flat assembler
Message board for the users of flat assembler.

Index > Windows > Tiny PE in win64

MatQuasar 19 Apr 2024, 14:22
jochenvnltn wrote:
What about a self-replicating 64-bit EXE?

You can either submit a pull request (late entries will be accepted) or use your tiny PE and wait for BGGP 2024 (which begins in June).

I was the winner of the PE category (@fliermate) with 1024 bytes.
But my late entry is a 528-byte 32-bit PE, as demonstrated in the second-to-last post on page 1 of this thread. (Or you can click this link: https://board.flatassembler.net/topic.php?p=237311#237311 )

With your 309-byte tiny PE, I think you can easily beat my 528-byte PE (and 1KB PE).
jochenvnltn 19 Apr 2024, 17:02
MatQuasar wrote:
jochenvnltn wrote:
What about a self-replicating 64-bit EXE?

You can either submit a pull request (late entries will be accepted) or use your tiny PE and wait for BGGP 2024 (which begins in June).

I was the winner of the PE category (@fliermate) with 1024 bytes.
But my late entry is a 528-byte 32-bit PE, as demonstrated in the second-to-last post on page 1 of this thread. (Or you can click this link: https://board.flatassembler.net/topic.php?p=237311#237311 )

With your 309-byte tiny PE, I think you can easily beat my 528-byte PE (and 1KB PE).

I now have a working x64 PE with an import table that shows a MessageBox, at 277 bytes :)
bitRAKE 22 Apr 2024, 07:13
jochenvnltn wrote:
I'll delete my post, sorry!
Nothing to be sorry about. If you say you did a thing that is enough for me - I don't need proof. Of course, if you did something novel we could all learn from then a code snippet would be most generous.

Here is a related article, perhaps of interest ...
https://secret.club/2023/06/05/spoof-pe-sections.html
(FYI, this technique still works in Win11.)

One of the beautiful things about such an advanced assembler, is that we can write code to verify what we know about the loader!
Code:
; verify some known rules of loader:

load e_lfanew:4 from $$+3Ch ; Offset to the NT header
assert e_lfanew < ($-$$-4) ; can't be larger than file
load PE_Sig:4 from $$+e_lfanew
assert PE_Sig = 'PE'    
... this way we can try complex overlapping windows and other tricks and assemble-time code verifies we haven't broken something simple. Put this verifier in another file to be included at the end, and it'll save a lot of time. Find ways to add all the discoveries you make.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
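The assemble-time checks above can also be run against a finished binary. The following Python script is an added example (not code from the board, from bitRAKE, or from fasm) that applies the same loader rules (e_lfanew inside the file, a 'PE' signature at that offset) plus the optional-header size and magic to any PE on disk, and reports a DOS/NT header overlap as the hallmark of tiny-PE tricks. The sample image it builds is constructed for the test and is not a loadable program.

```python
import struct
import sys

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
FILE_HEADER_SIZE = 20             # sizeof(IMAGE_FILE_HEADER)


def audit_pe_header(data: bytes) -> list:
    """Return 'ERROR: ...' / 'NOTE: ...' findings; an empty list means the header passes."""
    findings = []
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return ["ERROR: no MZ signature or file shorter than a DOS header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Same rule as the assemble-time assert: the NT header must lie inside the file.
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        return [f"ERROR: e_lfanew {e_lfanew:#x} points past end of file ({len(data)} bytes)"]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        findings.append(f"ERROR: no 'PE' signature at e_lfanew {e_lfanew:#x}")
    # SizeOfOptionalHeader sits 16 bytes into IMAGE_FILE_HEADER.
    opt_size = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    opt_off = e_lfanew + 4 + FILE_HEADER_SIZE
    if opt_size < 2 or opt_off + opt_size > len(data):
        findings.append(f"ERROR: SizeOfOptionalHeader {opt_size:#x} does not fit in the file")
    elif struct.unpack_from("<H", data, opt_off)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        findings.append("ERROR: optional header magic is neither PE32 nor PE32+")
    if e_lfanew < 0x40:
        # Not a loader violation, but the hallmark of the header-overlap tricks tiny PEs use.
        findings.append(f"NOTE: NT header at {e_lfanew:#x} overlaps the DOS header")
    return findings


def build_sample(e_lfanew: int = 0x40, sig: bytes = b"PE\0\0") -> bytes:
    """Constructed test image, not a loadable program: a DOS header with a minimal
    PE32+ NT header spliced in at e_lfanew (which may overlap the DOS header)."""
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # AMD64, one section
    opt_hdr = struct.pack("<H", PE32PLUS_MAGIC) + bytes(0xF0 - 2)
    img = bytearray(max(0x40, e_lfanew))
    img[e_lfanew:e_lfanew] = sig + file_hdr + opt_hdr  # insert the NT header at e_lfanew
    img[0:2] = b"MZ"                                   # stamp DOS fields last, as a tiny PE would
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    return bytes(img)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(e_lfanew=4)
    for line in audit_pe_header(blob) or ["OK: header passes all checks"]:
        print(line)
```

Run it with a path to a PE to audit that file; with no argument it audits the constructed overlapping-header sample.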
jochenvnltn 23 Apr 2024, 17:21
I found this: https://github.com/ayaka14732/TinyPE-on-Win10
Not sure if I want to just take what he did and put it into FASM code.
He got to this result by his own effort and I don't want to replicate his project.
A PE file that's 277 bytes and works with Win10 & 11 isn't that bad :)
MatQuasar2 23 Jun 2024, 21:01
A virus researcher's guide to Tiny PE header, with comments for each header field!

http://pferrie.epizy.com/misc/tiny/pehdr.htm
MatQuasar2 25 Jun 2024, 13:13
Any tiny PE example using GetProcAddress and then LoadLibraryA to call APIs, especially when one needs to call more than one API function and wants to get rid of the import table?

I see the example code uses this in the beginning:
Code:
mov eax, [fs:ecx+0x30]

What is "fs"?
ProMiNick 25 Jun 2024, 13:59
(Related to the win32 subsystem.) In the flat memory model all segments force the address space to be mapped exactly at its origin, but the fs segment maps memory from the TEB structure, located somewhere in the middle of the address space. For any thread the TEB is always located at random addresses from launch to launch. But fs in every thread always points to the TEB of that thread.
revolution 25 Jun 2024, 14:42
MatQuasar2 wrote:
What is "fs"?
A segment register.

CS
DS
ES
FS
GS
SS

All those are segment registers.

Because of paging, segments are mostly useless nowadays, but Windows still uses FS to point to the thread local storage area.
MatQuasar2 25 Jun 2024, 14:47
Thanks ProMiNick and revolution, I learned something useful today from both of you.
MatQuasar2 25 Jun 2024, 15:44
MatQuasar2 wrote:
Any tiny PE example using GetProcAddress and then LoadLibraryA to call APIs, especially when one needs to call more than one API function and wants to get rid of the import table?

I found a great example: https://keyj.emphy.de/win32-pe/

TEB --> PEB --> base address of Kernel32.dll in memory --> ....
Roman 26 Jun 2024, 11:27
Quote:
CS
DS
ES
FS
GS
SS

In Windows these registers are unavailable.
6 registers I could use for my calculations.
Sad, but my program crashes if I do mov es,ax or mov gs,ax or mov ds,ax.
revolution 26 Jun 2024, 11:36
Officially, in protected mode they aren't called registers, they are called selectors. And you can't arbitrarily select a different segment.

If you want to use them as registers, then you have to switch to (un)real mode.
Roman 26 Jun 2024, 15:25
Quote:
If you want to use them as registers, then you have to switch to (un)real mode.

How do I do this in Windows?
Is this an option in the fasm compiler setup?
revolution 26 Jun 2024, 15:30
You can't switch any current version of Windows to real mode. Real mode is the 1MB, 16-bit mode, with segments. It can be extended to unreal mode using some tricks, but there is no way you can get Windows to run there.

You can run DOS in real mode. Or write your own OS and use real mode there.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.