slots: the four home slots for rcx/rdx/r8/r9 ...
      .Source      rq 1
      .Delta       rq 1
      .lpTarget    rq 1
      .uTargetSize rq 1         ; ... and the 5th argument at [rsp+32]; nothing is emitted
    end virtual
    call [OFFSET]               ; 41 FF 51 81  call through the msdelta IAT slot -> ApplyDeltaProvidedB
    ; there are many ways to jump into uncompressed data
    jmp rbx                     ; FF E3  NOTE(review): rbx is not written anywhere in this listing (the commented 'lea ebx' above would have); confirm where the unpacked stage's entry comes from
;===============================================================================

; DB data, and constants
include 'deltas.finc'                   ; not in this listing; defines DELTAS, DELTAS.., SOURCE.., TARGET.. - sketch below

; DELTAS:
; dd DELTAS..  ; bytes of delta data
; db 'PS30'    ; signature
; db $FF,$FF,...
; .. = $ - DELTAS
; SOURCE.. = ?


msdelta.dll_iat:
msdelta.ApplyDeltaProvidedB dq sz.ApplyDeltaProvidedB-2 ; ,dq 0   import thunk read by 'call [OFFSET]'; the null terminator is supplied by the leading zeros of Import_Descriptor
Import_Descriptor:
  dd 0,0,0,  sz.kernel32.dll,  kernel32.dll_iat     ; IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk=0, TimeDateStamp=0, ForwarderChain=0, Name, FirstThunk
  dd 0,0,0,  sz.msdelta.dll;, msdelta.dll_iat       ; second descriptor, FirstThunk continued by the db below
  db msdelta.dll_iat                                ; low byte of FirstThunk (RVA must be < $100); the remaining bytes and the all-zero terminator descriptor
                                                    ; lie past end-of-file and presumably read as zero in the mapped image - TODO confirm
;  dd 0,0,0,0,0 ; terminator    
Post 31 Oct 2014, 02:58
CandyMan



CandyMan
Thanks!

_________________
smaller is better
Post 31 Oct 2014, 15:01