flat assembler
Message board for the users of flat assembler.
Windows > Tiny PE in win64
MatQuasar 19 Apr 2024, 14:22
jochenvnltn wrote: What about a self replicating 64bit EXE ?

You can either submit a pull request (late entries will be accepted) or use your tiny PE and wait for BGGP 2024 (begins in June). I was the winner of the PE category (@fliermate) with 1024 bytes. But my late entry is a 528-byte 32-bit PE, as demonstrated in the second last post on page 1 of this thread. (Or you can click the link: https://board.flatassembler.net/topic.php?p=237311#237311 ) With your 309-byte tiny PE, I think you can easily beat my 528-byte PE (and 1KB PE).
jochenvnltn 19 Apr 2024, 17:02
MatQuasar wrote:
I now have a working x64 PE with an import table that shows a MessageBox, at 277 bytes.
bitRAKE 22 Apr 2024, 07:13
jochenvnltn wrote: I'll delete my post, sorry!

Here is a related article, perhaps of interest ... https://secret.club/2023/06/05/spoof-pe-sections.html (FYI, this technique still works in Win11.)

One of the beautiful things about such an advanced assembler is that we can write code to verify what we know about the loader!

Code:
    ; verify some known rules of loader:
    load e_lfanew:4 from $$+3Ch    ; Offset to the NT header
    assert e_lfanew < ($-$$-4)     ; can't be larger than file
    load PE_Sig:4 from $$+e_lfanew
    assert PE_Sig = 'PE'

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
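The same loader rules bitRAKE verifies with fasm's load/assert, written as a stand-alone checker so they can be run over any file rather than only the image being assembled. This is an added example, not code from the post or from fasm; check_pe_header, build_sample and corrupt_e_lfanew are names chosen here, and the header bytes are constructed for the test, not taken from a real binary. Beyond the two assertions in the post it also reads the COFF file header and the optional-header magic, and flags the overlapped layout (NT header pulled up inside the DOS header) that tiny PEs rely on.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}

def check_pe_header(data: bytes) -> dict:
    """Check the DOS/NT header chain the loader walks; raise ValueError on the
    first broken rule, otherwise return the fields a triage tool would log."""
    if len(data) < 0x40:
        raise ValueError("shorter than the 0x40-byte DOS header")
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # bitRAKE's rule: assert e_lfanew < ($-$$-4), i.e. room for the 4-byte signature
    if e_lfanew >= len(data) - 4:
        raise ValueError(f"e_lfanew {e_lfanew:#x} points past end of file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE\\0\\0 signature at e_lfanew")
    # IMAGE_FILE_HEADER is 20 bytes, followed by the optional header's Magic WORD
    if e_lfanew + 26 > len(data):
        raise ValueError("COFF file header truncated")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if magic not in OPTIONAL_MAGIC:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsections,
        "optional_header_size": opt_size,
        "format": OPTIONAL_MAGIC[magic],
        # tiny PEs place the NT header inside the DOS header; worth flagging
        "headers_overlap": e_lfanew < 0x40,
    }

def build_sample(e_lfanew: int, size: int = 0x60) -> bytes:
    """Constructed header fragment (not a loadable image): MZ, e_lfanew,
    PE signature, an x64 COFF file header and the PE32+ magic."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    struct.pack_into("<H", buf, e_lfanew + 24, 0x20B)
    return bytes(buf)

def corrupt_e_lfanew(data: bytes, value: int) -> bytes:
    """Overwrite e_lfanew in a sample so the out-of-file rule can be exercised."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, 0x3C, value)
    return bytes(buf)
```

check_pe_header(build_sample(0x04)) shows the overlapped layout passing every rule, which is exactly why a scanner should report headers_overlap rather than treat it as an error.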
jochenvnltn 23 Apr 2024, 17:21
I found this : https://github.com/ayaka14732/TinyPE-on-Win10
Not sure if I want to just take what he did and put it into FASM code. He got to this result by his own effort and I don't want to replicate his project. A PE file that's 277 bytes and works with Win10 & 11 isn't that bad.
MatQuasar2 23 Jun 2024, 21:01
A virus researcher's guide to Tiny PE header, with comments for each header field!
http://pferrie.epizy.com/misc/tiny/pehdr.htm
ProMiNick 25 Jun 2024, 13:59
(related to win32 subsys) In the flat memory model all segments force the address space to be mapped exactly at its origin, but the fs segment maps memory from the TEB structure, located somewhere in the middle of the address space. For any thread the TEB is located at a random address from launch to launch, but fs in every thread always points to the TEB of that thread.
revolution 25 Jun 2024, 14:42
MatQuasar2 wrote: What is "fs"?

CS DS ES FS GS SS

All those are segment registers. Because of paging, segments are mostly useless nowadays, but Windows still uses FS to point to the thread local storage area.
MatQuasar2 25 Jun 2024, 14:47
Thanks ProMiNick and revolution, I learned something useful today from both of you.
MatQuasar2 25 Jun 2024, 15:44
MatQuasar2 wrote: Any tiny PE example using GetProcAddress and then LoadLibraryA to call an API, especially when one needs to call more than one API function and wants to get rid of the import table?

I found a great example: https://keyj.emphy.de/win32-pe/

TEB --> PEB --> base address of Kernel32.dll in memory --> ....
Roman 26 Jun 2024, 11:27
Quote:
In Windows these registers are unavailable. 6 registers I could use for my calculation. Sad, but my program crashes if I do mov es,ax or mov gs,ax or mov ds,ax.
revolution 26 Jun 2024, 11:36
Officially, in protected mode they aren't called registers, they are called selectors. And you can't arbitrarily select a different segment.
If you want to use them as registers, then you have to switch to (un)real mode.
Roman 26 Jun 2024, 15:25
Quote: If you want to use them as registers, then you have to switch to (un)real mode.

How do I do this in Windows? Is this an option in the fasm compiler setup?
revolution 26 Jun 2024, 15:30
You can't switch any current version of Windows to real mode. Real mode is the 1MB, 16-bit mode, with segments. It can be extended to unreal mode using some tricks, but there is no way you can get Windows to run there.
You can run DOS in real mode. Or write your own OS and use real mode there.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.