Iczelion's Tutorials by Sulaiman Chang in the FASM Dialect

Thread in the "FASM" section, created by user Mikl___, 12 Dec 2016.

  1. Mikl___

    Mikl___ Supermoderator, Forum staff
    Publications: 14
    Registered: 25 Jun 2008
    Messages: 3,797

    FASM INVOKE Explanation

    INVOKE is a macroinstruction used to call functions with the STDCALL convention: the function's arguments are passed on the stack, from right to left, so that by the time the function is called the first parameter is on top of the stack. The called function cleans up the stack. For example, the function call Foo(arg0, arg1, ..., argN) assembles into:
    Code (ASM):
    push [argN]
    ...
    push [arg1]
    push [arg0]
    call Foo
    Before the CALL instruction executes, the stack looks like this:
    [image: img00.png]
    And this is a call to the WinAPI function MessageBox:
    Code (ASM):
    push    MB_OK
    push    _caption
    push    _text
    push    [hWnd]
    call    [MessageBox]
    which is equivalent to
    Code (ASM):
    invoke MessageBox, [hWnd], _text, _caption, MB_OK
     

    Last edited: 13 Dec 2016
  2. Mikl___

    PE Format. Lesson 1. Overview of the PE format

    Presented is a step-by-step approach to understanding the Windows PE file format. First, we will build a simple Windows .exe executable, and then we will analyze it byte by byte.
    Code (ASM):
    format PE GUI 4.0
    entry start

    include '%fasminc%\win32a.inc'

    section '.data' data readable writeable
           msgText       db     'Message Text',0
           msgCaption    db     'Message Caption',0

    section '.code' code readable executable
           start:
                  invoke MessageBox,HWND_DESKTOP,msgText,msgCaption,MB_OK + MB_ICONINFORMATION
                  invoke ExitProcess,0

    section '.idata' import data readable
           library       KERNEL32,     'KERNEL32.DLL',\
                         USER32,       'USER32.DLL'

           import KERNEL32,\
                  ExitProcess,         'ExitProcess'

           import USER32,\
                  MessageBox,          'MessageBoxA'
    This is what you should see if you have assembled and executed it.
    [image: pe_1.gif]
    Now I dump the file in hex and construct it using DB only, so we can examine it step by step. Of course, you could try copying the hex code below and assembling it with your favourite assembler.
    To be continued
     

    Last edited: 14 Dec 2016
  3. Mikl___

    Code (Text):
    db 0x4D,0x5A,0x80,0x00,0x01,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0xFF,0xFF,0x00,0x00,\
    0x40,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00,\
    0x0E,0x1F,0xBA,0x0E,0x00,0xB4,0x09,0xCD,0x21,0xB8,0x01,0x4C,0xCD,0x21,0x54,0x68,\
    0x69,0x73,0x20,0x70,0x72,0x6F,0x67,0x72,0x61,0x6D,0x20,0x63,0x61,0x6E,0x6E,0x6F,\
    0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6E,0x20,0x69,0x6E,0x20,0x44,0x4F,0x53,0x20,\
    0x6D,0x6F,0x64,0x65,0x2E,0x0D,0x0A,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x50,0x45,0x00,0x00,0x4C,0x01,0x03,0x00,0x9E,0xA2,0x46,0x41,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0xE0,0x00,0x8F,0x81,0x0B,0x01,0x01,0x37,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00,\
    0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x46,0xA7,0x00,0x00,0x02,0x00,0x00,0x00,\
    0x00,0x10,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x30,0x00,0x00,0x90,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2E,0x64,0x61,0x74,0x61,0x00,0x00,0x00,\
    0x1D,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x02,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0xC0,\
    0x2E,0x63,0x6F,0x64,0x65,0x00,0x00,0x00,0x1C,0x00,0x00,0x00,0x00,0x20,0x00,0x00,\
    0x00,0x02,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60,0x2E,0x69,0x64,0x61,0x74,0x61,0x00,0x00,\
    0x90,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x40,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x4D,0x65,0x73,0x73,0x61,0x67,0x65,0x20,0x54,0x65,0x78,0x74,0x00,0x4D,0x65,0x73,\
    0x73,0x61,0x67,0x65,0x20,0x43,0x61,0x70,0x74,0x69,0x6F,0x6E,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x6A,0x40,0x68,0x0D,0x10,0x40,0x00,0x68,0x00,0x10,0x40,0x00,0x6A,0x00,0xFF,0x15,\
    0x7A,0x30,0x40,0x00,0x6A,0x00,0xFF,0x15,0x5C,0x30,0x40,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x54,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x3C,0x30,0x00,0x00,\
    0x5C,0x30,0x00,0x00,0x72,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x49,0x30,0x00,0x00,0x7A,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x4B,0x45,0x52,0x4E,\
    0x45,0x4C,0x33,0x32,0x2E,0x44,0x4C,0x4C,0x00,0x55,0x53,0x45,0x52,0x33,0x32,0x2E,\
    0x44,0x4C,0x4C,0x00,0x64,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x64,0x30,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x45,0x78,0x69,0x74,0x50,0x72,0x6F,0x63,0x65,0x73,\
    0x73,0x00,0x82,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x30,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x4D,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6F,0x78,0x41,0x00,\
    To be continued
     
    Last edited: 14 Dec 2016
  4. Mikl___

    Code (Text):
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    If you have copied the above code and assembled it, you will get exactly the same result as we got at first.

    The first 64 bytes (bytes 0 to 63) of our PE file are occupied by a structure named "IMAGE_DOS_HEADER". Below is the "IMAGE_DOS_HEADER" structure as declared in the "WINNT.H" file.
    Code (C):
    typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
        WORD   e_magic;                     // Magic number
        WORD   e_cblp;                      // Bytes on last page of file
        WORD   e_cp;                        // Pages in file
        WORD   e_crlc;                      // Relocations
        WORD   e_cparhdr;                   // Size of header in paragraphs
        WORD   e_minalloc;                  // Minimum extra paragraphs needed
        WORD   e_maxalloc;                  // Maximum extra paragraphs needed
        WORD   e_ss;                        // Initial (relative) SS value
        WORD   e_sp;                        // Initial SP value
        WORD   e_csum;                      // Checksum
        WORD   e_ip;                        // Initial IP value
        WORD   e_cs;                        // Initial (relative) CS value
        WORD   e_lfarlc;                    // File address of relocation table
        WORD   e_ovno;                      // Overlay number
        WORD   e_res[4];                    // Reserved words
        WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
        WORD   e_oeminfo;                   // OEM information; e_oemid specific
        WORD   e_res2[10];                  // Reserved words
        LONG   e_lfanew;                    // File address of new exe header
    } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
    So now we have some idea of what our first 64 bytes actually are, so we construct it again and then link the rest of our code with the above "db" hex values.
    Code (ASM):
    IMAGE_DOS_HEADER:                         ;start : 00 (0) to 3F (63)
           .e_magic      dw     0x5A4D        ;00 01
           .e_cblp       dw     0x0080        ;02 03
           .e_cp         dw     0x0001        ;04 05
           .e_crlc       dw     0x0000        ;06 07
           .e_cparhdr    dw     0x0004        ;08 09
           .e_minalloc   dw     0x0010        ;10 11
           .e_maxalloc   dw     0xFFFF        ;12 13
           .e_ss         dw     0x0000        ;14 15
           .e_sp         dw     0x0140        ;16 17
           .e_csum       dw     0x0000        ;18 19
           .e_ip         dw     0x0000        ;20 21
           .e_cs         dw     0x0000        ;22 23
           .e_lfarlc     dw     0x0040        ;24 25
           .e_ovno       dw     0x0000        ;26 27
           .e_res        rw     4             ;28 29 | 30 31 | 32 33 | 34 35
           .e_oemid      dw     0x0000        ;36 37
           .e_oeminfo    dw     0x0000        ;38 39
           .e_res2       rw     10            ;40 41 | 42 43 | 44 45 | 46 47 | 48 49 |
                                              ;50 51 | 52 53 | 54 55 | 56 57 | 58 59
           .e_lfanew     dd     0x00000080    ;60 61 62 63 (file offset of IMAGE_NT_HEADERS)

    db 0x0E,0x1F,0xBA,0x0E,0x00,0xB4,0x09,0xCD,0x21,0xB8,0x01,0x4C,0xCD,0x21,0x54,0x68,\
    .......... ...... ..... .... ... .. .(until the end)
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    According to most of the tutorials I read on this subject, we only need to be concerned with 2 members of this IMAGE_DOS_HEADER structure, which are e_magic and e_lfanew. The e_magic value "4D5A" is equal to "MZ" if we translate that value into ASCII, while the e_lfanew value "00 00 00 80" (we need to read it in reverse in order to get the value) is the pointer or address of our IMAGE_NT_HEADERS structure. Before we can move on to IMAGE_NT_HEADERS, there is a DOS 2.0 stub program which lies between them. This stub program generally occupies the addresses from 0x40 to 0x77; then we add 8 bytes so that we can start our IMAGE_NT_HEADERS on a paragraph boundary at 0x80.

    The DOS 2.0 stub program consists of 16-bit instructions, so we simply use the DEBUG program provided with Windows to see what instructions are contained inside.
    Code (Text):
    Microsoft Windows 2000 [Version 4.00.0000]
    (C) Copyright 1985-1999 Microsoft Corp.

    H:\tutorial>debug pe3.exe
    -u
    1597:0000 0E            PUSH    CS
    1597:0001 1F            POP     DS
    1597:0002 BA0E00        MOV     DX,000E
    1597:0005 B409          MOV     AH,09
    1597:0007 CD21          INT     21
    1597:0009 B8014C        MOV     AX,4C01
    1597:000C CD21          INT     21
    OUR DATA SECTION STARTS FROM HERE
    Code (Text):
    1597:000E 54            PUSH    SP               -> T
    1597:000F 68            DB      68               -> h
    1597:0010 69            DB      69               -> i
    1597:0011 7320          JNB     0033             -> s (space bar)
    1597:0013 7072          JO      0087             -> p r
    1597:0015 6F            DB      6F               -> o
    1597:0016 67            DB      67               -> g
    1597:0017 7261          JB      007A             -> r a
    1597:0019 6D            DB      6D               -> m
    1597:001A 206361        AND     [BP+DI+61],AH    -> (space bar) c a
    1597:001D 6E            DB      6E               -> n
    1597:001E 6E            DB      6E               -> n
    1597:001F 6F            DB      6F               -> o
    159A:0020 7420          JZ      0042             -> t (space bar)
    159A:0022 62            DB      62               -> b
    159A:0023 65            DB      65               -> e
    159A:0024 207275        AND     [BP+SI+75],DH    -> (space bar) r u
    159A:0027 6E            DB      6E               -> n
    159A:0028 20696E        AND     [BX+DI+6E],CH    -> (space bar) i n
    159A:002B 20444F        AND     [SI+4F],AL       -> (space bar) D O
    159A:002E 53            PUSH    BX               -> S
    159A:002F 206D6F        AND     [DI+6F],CH       -> (space bar) m o
    159A:0032 64            DB      64               -> d
    159A:0033 65            DB      65               -> e
    159A:0034 2E            CS:                      -> .
    159A:0035 0D0A24        OR      AX,240A          -> (carriage return) (line feed) $
    159A:0038 0000          ADD     [BX+SI],AL       -> 00 00
    159A:003A 0000          ADD     [BX+SI],AL       -> 00 00
    159A:003C 0000          ADD     [BX+SI],AL       -> 00 00
    159A:003E 0000          ADD     [BX+SI],AL       -> 00 00
    -
    This is what we get if we unassemble our created PE file using the DEBUG program. The DEBUG program won't unassemble our IMAGE_DOS_HEADER because it has already been replaced with the PSP (Program Segment Prefix). One thing we need to be concerned with here is our initial or start-up register values.
    Code (Text):
    -r
    AX=0000  BX=0000  CX=0600  DX=0000  SP=0140  BP=0000  SI=0000  DI=0000
    DS=158A  ES=158A  SS=159A  CS=159A  IP=0000   NV UP EI PL NZ NA PO NC
    159A:0000 0E            PUSH    CS
    The loader sets our DS and ES to the address of the PSP and sets CS, IP, SS and SP to values from our IMAGE_DOS_HEADER structure. The reason we need to PUSH CS and POP DS is to initialize our DS so that it is the same as CS, so that nothing goes wrong when we use the instruction MOV DX,000E. I guess now we have the information to code our DOS stub program.
    Code (ASM):
    DOS_STUB:
           org 0                ;because our initial IP was 0
           use16                ;DOS-STUB is a 16-bit program
           push   cs
           pop    ds            ;our DS is 100h less than CS, DS received the PSP address
           mov    dx,errMsg
           mov    ah,0x9
           int    0x21
           mov    ax,0x4C01
           int    0x21

           errMsg db     'This program cannot be run in DOS mode.',13,10,'$'

           org    $ + DOS_STUB  ;is equal to 0x38 + 0x40 = 0x78
           rb     0x80 - $      ;0x80 - 0x78 = rb 0x8
    You might not prefer the idea of having ORG and then ORG again, so how could we do it without ORG? To code without using ORG, we just use the address directly, for example as below.
    To be continued
     
    Last edited: 16 Dec 2016
  5. Mikl___

    Code (ASM):
    DOS_STUB:
           use16                ;DOS-STUB is a 16-bit program
           push   cs
           pop    ds            ;our DS is 100h less than CS, DS received the PSP address
           mov    dx,0x0E       ;is 0x0E because our data starts at 1597:000E in the unassembly below
           mov    ah,0x9
           int    0x21
           mov    ax,0x4C01
           int    0x21

           db     'This program cannot be run in DOS mode.',13,10,'$'

           rb     0x80 - $      ;0x80 - 0x78 = rb 0x8
    Code (Text):
    ...
    1597:000E 54            PUSH    SP --> This program cannot be run in DOS mode.
    ...
    I am the minimalist type, so I choose to modify it not to initialize DS, because I use DS only once in my DOS stub program.
    Code (ASM):
    DOS_STUB:                          ;start : 40 (64) to 7F (127)
           use16                       ;DOS-STUB is a 16-bit program
                                       ;push  cs <- we save 1 byte here
                                       ;pop   ds <- we save another 1 byte here
                                       ;our DS is 100h less than CS, DS received the PSP address
           mov    dx,100h + 0Bh        ;our db message starts at 0x0B because we already saved 3 bytes
           mov    ah,0x9
           int    0x21
           mov    ah,0x4C              ;save 1 byte here because we need to use AH only for the function
           int    0x21

           db     'This program cannot be run in DOS mode.',13,10,'$'

           rb     0x80 - $             ;0x80 - 0x75 = rb 0xB
    So far, we have already covered IMAGE_DOS_HEADER and the DOS 2.0 stub program; we will continue with IMAGE_NT_HEADERS in our next walkthrough.
    PE File Format (so far)
    0x00 .... 0x3F    IMAGE_DOS_HEADER
    0x40 .... 0x7F    DOS 2.0 Stub Program
    0x80 .... ?       IMAGE_NT_HEADERS

    Continue to Windows PE File Format Walkthrough II
     
    Last edited: 14 Dec 2016
  6. Mikl___


    Windows PE File Format Walkthrough II

    IMAGE_NT_HEADERS

    Now we are on the way to understanding the IMAGE_NT_HEADERS structure. This structure is declared in the WINNT.H file.
    Code (C):
    typedef struct _IMAGE_NT_HEADERS {
        DWORD Signature;
        IMAGE_FILE_HEADER FileHeader;
        IMAGE_OPTIONAL_HEADER32 OptionalHeader;
    } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
    We have so many things to understand now! Never mind, we just move on step by step and hopefully, in the end, we will be able to make sense of it.

    The IMAGE_NT_HEADERS structure represents the PE header format. The Signature should contain the value
    Code (Text):
    50 45 00 00
    or (ASCII)
    Code (Text):
    PE 0 0
    to be identified as a valid PE image.

    IMAGE_FILE_HEADER

    The IMAGE_FILE_HEADER is a 20-byte structure that is included in the IMAGE_NT_HEADERS structure.
    Code (C):
    typedef struct _IMAGE_FILE_HEADER {
        WORD    Machine;
        WORD    NumberOfSections;
        DWORD   TimeDateStamp;
        DWORD   PointerToSymbolTable;
        DWORD   NumberOfSymbols;
        WORD    SizeOfOptionalHeader;
        WORD    Characteristics;
    } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
    Machine: Specifies the architecture type of the computer.
        0x014C = Intel 386 (generally we use this one)
        0x0200 = Intel 64-bit
    NumberOfSections: Specifies the number of sections.
    TimeDateStamp: Specifies the time stamp of the image. This represents the date and time the image was created by the linker.
    PointerToSymbolTable: Offset of the symbol table, or zero if no symbol table exists.
    NumberOfSymbols: Specifies the number of symbols in the symbol table.
    SizeOfOptionalHeader: Specifies the size of the optional header, in bytes.
    Characteristics: Specifies the characteristics of the image.

    IMAGE_FILE_RELOCS_STRIPPED
    0x0001 // Relocation info stripped from file.

    IMAGE_FILE_EXECUTABLE_IMAGE
    0x0002 // File is executable (i.e. no unresolved externel references).

    IMAGE_FILE_LINE_NUMS_STRIPPED
    0x0004 // Line nunbers stripped from file.

    IMAGE_FILE_LOCAL_SYMS_STRIPPED
    0x0008 // Local symbols stripped from file.

    IMAGE_FILE_AGGRESIVE_WS_TRIM
    0x0010 // Agressively trim working set

    IMAGE_FILE_LARGE_ADDRESS_AWARE
    0x0020 // App can handle >2gb addresses

    IMAGE_FILE_BYTES_REVERSED_LO
    0x0080 // Bytes of machine word are reversed.

    IMAGE_FILE_32BIT_MACHINE
    0x0100 // 32 bit word machine.

    IMAGE_FILE_DEBUG_STRIPPED
    0x0200 // Debugging info stripped from file in .DBG file

    IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
    0x0400 // If Image is on removable media, copy and run from the swap file.

    IMAGE_FILE_NET_RUN_FROM_SWAP
    0x0800 // If Image is on Net, copy and run from the swap file.

    IMAGE_FILE_SYSTEM
    0x1000 // System File.

    IMAGE_FILE_DLL
    0x2000 // File is a DLL.

    IMAGE_FILE_UP_SYSTEM_ONLY
    0x4000 // File should only be run on a UP machine

    IMAGE_FILE_BYTES_REVERSED_HI
    0x8000 // Bytes of machine word are reversed.
    Now we have some information on how to code our IMAGE_NT_HEADERS with IMAGE_FILE_HEADER. Below is what we can form using the above information.
    Code (ASM):
    IMAGE_NT_HEADERS:                                ;start : 80 (128) to 1EF (495)
           .Signature           db     'PE',0,0      ;128 131


           IMAGE_FILE_HEADER:                        ;start : 84 (132) to 97 (151)
                  .Machine                           dw     0x014C        ;132 133 for intel 386
                  .NumberOfSection                   dw     0x0003        ;134 135
                  .TimeDateStamp                     dd     %t            ;136 139
                  .PointerToSymbolTable              dd     0             ;140 143
                  .NumberOfSymbols                   dd     0             ;144 147
                  .SizeOfOptionalHeader              dw     0x00E0        ;148 149
                  .Characteristic                    dw     0x818F        ;150 151

    db 0x0B,0x01,0x01,0x37,0x00,0x00,0x00,0x00,\
    ..... to the end
    Our characteristic value is 0x818F, which is equal to:
    Characteristic value for a general PE EXE file
    IMAGE_FILE_RELOCS_STRIPPED        0x0001          = 0x0001
    IMAGE_FILE_EXECUTABLE_IMAGE       0x0002  +       = 0x0003
    IMAGE_FILE_LINE_NUMS_STRIPPED     0x0004  +       = 0x0007
    IMAGE_FILE_LOCAL_SYMS_STRIPPED    0x0008  +       = 0x000F
    IMAGE_FILE_BYTES_REVERSED_LO      0x0080  +       = 0x008F
    IMAGE_FILE_32BIT_MACHINE          0x0100  +       = 0x018F
    IMAGE_FILE_BYTES_REVERSED_HI      0x8000  +       = 0x818F  <-- our characteristic value
    Now we have a new idea of how our PE file format actually looks.
    PE File Format (so far)
    0x00 .... 0x3F    IMAGE_DOS_HEADER
    0x40 .... 0x7F    DOS 2.0 Stub Program
    0x80 .... ?       IMAGE_NT_HEADERS
    0x84 .... 0x97    IMAGE_FILE_HEADER
    Our NumberOfSections value is 0x0003 because we have 3 sections in our PE, which are ".data", ".code" and ".idata".
    Code (C):
    typedef struct _IMAGE_OPTIONAL_HEADER {
        WORD    Magic;
        BYTE    MajorLinkerVersion;
        BYTE    MinorLinkerVersion;
        DWORD   SizeOfCode;
        DWORD   SizeOfInitializedData;
        DWORD   SizeOfUninitializedData;
        DWORD   AddressOfEntryPoint;
        DWORD   BaseOfCode;
        DWORD   BaseOfData;
        DWORD   ImageBase;
        DWORD   SectionAlignment;
        DWORD   FileAlignment;
        WORD    MajorOperatingSystemVersion;
        WORD    MinorOperatingSystemVersion;
        WORD    MajorImageVersion;
        WORD    MinorImageVersion;
        WORD    MajorSubsystemVersion;
        WORD    MinorSubsystemVersion;
        DWORD   Win32VersionValue;
        DWORD   SizeOfImage;
        DWORD   SizeOfHeaders;
        DWORD   CheckSum;
        WORD    Subsystem;
        WORD    DllCharacteristics;
        DWORD   SizeOfStackReserve;
        DWORD   SizeOfStackCommit;
        DWORD   SizeOfHeapReserve;
        DWORD   SizeOfHeapCommit;
        DWORD   LoaderFlags;
        DWORD   NumberOfRvaAndSizes;
        IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
    To be continued
     
    Last edited: 14 Dec 2016
  7. Mikl___

    Magic - Specifies the state of the image file:
        IMAGE_NT_OPTIONAL_HDR32_MAGIC   0x010B  The file is a 32-bit executable image.
        IMAGE_NT_OPTIONAL_HDR64_MAGIC   0x020B  The file is a 64-bit executable image.
        IMAGE_ROM_OPTIONAL_HDR_MAGIC    0x0107  The file is a ROM image.
    MajorLinkerVersion - Major version number of the linker.
    MinorLinkerVersion - Minor version number of the linker.
    SizeOfCode - The size of the code section, or the sum of all such sections if there are multiple code sections.
    SizeOfInitializedData - The size of the initialized data section, or the sum of all such sections if there are multiple initialized data sections.
    SizeOfUninitializedData - The size of the uninitialized data section, or the sum of all such sections if there are multiple uninitialized data sections.
    AddressOfEntryPoint - Pointer to the entry point function, relative to the image base address. The entry point function is optional for DLLs. When no entry point is present, this member is zero.
    BaseOfCode - Pointer to the beginning of the code section, relative to the image base.
    BaseOfData - Pointer to the beginning of the data section, relative to the image base.
    ImageBase - Preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes. The default value for DLLs is 0x10000000. The default value for Win32-based applications on Windows CE is 0x00010000. The default value for Win32-based applications on Windows NT/Windows 2000 and Windows 95/98 is 0x00400000.
    SectionAlignment - The alignment, in bytes, of sections loaded in memory. This value must be greater than or equal to the FileAlignment member. The default value is the page size for the system.
    FileAlignment - The alignment, in bytes, of the raw data of sections in the image file. The value should be a power of 2 between 512 and 64K (inclusive). The default is 512. If the SectionAlignment member is less than the system page size, this member must be the same as SectionAlignment.
    MajorOperatingSystemVersion - Major version number of the required operating system.
    MinorOperatingSystemVersion - Minor version number of the required operating system.
    MajorImageVersion - Major version number of the image.
    MinorImageVersion - Minor version number of the image.
    MajorSubsystemVersion - Major version number of the subsystem.
    MinorSubsystemVersion - Minor version number of the subsystem.
    Win32VersionValue - This member is reserved.
    SizeOfImage - The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment.
    SizeOfHeaders - Combined size of the MS-DOS stub, the PE header, and the section headers, rounded up to a multiple of the value specified in the FileAlignment member.
    CheckSum - Image file checksum.
    Subsystem - The subsystem required to run the image:
        IMAGE_SUBSYSTEM_UNKNOWN          0x0000  Unknown subsystem.
        IMAGE_SUBSYSTEM_NATIVE           0x0001  No subsystem required.
        IMAGE_SUBSYSTEM_WINDOWS_GUI      0x0002  Image runs in the Windows GUI subsystem.
        IMAGE_SUBSYSTEM_WINDOWS_CUI      0x0003  Image runs in the Windows character-mode subsystem.
        IMAGE_SUBSYSTEM_POSIX_CUI        0x0007  Image runs in the POSIX character-mode subsystem.
        IMAGE_SUBSYSTEM_NATIVE_WINDOWS   0x0008  Image is a native Win9x driver.
        IMAGE_SUBSYSTEM_WINDOWS_CE_GUI   0x0009  Image runs in the Windows CE subsystem.
    DllCharacteristics - Specifies the DLL characteristics of the image.
    SizeOfStackReserve - The number of bytes to reserve for the stack.
    SizeOfStackCommit - The number of bytes to commit for the stack.
    SizeOfHeapReserve - The number of bytes to reserve for the local heap.
    SizeOfHeapCommit - The number of bytes to commit for the local heap.
    LoaderFlags - This member is obsolete.
    NumberOfRvaAndSizes - Number of entries in the DataDirectory array that follows.
    DataDirectory - An array of IMAGE_DATA_DIRECTORY entries, 8 bytes each, NumberOfRvaAndSizes of them:
    Code (C):
    typedef struct _IMAGE_DATA_DIRECTORY {
        DWORD VirtualAddress;
        DWORD Size;
    } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
    OK, I guess we have enough information to code our IMAGE_OPTIONAL_HEADER.

    PE File Format (so far)
    0x00 .... 0x3F     IMAGE_DOS_HEADER
    0x40 .... 0x7F     DOS 2.0 Stub Program
    0x80 .... ?        IMAGE_NT_HEADERS
    0x84 .... 0x97     IMAGE_FILE_HEADER
    0x98 .... 0xF7     IMAGE_OPTIONAL_HEADER
    0xF8 .... 0x177    IMAGE_DATA_DIRECTORY
    Code (ASM):
     IMAGE_OPTIONAL_HEADER:                    ;start : 98 (152) to F7 (247) * till IMAGE_DATA_DIRECTORY
                                                                          ;offset
                  .Magic                             dw     0x010B        ;152 153
                  .MajorLinkerVersion                db     0x01          ;154
                  .MinorLinkerVersion                db     0x37          ;155
                  .SizeOfCode                        dd     0             ;156 159
                  .SizeOfInitializedData             dd     0             ;160 163
                  .SizeOfUninitializedData           dd     0             ;164 167
                  .AddressOfEntryPoint               dd     0x2000        ;168 171
                                                                          ;base + 2000 = 402000 (.code section)
                  .BaseOfCode                        dd     0             ;172 175
                  .BaseOfData                        dd     0             ;176 179
                  .ImageBase                         dd     0x00400000    ;180 183 (default)
                  .SectionAlignment                  dd     0x00001000    ;184 187 4096 bytes
                  .FileAlignment                     dd     0x00000200    ;188 191 512 bytes (default)
                  .MajorOperatingSystemVersion       dw     1             ;192 193
                  .MinorOperatingSystemVersion       dw     0             ;194 195
                  .MajorImageVersion                 dw     0             ;196 197
                  .MinorImageVersion                 dw     0             ;198 199
                  .MajorSubsystemVersion             dw     4             ;200 201
                  .MinorSubsystemVersion             dw     0             ;202 203
                  .Win32VersionValue                 dd     0             ;204 207
                  .SizeOfImage                       dd     0x00004000    ;208 211
                  .SizeOfHeaders                     dd     0x00000200    ;212 215
                  .CheckSum                          dd     0x0000EF20    ;216 219
                  .Subsystem                         dw     2             ;220 221 IMAGE_SUBSYSTEM_WINDOWS_GUI
                  .DllCharacteristics                dw     0             ;222 223
                  .SizeOfStackReserve                dd     0x00001000    ;224 227 4096 bytes
                  .SizeOfStackCommit                 dd     0x00001000    ;228 231 4096 bytes
                  .SizeOfHeapReserve                 dd     0x00100000    ;232 235 1048576 bytes
                  .SizeOfHeapCommit                  dd     0             ;236 239
                  .LoaderFlags                       dd     0             ;240 243
                  .NumberOfRvaAndSizes               dd     0x10          ;244 247 16 decimal

                  IMAGE_DATA_DIRECTORY:              ;start : F8 (248) to 177 (375) * till IMAGE_SECTION_TABLE
                         rq     1                    ;248 255 entry 0 (export table), unused
                         .ImportTableVA              dd     0x00003000    ;256 259 entry 1: RVA of the import table (.idata)
                         .ImportTableSize            dd     0x00000090    ;260 263 entry 1: its size
                         rq     14                   ;264 375 the remaining 14 entries, not needed here

    db 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2E,0x64,0x61,0x74,0x61,0x00,0x00,0x00,\
    .... to the end
    Once we have finished the IMAGE_DATA_DIRECTORY, we need to present the system with the section headers. Since we have 3 sections as defined above, we need 3 IMAGE_SECTION_HEADER structures; together they form the IMAGE_SECTION_TABLE.
    Code (C):
    #define IMAGE_SIZEOF_SHORT_NAME 8

    typedef struct _IMAGE_SECTION_HEADER {
        BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
                DWORD   PhysicalAddress;
                DWORD   VirtualSize;
        } Misc;
        DWORD   VirtualAddress;
        DWORD   SizeOfRawData;
        DWORD   PointerToRawData;
        DWORD   PointerToRelocations;
        DWORD   PointerToLinenumbers;
        WORD    NumberOfRelocations;
        WORD    NumberOfLinenumbers;
        DWORD   Characteristics;
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
    To be continued
     
    Last edited: 16 Dec 2016
  8. Mikl___

    Name - An 8-byte, null-padded string. There is no terminating null character if the string is exactly eight characters long. For longer names, this member contains a forward slash (/) followed by a decimal number that is an offset into the string table. Executable images do not use a string table and do not support section names longer than eight characters.
    PhysicalAddress - The file address (the union member used in object files).
    VirtualSize - Total size of the section when loaded into memory. If this value is greater than the SizeOfRawData member, the remainder of the section is filled with zeroes.
    VirtualAddress - The address of the first byte of the section when loaded into memory, relative to the image base.
    SizeOfRawData - The size of the initialized data on disk. This value must be a multiple of the FileAlignment member of the IMAGE_OPTIONAL_HEADER structure. If this value is less than the VirtualSize member, the remainder of the section is filled with zeroes. If the section contains only uninitialized data, the member is zero.
    PointerToRawData - File pointer to the first page within the COFF file. This value must be a multiple of the FileAlignment member of the IMAGE_OPTIONAL_HEADER structure. If a section contains only uninitialized data, this member is zero.
    PointerToRelocations - File pointer to the beginning of the relocation entries for the section. If there are no relocations, this value is zero.
    PointerToLinenumbers - File pointer to the beginning of the line-number entries for the section. If there are no COFF line numbers, this value is zero.
    NumberOfRelocations - Number of relocation entries for the section. This value is zero for executable images.
    NumberOfLinenumbers - Number of line-number entries for the section.
    Characteristics - Flags describing the section's contents and the memory protection it is mapped with:
        IMAGE_SCN_TYPE_NO_PAD                          0x00000008  Reserved.
        IMAGE_SCN_CNT_CODE                             0x00000020  Section contains code.
        IMAGE_SCN_CNT_INITIALIZED_DATA                 0x00000040  Section contains initialized data.
        IMAGE_SCN_CNT_UNINITIALIZED_DATA               0x00000080  Section contains uninitialized data.
        IMAGE_SCN_LNK_OTHER                            0x00000100  Reserved.
        IMAGE_SCN_LNK_INFO                             0x00000200  Section contains comments or some other type of information.
        IMAGE_SCN_LNK_REMOVE                           0x00000800  Section contents will not become part of the image.
        IMAGE_SCN_LNK_COMDAT                           0x00001000  Section contents are COMDAT.
        IMAGE_SCN_NO_DEFER_SPEC_EXC                    0x00004000  Reset speculative exception handling bits in the TLB entries for this section.
        IMAGE_SCN_GPREL / IMAGE_SCN_MEM_FARDATA        0x00008000  Section content can be accessed relative to GP.
        IMAGE_SCN_MEM_PURGEABLE / IMAGE_SCN_MEM_16BIT  0x00020000  Reserved.
        IMAGE_SCN_MEM_LOCKED                           0x00040000  Reserved.
        IMAGE_SCN_MEM_PRELOAD                          0x00080000  Reserved.
        IMAGE_SCN_ALIGN_1BYTES                         0x00100000  Align data on a 1-byte boundary.
        IMAGE_SCN_ALIGN_2BYTES                         0x00200000  Align data on a 2-byte boundary.
        IMAGE_SCN_ALIGN_4BYTES                         0x00300000  Align data on a 4-byte boundary.
        IMAGE_SCN_ALIGN_8BYTES                         0x00400000  Align data on an 8-byte boundary.
        IMAGE_SCN_ALIGN_16BYTES                        0x00500000  Align data on a 16-byte boundary (default alignment if no other is specified).
        IMAGE_SCN_ALIGN_32BYTES                        0x00600000  Align data on a 32-byte boundary.
        IMAGE_SCN_ALIGN_64BYTES                        0x00700000  Align data on a 64-byte boundary.
        IMAGE_SCN_ALIGN_128BYTES                       0x00800000  Align data on a 128-byte boundary.
        IMAGE_SCN_LNK_NRELOC_OVFL                      0x01000000  Section contains extended relocations.
        IMAGE_SCN_MEM_DISCARDABLE                      0x02000000  Section can be discarded.
        IMAGE_SCN_MEM_NOT_CACHED                       0x04000000  Section is not cachable.
        IMAGE_SCN_MEM_NOT_PAGED                        0x08000000  Section is not pageable.
        IMAGE_SCN_MEM_SHARED                           0x10000000  Section is shareable.
        IMAGE_SCN_MEM_EXECUTE                          0x20000000  Section is executable.
        IMAGE_SCN_MEM_READ                             0x40000000  Section is readable.
        IMAGE_SCN_MEM_WRITE                            0x80000000  Section is writeable.
    The three values used in the listing are combinations of these flags: 0xC0000040 (.data) = MEM_WRITE | MEM_READ | CNT_INITIALIZED_DATA, 0x60000020 (.code) = MEM_EXECUTE | MEM_READ | CNT_CODE, and 0x40000040 (.idata) = MEM_READ | CNT_INITIALIZED_DATA.
    Continue to Windows PE File Format Walkthrough III
     
    Last edited: 14 Dec 2016
  9. Mikl___


    Windows PE File Format Walkthrough III

    This is our IMAGE_SECTION_TABLE; I also put the file offset values on the right so that we can reference them.
    Code (ASM):
                 IMAGE_SECTION_TABLE: ;start : 178 (376) to 1EF (495)
                         SECTION_1:
                                .Name                       dq     '.data'       ;start : 178 (376)
                                .VirtualSize                dd     0x0000001D
                                .VirtualAddress             dd     0x00001000    ;-> in memory, it is 401000
                                .SizeOfRawData              dd     0x00000200
                                .PointerToRawData           dd     0x00000200    ;-> in our file, it is 0x200 (512) (offset from zero)
                                .PointerToRelocations       dd     0
                                .PointerToLineNumbers       dd     0
                                .NumberOfRelocations        dw     0
                                .NumberOfLineNumbers        dw     0
                                .Characteristic             dd     0xC0000040    ;end   : 19F (415)  MEM_WRITE | MEM_READ | CNT_INITIALIZED_DATA
                         SECTION_2:
                                .Name                       dq     '.code'       ;start : 1A0 (416)
                                .VirtualSize                dd     0x0000001C
                                .VirtualAddress             dd     0x00002000    ;-> in memory, it is 402000
                                .SizeOfRawData              dd     0x00000200
                                .PointerToRawData           dd     0x00000400    ;-> in our file, it is 0x400 (1024) (offset from zero)
                                .PointerToRelocations       dd     0
                                .PointerToLineNumbers       dd     0
                                .NumberOfRelocations        dw     0
                                .NumberOfLineNumbers        dw     0
                                .Characteristic             dd     0x60000020    ;end   : 1C7 (455)  MEM_EXECUTE | MEM_READ | CNT_CODE
                         SECTION_3:
                                .Name                       dq     '.idata'      ;start : 1C8 (456)
                                .VirtualSize                dd     0x00000090
                                .VirtualAddress             dd     0x00003000    ;-> in memory, it is 403000
                                .SizeOfRawData              dd     0x00000200
                                .PointerToRawData           dd     0x00000600    ;-> in our file, it is 0x600 (1536) (offset from zero)
                                .PointerToRelocations       dd     0
                                .PointerToLineNumbers       dd     0
                                .NumberOfRelocations        dw     0
                                .NumberOfLineNumbers        dw     0
                                .Characteristic             dd     0x40000040    ;end   : 1EF (495)  MEM_READ | CNT_INITIALIZED_DATA
    ;                                                                                      |
    ;our SECTION_1 <PointerToRawData> points at 0x200 or (512) bytes from zero             |
    ;since the last byte we wrote is at file offset 1EF  ----------------------------------+
    ;we need "rb 0x10" or "rq 2" so that the 16 bytes from 1F0 to 1FF are filled.
                         rq     2                                                ;start : 1F0 (496) to 1FF (511)

    So our PE file format so far looks like this:

    PE File Format (so far)
    0x00 .... 0x3F     IMAGE_DOS_HEADER
    0x40 .... 0x7F     DOS 2.0 Stub Program
    0x80 .... ?        IMAGE_NT_HEADERS
    0x84 .... 0x97     IMAGE_FILE_HEADER
    0x98 .... 0xF7     IMAGE_OPTIONAL_HEADER
    0xF8 .... 0x177    IMAGE_DATA_DIRECTORY
    0x178 ... 0x1FF    IMAGE_SECTION_TABLE
    0x178 ... 0x19F    SECTION_1 ('.data')
    0x1A0 ... 0x1C7    SECTION_2 ('.code')
    0x1C8 ... 0x1EF    SECTION_3 ('.idata')

    Once we have coded the IMAGE_SECTION_TABLE, the last task is the raw data for those sections; check the PointerToRawData value each section points to.
    To be continued
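    The IMAGE_OPTIONAL_HEADER from the previous post and the IMAGE_SECTION_TABLE above are easier to trust once you can parse them back and check the invariants the loader relies on. The Python script below is an added example and is not part of the original post or of Sulaiman Chang's tutorial: it packs the header region (file offsets 0x000..0x1FF) with the exact values from the listings, parses it again, decodes Characteristics, maps RVAs to file offsets through the section table, and checks the alignment and SizeOfImage rules quoted earlier. Assumptions: the DOS stub is left as zeros (the PE loader never executes it, only e_lfanew matters to it), the image is PE32 (Magic 0x010B), and the struct layouts follow winnt.h.

```python
"""Build the 0x200-byte header region of the walkthrough's PE and parse it back.
Added example (not from the original post). Values are the listing's; the DOS
stub is left as zeros because the PE loader never runs it."""
import struct

IMAGE_FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
                    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE",
                    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI"}
FILE_HDR_FMT = "<HHIIIHH"        # IMAGE_FILE_HEADER, 20 bytes
OPT_HDR_FMT = "<HBB9I6H4I2H6I"   # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes

# (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics) from the listing
SECTIONS = [(b".data",  0x1D, 0x1000, 0x200, 0x200, 0xC0000040),
            (b".code",  0x1C, 0x2000, 0x200, 0x400, 0x60000020),
            (b".idata", 0x90, 0x3000, 0x200, 0x600, 0x40000040)]


def build_headers():
    """Return file bytes 0x000..0x1FF laid out exactly as the listing does."""
    # IMAGE_DOS_HEADER: e_magic..e_ovno, then e_res, e_oemid/e_oeminfo, e_res2, e_lfanew = 0x80
    dos = struct.pack("<2s13H", b"MZ", 0x80, 1, 0, 4, 0x10, 0xFFFF, 0, 0x140, 0, 0, 0, 0x40, 0)
    dos += bytes(8) + bytes(4) + bytes(20) + struct.pack("<I", 0x80)
    stub = bytes(0x40)                                   # DOS stub placeholder, offsets 0x40..0x7F
    file_hdr = struct.pack(FILE_HDR_FMT, 0x014C, len(SECTIONS), 0, 0, 0, 0xE0, 0x818F)
    opt_hdr = struct.pack(OPT_HDR_FMT,
        0x010B, 1, 0x37,                                 # Magic, linker version
        0, 0, 0, 0x2000, 0, 0, 0x400000, 0x1000, 0x200,  # sizes, entry point, bases, ImageBase, alignments
        1, 0, 0, 0, 4, 0,                                # OS / image / subsystem versions
        0, 0x4000, 0x200, 0xEF20,                        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                                            # Subsystem (GUI), DllCharacteristics
        0x1000, 0x1000, 0x100000, 0, 0, 16)              # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    data_dir = bytearray(16 * 8)
    struct.pack_into("<II", data_dir, 1 * 8, 0x3000, 0x90)   # entry 1 = import table (RVA, size)
    sect_tbl = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                        for n, vs, va, rs, rp, ch in SECTIONS)
    image = dos + stub + b"PE\0\0" + file_hdr + opt_hdr + bytes(data_dir) + sect_tbl
    return image + bytes(0x200 - len(image))             # pad to SizeOfHeaders (the listing's "rq 2")


def parse_headers(image):
    """Parse DOS, NT and section headers into a dict; raises ValueError on malformed input."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(FILE_HDR_FMT, image, e_lfanew + 4)
    opt_off = e_lfanew + 4 + 20
    opt = struct.unpack_from(OPT_HDR_FMT, image, opt_off)
    if opt[0] != 0x010B:
        raise ValueError("only PE32 (Magic 0x010B) is handled here")
    hdr = {"Machine": machine, "NumberOfSections": nsec,
           "Characteristics": sorted(n for b, n in IMAGE_FILE_FLAGS.items() if chars & b),
           "AddressOfEntryPoint": opt[6], "ImageBase": opt[9],
           "SectionAlignment": opt[10], "FileAlignment": opt[11],
           "SizeOfImage": opt[19], "SizeOfHeaders": opt[20], "Subsystem": opt[22],
           "ImportTable": struct.unpack_from("<II", image, opt_off + 96 + 1 * 8),
           "Sections": []}
    sec_off = opt_off + opt_size                         # section table follows the optional header
    for i in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from(SECTION_FMT, image, sec_off + 40 * i)
        hdr["Sections"].append({"Name": name.rstrip(b"\0").decode("ascii"), "VirtualSize": vs,
                                "VirtualAddress": va, "SizeOfRawData": rs,
                                "PointerToRawData": rp, "Characteristics": ch})
    return hdr


def rva_to_offset(hdr, rva):
    """Map an RVA to a file offset via the section table; None if it hits no raw data on disk."""
    for s in hdr["Sections"]:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + s["SizeOfRawData"]:
            return rva - s["VirtualAddress"] + s["PointerToRawData"]
    return None


def check_layout(hdr):
    """Alignment and size invariants the loader expects; returns a list of problems (empty = OK)."""
    sa, fa = hdr["SectionAlignment"], hdr["FileAlignment"]
    problems = []
    if sa < fa:
        problems.append("SectionAlignment is smaller than FileAlignment")
    if hdr["SizeOfHeaders"] % fa:
        problems.append("SizeOfHeaders is not a multiple of FileAlignment")
    end = 0
    for s in hdr["Sections"]:
        if s["VirtualAddress"] % sa or s["PointerToRawData"] % fa or s["SizeOfRawData"] % fa:
            problems.append(f"{s['Name']}: address or size not aligned")
        end = max(end, s["VirtualAddress"] + -(-s["VirtualSize"] // sa) * sa)   # round up to SectionAlignment
    if end != hdr["SizeOfImage"]:
        problems.append(f"sections end at {end:#x} but SizeOfImage is {hdr['SizeOfImage']:#x}")
    if rva_to_offset(hdr, hdr["AddressOfEntryPoint"]) is None:
        problems.append("AddressOfEntryPoint does not fall inside any section's raw data")
    return problems


if __name__ == "__main__":
    hdr = parse_headers(build_headers())
    print(hdr["Characteristics"], hdr["Sections"], check_layout(hdr) or "layout OK")
```

    The same parser applied to a real executable would read the file instead of build_headers(); note that rva_to_offset deliberately refuses RVAs that fall into the zero-filled tail between SizeOfRawData and the next SectionAlignment boundary, since those bytes exist only in memory.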
     
  10. Mikl___

    Code (ASM):
    ;file offset = 0x200
                         ;memory offset = 0x401000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_1.VirtualAddress)
                         ;=========================================================================================
                         SECTION_1_RAW_DATA:                                     ;start : 200 (512) to 3FF (1023)
                         org 0x401000
                                msgText       db     'Message Text',0            ;\  ;512 524
                                                                                 ; } we use 1D (29) bytes here
                                msgCaption    db     'Message Caption',0         ;/  ;525 540

                                ; 541 to 1023 should be filled
                                ; (1023 - 541) + 1 = 483 bytes

                                ; we NEED the + 1 because offset 1023 is itself part of the range
                                rb     483                         ;because our .code raw data starts at 400 (1024)
                                                                   ;and because IMAGE_OPTIONAL_HEADER.FileAlignment is 0x200 (512) bytes

                         ;file offset   = 0x400
                         ;memory offset = 0x402000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_2.VirtualAddress)
                         ;=========================================================================================
                         org 0x402000                ;full virtual address, as for SECTION_1
                         SECTION_2_RAW_DATA:                                            ;start : 400 (1024) to 5FF (1535)
                                use32                                                   ;we are using 32-bit instructions
                                push   0x40                 ;6A 40                      ;MB_OK + MB_ICONASTERISK + MB_APPLMODAL
                                push   msgCaption           ;68 0D 10 40 00             ;push msgCaption (0x40100D)
                                push   msgText              ;68 00 10 40 00             ;push msgText (0x401000)
                                push   0                    ;6A 00                      ;push HWND_DESKTOP
                                call   dword [0x0040307A]   ;FF 15 7A 30 40 00          ;call MessageBoxA through its IAT slot
                                push   0                    ;6A 00                      ;push zero for the ExitProcess parameter
                                call   dword [0x0040305C]   ;FF 15 5C 30 40 00          ;call ExitProcess through its IAT slot

                                ;we have used 1C (28) bytes here
                                ;1052 to 1535 should be filled
                                ;(1535 - 1052) + 1 = 484 bytes
                                rb     484

                         ;file offset   = 0x600
                         ;memory offset = 0x403000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_3.VirtualAddress)
                         ;=========================================================================================
                         org 0x403000                ;the RVAs below (0x3xxx) are written out as constants
                         SECTION_3_RAW_DATA:                                     ;start : 600 (1536) to 7FF (2047)
                                IMAGE_IMPORT_DESCRIPTOR_1:                                ;KERNEL32.DLL
                                       .OriginalFirstThunk  dd     0x00003054    ;3000 3003 RVA of the import lookup table (ILT)
                                       .TimeDateStamp       dd     0             ;3004 3007
                                       .ForwarderChain      dd     0             ;3008 300B
                                       .Name                dd     0x0000303C    ;300C 300F RVA of 'KERNEL32.DLL'
                                       .FirstThunk          dd     0x0000305C    ;3010 3013 RVA of the import address table (IAT)
                                IMAGE_IMPORT_DESCRIPTOR_2:                                ;USER32.DLL
                                       .OriginalFirstThunk  dd     0x00003072    ;3014 3017
                                       .TimeDateStamp       dd     0             ;3018 301B
                                       .ForwarderChain      dd     0             ;301C 301F
                                       .Name                dd     0x00003049    ;3020 3023 RVA of 'USER32.DLL'
                                       .FirstThunk          dd     0x0000307A    ;3024 3027

                                              ;terminated with an IMAGE_IMPORT_DESCRIPTOR filled with zeros
                                rd     5      ;the size of one IMAGE_IMPORT_DESCRIPTOR
                                                                                 ;3028 to 303B

                                ;Our DLL names
                                .KERNEL32     db     'KERNEL32.DLL',0            ;303C to 3048
                                .USER32       db     'USER32.DLL',0              ;3049 to 3053

                                IMAGE_THUNK_DATA32_1:                            ;ILT and IAT for KERNEL32; on disk both point at IMAGE_IMPORT_BY_NAME_1
                                       .ForwarderString     dd     0x00003064           ;3054 3057 ILT entry
                                       .Function            dd     0                    ;3058 305B ILT terminator
                                       .Ordinal             dd     0x00003064           ;305C 305F IAT entry, overwritten by the loader with the function address
                                       .AddressOfData       dd     0                    ;3060 3063 IAT terminator

                                       IMAGE_IMPORT_BY_NAME_1:
                                              .Hint         dw     0                    ;3064 3065
                                              .Name         db     'ExitProcess',0      ;3066 3071

                                IMAGE_THUNK_DATA32_2:                            ;ILT and IAT for USER32
                                       .ForwarderString     dd     0x00003082           ;3072 3075 ILT entry
                                       .Function            dd     0                    ;3076 3079 ILT terminator
                                       .Ordinal             dd     0x00003082           ;307A 307D IAT entry
                                       .AddressOfData       dd     0                    ;307E 3081 IAT terminator

                                       IMAGE_IMPORT_BY_NAME_2:
                                              .Hint         dw     0                    ;3082 3083
                                              .Name         db     'MessageBoxA',0      ;3084 308F

                                ;3000 to 308F = 0x90 (144) bytes used
                                ;must fill 2048 - (1536 + 144) = 368 bytes
                                rb 367
                                db 0          ;a trailing rb is not written to the output file, so the last byte is an explicit db
    PE File Format
    0x00 .... 0x3F     IMAGE_DOS_HEADER
    0x40 .... 0x7F     DOS 2.0 Stub Program
    0x80 .... 0x177    IMAGE_NT_HEADERS
    0x84 .... 0x97     IMAGE_FILE_HEADER
    0x98 .... 0xF7     IMAGE_OPTIONAL_HEADER
    0xF8 .... 0x177    IMAGE_DATA_DIRECTORY
    0x178 ... 0x1FF    IMAGE_SECTION_TABLE
    0x178 ... 0x19F    SECTION_1 ('.data')
    0x1A0 ... 0x1C7    SECTION_2 ('.code')
    0x1C8 ... 0x1EF    SECTION_3 ('.idata')
    0x1F0 ... 0x1FF    16 zeroes
    0x200 ... 0x3FF    SECTION_1_RAW_DATA
    0x400 ... 0x5FF    SECTION_2_RAW_DATA
    0x600 ... 0x7FF    SECTION_3_RAW_DATA
                       IMAGE_IMPORT_DESCRIPTOR_1, IMAGE_IMPORT_DESCRIPTOR_2, null descriptor
                       DLL Names
                       IMAGE_THUNK_DATA32_1
                       IMAGE_IMPORT_BY_NAME_1
                       IMAGE_THUNK_DATA32_2
                       IMAGE_IMPORT_BY_NAME_2
                       *fill the rest with zeroes so that we reach 0x7FF
    Continue to Windows PE File Format Walkthrough (Code)
     
    Last edited: 14 Dec 2016
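    The import directory above is the part of this file the loader actually walks, and the two `call dword [...]` instructions in .code only work because their absolute operands land on FirstThunk slots. The Python script below is an added example and is not part of the original post or of Sulaiman Chang's tutorial: it rebuilds the 144 bytes of .idata and the 28 bytes of .code from the values in the listing (constructed input, RVA 0x3000 for .idata, ImageBase 0x400000), walks the descriptors, ILTs and IMAGE_IMPORT_BY_NAME records, and then names the import behind each FF 15 call. The ordinal-import branch and the out-of-section RVA check are assumptions about how a general walker should behave, not behaviour the listing exercises.

```python
"""Walk the import directory of the walkthrough's .idata and tie the .code calls to imports.
Added example (not from the original post). The bytes are rebuilt from the listing."""
import struct

IMAGE_BASE = 0x400000
IDATA_RVA = 0x3000
IMAGE_ORDINAL_FLAG32 = 0x80000000


def build_idata():
    """Lay out .idata byte for byte as the listing does (RVAs in the comments)."""
    d = bytearray()
    d += struct.pack("<5I", 0x3054, 0, 0, 0x303C, 0x305C)   # 3000: descriptor for KERNEL32.DLL
    d += struct.pack("<5I", 0x3072, 0, 0, 0x3049, 0x307A)   # 3014: descriptor for USER32.DLL
    d += bytes(20)                                          # 3028: all-zero terminator descriptor
    d += b"KERNEL32.DLL\0" + b"USER32.DLL\0"                # 303C, 3049: DLL names
    d += struct.pack("<II", 0x3064, 0)                      # 3054: ILT for KERNEL32 (entry, terminator)
    d += struct.pack("<II", 0x3064, 0)                      # 305C: IAT for KERNEL32, same content on disk
    d += struct.pack("<H", 0) + b"ExitProcess\0"            # 3064: IMAGE_IMPORT_BY_NAME (hint, name)
    d += struct.pack("<II", 0x3082, 0)                      # 3072: ILT for USER32
    d += struct.pack("<II", 0x3082, 0)                      # 307A: IAT for USER32
    d += struct.pack("<H", 0) + b"MessageBoxA\0"            # 3082: IMAGE_IMPORT_BY_NAME
    assert len(d) == 0x90, len(d)                           # matches VirtualSize / ImportTableSize
    return bytes(d)


# .code as the listing encodes it: push 40h / push msgCaption / push msgText / push 0 /
# call [40307Ah] / push 0 / call [40305Ch]
CODE = bytes.fromhex("6A40" "680D104000" "6800104000" "6A00" "FF157A304000" "6A00" "FF155C304000")


def _cstr(data, off):
    """Read a NUL-terminated ASCII string starting at offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(idata, section_rva=IDATA_RVA):
    """Return {dll_name: [(iat_slot_rva, hint, function_name), ...]}.

    Walks the descriptor array to the all-zero terminator, then each descriptor's
    OriginalFirstThunk (ILT) to its zero entry. Every RVA is turned into a section
    offset by subtracting section_rva; an RVA outside .idata raises instead of
    silently reading garbage.
    """
    def off(rva):
        if not section_rva <= rva < section_rva + len(idata):
            raise ValueError(f"RVA {rva:#x} lies outside the .idata section")
        return rva - section_rva

    imports = {}
    for desc in range(0, len(idata) - 19, 20):
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", idata, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                           # terminator descriptor
        entries = []
        for i in range(len(idata) // 4):
            ilt_entry, = struct.unpack_from("<I", idata, off(oft) + 4 * i)
            if ilt_entry == 0:
                break                                       # end of this DLL's thunk table
            if ilt_entry & IMAGE_ORDINAL_FLAG32:
                hint, name = ilt_entry & 0xFFFF, None       # import by ordinal: no name record
            else:
                hint, = struct.unpack_from("<H", idata, off(ilt_entry))
                name = _cstr(idata, off(ilt_entry) + 2)
            entries.append((ft + 4 * i, hint, name))        # ft + 4*i is the IAT slot the code calls through
        imports[_cstr(idata, off(name_rva))] = entries
    return imports


def resolve_iat_calls(code, imports, image_base=IMAGE_BASE):
    """Find each FF 15 (call dword [abs32]) and name the import whose IAT slot it targets.

    This is a byte scan, not a disassembler: fine for this 28-byte section, but FF 15
    inside an immediate would be misdetected in real code.
    """
    slot_names = {slot: f"{dll}!{name or '#%d' % hint}"
                  for dll, entries in imports.items() for slot, hint, name in entries}
    calls = []
    pos = code.find(b"\xff\x15")
    while pos != -1:
        target, = struct.unpack_from("<I", code, pos + 2)
        calls.append((pos, slot_names.get(target - image_base, f"unknown IAT slot {target:#x}")))
        pos = code.find(b"\xff\x15", pos + 6)
    return calls


if __name__ == "__main__":
    imp = parse_imports(build_idata())
    for dll, entries in imp.items():
        print(dll, entries)
    print(resolve_iat_calls(CODE, imp))
```

    On disk the ILT and the IAT hold the same RVAs; at load time the loader replaces each IAT entry with the resolved function address and leaves the ILT alone, which is why the code calls through FirstThunk (0x305C, 0x307A) and not through OriginalFirstThunk, and why comparing the two tables in a running process is a cheap way to spot IAT hooks.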
  11. Mikl___


    Windows PE File Format Walkthrough (Code)

    Download Tab-Unfilled version here
    Code (ASM):
    IMAGE_DOS_HEADER: ;start : 00 (0) to 3F (63)
           .e_magic      dw     0x5A4D        ;00 01  'MZ'
           .e_cblp       dw     0x0080        ;02 03  bytes on the last page of the DOS part
           .e_cp         dw     0x0001        ;04 05  pages in the DOS part
           .e_crlc       dw     0x0000        ;06 07
           .e_cparhdr    dw     0x0004        ;08 09  header = 4 paragraphs = 64 bytes, so DOS loads the stub from file offset 0x40
           .e_minalloc   dw     0x0010        ;10 11
           .e_maxalloc   dw     0xFFFF        ;12 13
           .e_ss         dw     0x0000        ;14 15
           .e_sp         dw     0x0140        ;16 17
           .e_csum       dw     0x0000        ;18 19
           .e_ip         dw     0x0000        ;20 21
           .e_cs         dw     0x0000        ;22 23
           .e_lfarlc     dw     0x0040        ;24 25
           .e_ovno       dw     0x0000        ;26 27
           .e_res        rw     4             ;28 29 | 30 31 | 32 33 | 34 35
           .e_oemid      dw     0x0000        ;36 37
           .e_oeminfo    dw     0x0000        ;38 39
           .e_res2       rw     10            ;40 41 | 42 43 | ... | 58 59
           .e_lfanew     dd     0x00000080    ;60 61 62 63  file offset of the PE signature
    ;=====================================================================================================
    DOS_STUB:                          ;start : 40 (64) to 7F (127)
           use16                       ;the DOS stub is a 16-bit program
                                       ;no "push cs / pop ds" is needed (that saves 2 bytes):
                                       ;DS already holds the PSP segment, which is 0x100 bytes below CS,
                                       ;so CS:0 is addressed as DS:0x100
           mov    dx,0x100 + 0x0B      ;our message starts at stub offset 0x0B: the 5 instructions before it take 11 bytes
           mov    ah,0x9               ;DOS: print the '$'-terminated string at DS:DX
           int    0x21
           mov    ah,0x4C              ;DOS: terminate; loading AH only (not AX) saves 1 byte, the exit code in AL is left as is
           int    0x21

           db     'This program cannot be run in DOS mode.',13,10,'$'

           rb     0x80 - $             ;0x80 - 0x75 = rb 0xB
    ;=====================================================================================================
    IMAGE_NT_HEADERS:                                ;start : 80 (128) to 177 (375)
           .Signature           db     'PE',0,0      ;128 131

           IMAGE_FILE_HEADER:                        ;start : 84 (132) to 97 (151)
                  .Machine                           dw     0x014C        ;132 133 IMAGE_FILE_MACHINE_I386
                  .NumberOfSection                   dw     0x0003        ;134 135
                  .TimeDateStamp                     dd     %t            ;136 139 FASM: assembly time as a UNIX timestamp
                  .PointerToSymbolTable              dd     0             ;140 143
                  .NumberOfSymbols                   dd     0             ;144 147
                  .SizeOfOptionalHeader              dw     0x00E0        ;148 149 96 + 16*8 = 224 bytes
                  .Characteristic                    dw     0x818F        ;150 151

           IMAGE_OPTIONAL_HEADER:                    ;start : 98 (152) to F7 (247) * till IMAGE_DATA_DIRECTORY
                                                                          ;offset
                  .Magic                             dw     0x010B        ;152 153
                  .MajorLinkerVersion                db     0x01          ;154
                  .MinorLinkerVersion                db     0x37          ;155
                  .SizeOfCode                        dd     0             ;156 159
                  .SizeOfInitializedData             dd     0             ;160 163
                  .SizeOfUninitializedData           dd     0             ;164 167
                  .AddressOfEntryPoint               dd     0x2000        ;168 171 = base + 2000 = 402000 (.code section)
                  .BaseOfCode                        dd     0             ;172 175
                  .BaseOfData                        dd     0             ;176 179
                  .ImageBase                         dd     0x00400000    ;180 183 (default)
                  .SectionAlignment                  dd     0x00001000    ;184 187 4096 bytes
                  .FileAlignment                     dd     0x00000200    ;188 191 512 bytes (default)
                  .MajorOperatingSystemVersion       dw     1             ;192 193
                  .MinorOperatingSystemVersion       dw     0             ;194 195
                  .MajorImageVersion                 dw     0             ;196 197
                  .MinorImageVersion                 dw     0             ;198 199
                  .MajorSubsystemVersion             dw     4             ;200 201
                  .MinorSubsystemVersion             dw     0             ;202 203
                  .Win32VersionValue                 dd     0             ;204 207
                  .SizeOfImage                       dd     0x00004000    ;208 211
                  .SizeOfHeaders                     dd     0x00000200    ;212 215
                  .CheckSum                          dd     0x0000EF20    ;216 219
                  .Subsystem                         dw     2             ;220 221 IMAGE_SUBSYSTEM_WINDOWS_GUI
                  .DllCharacteristics                dw     0             ;222 223
                  .SizeOfStackReserve                dd     0x00001000    ;224 227 4096 bytes
                  .SizeOfStackCommit                 dd     0x00001000    ;228 231 4096 bytes
                  .SizeOfHeapReserve                 dd     0x00100000    ;232 235 1048576 bytes
                  .SizeOfHeapCommit                  dd     0             ;236 239
                  .LoaderFlags                       dd     0             ;240 243
                  .NumberOfRvaAndSizes               dd     0x10          ;244 247 16 decimal

                  IMAGE_DATA_DIRECTORY:              ;start : F8 (248) to 177 (375) * till IMAGE_SECTION_TABLE
                         rq     1                    ;248 255 entry 0 (export table), unused
                         .ImportTableVA              dd     0x00003000    ;256 259 entry 1: RVA of the import table (.idata)
                         .ImportTableSize            dd     0x00000090    ;260 263 entry 1: its size
                         rq     14                   ;264 375 the remaining 14 entries, not needed here

                  IMAGE_SECTION_TABLE:                                           ;start : 178 (376) to 1EF (495)
                         SECTION_1:
                                .Name                       dq     '.data'       ;start : 178 (376)
                                .VirtualSize                dd     0x0000001D
                                .VirtualAddress             dd     0x00001000    ;-> in memory, it is 401000
                                .SizeOfRawData              dd     0x00000200
                                .PointerToRawData           dd     0x00000200    ;-> in our file, it is 0x200 (512) (offset from zero)
                                .PointerToRelocations       dd     0
                                .PointerToLineNumbers       dd     0
                                .NumberOfRelocations        dw     0
                                .NumberOfLineNumbers        dw     0
    54.               .Magic                             dw     0x010B        ;152 153
    55.               .MajorLinkerVersion                db     0x01          ;154
                  .MinorLinkerVersion                db     0x37          ;155
                  .SizeOfCode                        dd     0             ;156 159
                  .SizeOfInitializedData             dd     0             ;160 163
                  .SizeOfUninitializedData           dd     0             ;164 167
                  .AddressOfEntryPoint               dd     0x2000        ;168 171 = base + 2000 = 402000 (.code section)
                  .BaseOfCode                        dd     0             ;172 175
                  .BaseOfData                        dd     0             ;176 179
                  .ImageBase                         dd     0x00400000    ;180 183 (default)
                  .SectionAlignment                  dd     0x00001000    ;184 187 4096 bytes
                  .FileAlignment                     dd     0x00000200    ;188 191 512 bytes (default)
                  .MajorOperatingSystemVersion       dw     1             ;192 193
                  .MinorOperatingSystemVersion       dw     0             ;194 195
                  .MajorImageVersion                 dw     0             ;196 197
                  .MinorImageVersion                 dw     0             ;198 199
                  .MajorSubsystemVersion             dw     4             ;200 201
                  .MinorSubsystemVersion             dw     0             ;202 203
                  .Win32VersionValue                 dd     0             ;204 207
                  .SizeOfImage                       dd     0x00004000    ;208 211 headers + 3 sections, each one SectionAlignment page
                  .SizeOfHeaders                     dd     0x00000200    ;212 215
                  .CheckSum                          dd     0x0000EF20    ;216 219
                  .Subsystem                         dw     2             ;220 221 IMAGE_SUBSYSTEM_WINDOWS_GUI
                  .DllCharacteristics                dw     0             ;222 223
                  .SizeOfStackReserve                dd     0x00001000    ;224 227 4096 bytes
                  .SizeOfStackCommit                 dd     0x00001000    ;228 231 4096 bytes
                  .SizeOfHeapReserve                 dd     0x00100000    ;232 235 1048576 bytes
                  .SizeOfHeapCommit                  dd     0             ;236 239
                  .LoaderFlags                       dd     0             ;240 243
                  .NumberOfRvaAndSizes               dd     0x10          ;244 247 16 decimal

                  IMAGE_DATA_DIRECTORY:              ;start : F8 (248) to 177 (375), 16 entries of 8 bytes, up to IMAGE_SECTION_TABLE
                         rq     1                    ;248 255 export directory (unused)
                         .ImportTableVA              dd     0x00003000    ;256 259 RVA of the import directory (.idata)
                         .ImportTableSize            dd     0x00000090    ;260 263
                         rq     14                   ;the remaining 14 entries are unused    ;264 375 (14 * 8 = 112 bytes)

                  IMAGE_SECTION_TABLE:                                           ;start : 178 (376) to 1EF (495)
                         SECTION_1:
                                .Name                       dq     '.data'       ;start : 178 (376)
                                .VirtualSize                dd     0x0000001D    ;29 bytes actually used
                                .VirtualAddress             dd     0x00001000    ;-> in memory, it is 401000
                                .SizeOfRawData              dd     0x00000200
                                .PointerToRawData           dd     0x00000200    ;-> in our file, it is 0x200 (512) (offset from zero)
                                .PointerToRelocations       dd     0
                                .PointerToLineNumbers       dd     0
                                .NumberOfRelocations        dw     0
                                .NumberOfLineNumbers        dw     0
                                .Characteristics            dd     0xC0000040    ;end   : 19F (415) INITIALIZED_DATA | MEM_READ | MEM_WRITE
                         SECTION_2:
                                .Name                       dq     '.code'       ;start : 1A0 (416)
                                .VirtualSize                dd     0x0000001C    ;28 bytes of code
                                .VirtualAddress             dd     0x00002000    ;-> in memory, it is 402000
                                .SizeOfRawData              dd     0x00000200
                                .PointerToRawData           dd     0x00000400    ;-> in our file, it is 0x400 (1024) (offset from zero)
                                .PointerToRelocations       dd     0
                                .PointerToLineNumbers       dd     0
                                .NumberOfRelocations        dw     0
                                .NumberOfLineNumbers        dw     0
                                .Characteristics            dd     0x60000020    ;end   : 1C7 (455) CODE | MEM_EXECUTE | MEM_READ
                         SECTION_3:
                                .Name                       dq     '.idata'      ;start : 1C8 (456)
                                .VirtualSize                dd     0x00000090    ;144 bytes of import data
                                .VirtualAddress             dd     0x00003000    ;-> in memory, it is 403000
                                .SizeOfRawData              dd     0x00000200
                                .PointerToRawData           dd     0x00000600    ;-> in our file, it is 0x600 (1536) (offset from zero)
                                .PointerToRelocations       dd     0
                                .PointerToLineNumbers       dd     0
                                .NumberOfRelocations        dw     0
                                .NumberOfLineNumbers        dw     0
                                .Characteristics            dd     0x40000040    ;end   : 1EF (495) INITIALIZED_DATA | MEM_READ
    ;                                                                                      |
    ;our SECTION_1 <PointerToRawData> points at 0x200 or (512) bytes from zero             |
    ;since we are currently at file offset 1EF ---------------------------------------------+
    ;we need "rb 0x10" or "rq 2" so that the 16 bytes from 1F0 to 1FF are filled.
    129.  
     

    Attachments:

    • pe.zip
      File size:
      3.2 KB
    Last edited: 14 Dec 2016
  12. Mikl___

    Code (ASM):
                         rq 2 ;start : 1F0 (496) to 1FF (511), padding up to FileAlignment

                         ;file offset   = 0x200
                         ;memory offset = 0x401000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_1.VirtualAddress)
                         ;=========================================================================================
                         SECTION_1_RAW_DATA:                                     ;start : 200 (512) to 3FF (1023)
                         org 0x401000                ;labels defined here resolve to their virtual addresses,
                                                     ;so the code below can push them directly
                                msgText       db     'Message Text',0            ;\  ;512 524
                                                                                 ; } we use 1D (29) bytes here
                                msgCaption    db     'Message Caption',0         ;/  ;525 540

                                ; 541 to 1023 should be filled
                                ; (1023 - 541) + 1 = 483 bytes

                                ; we NEED the + 1 because 1023 - 541 is only the distance
                                ; between the two offsets; byte 1023 itself is filled as well.
                                rb     483                         ;because our .code raw data start at 400 (1024)
                                                                   ;and because our IMAGE_OPTIONAL_HEADER > FileAlignment is 0x200 (512) bytes

                         ;file offset   = 0x400
                         ;memory offset = 0x402000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_2.VirtualAddress)
                         ;=========================================================================================
                         org 0x2000
                         SECTION_2_RAW_DATA:                                            ;start : 400 (1024) to 5FF (1535)
                                use32                                                   ;we are using 32-bit instructions
                                push   0x40                 ;6A 40                      ;MB_OK + MB_ICONASTERISK + MB_APPLMODAL
                                push   msgCaption           ;68 0D 10 40 00             ;push msgCaption (0x40100D)
                                push   msgText              ;68 00 10 40 00             ;push msgText    (0x401000)
                                push   0                    ;6A 00                      ;push HWND_DESKTOP
                                call   dword [0x0040307A]   ;FF 15 7A 30 40 00          ;call MessageBoxA through its IAT slot (ImageBase + 307A)
                                push   0                    ;6A 00                      ;push zero for ExitProcess parameter
                                call   dword [0x0040305C]   ;FF 15 5C 30 40 00          ;call ExitProcess through its IAT slot (ImageBase + 305C)

                                ;we have used 1C (28) bytes here
                                ;1052 to 1535 should be filled
                                ;(1535 - 1052) + 1 = 484 bytes
                                rb     484

                         ;file offset   = 0x600
                         ;memory offset = 0x403000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_3.VirtualAddress)
                         ;=========================================================================================
                         org 0x3000
                         SECTION_3_RAW_DATA:                                     ;start : 600 (1536) to 7FF (2047)
                                IMAGE_IMPORT_DESCRIPTOR_1:                              ;KERNEL32.DLL
                                       .OriginalFirstThunk  dd     0x00003054    ;3000 3003 -> import name table (INT)
                                       .TimeDateStamp       dd     0             ;3004 3007
                                       .ForwarderChain      dd     0             ;3008 300B
                                       .Name                dd     0x0000303C    ;300C 300F -> 'KERNEL32.DLL'
                                       .FirstThunk          dd     0x0000305C    ;3010 3013 -> import address table (IAT)
                                IMAGE_IMPORT_DESCRIPTOR_2:                              ;USER32.DLL
                                       .OriginalFirstThunk  dd     0x00003072    ;3014 3017 -> INT
                                       .TimeDateStamp       dd     0             ;3018 301B
                                       .ForwarderChain      dd     0             ;301C 301F
                                       .Name                dd     0x00003049    ;3020 3023 -> 'USER32.DLL'
                                       .FirstThunk          dd     0x0000307A    ;3024 3027 -> IAT

                                              ;the array is terminated with an IMAGE_IMPORT_DESCRIPTOR filled with zeros
                                rd     5      ;the structure size of IMAGE_IMPORT_DESCRIPTOR (5 dwords = 20 bytes)
                                                                                 ;3028 to 303B

                         ;Our DLL names
                         .KERNEL32     db     'KERNEL32.DLL',0                   ;303C to 3048
                         .USER32       db     'USER32.DLL',0                     ;3049 to 3053

                         ;Each DLL gets two zero-terminated arrays of IMAGE_THUNK_DATA32 (one dword each):
                         ;the INT (OriginalFirstThunk) holds the RVA of an IMAGE_IMPORT_BY_NAME, and the IAT
                         ;(FirstThunk) starts with the same RVA but is overwritten by the loader with the
                         ;address of the function; that is why the code calls through [0x0040305C] and [0x0040307A].
                         IMAGE_THUNK_DATA32_1:
                                .ForwarderString     dd     0x00003064           ;3054 3057 INT entry -> IMAGE_IMPORT_BY_NAME_1
                                .Function            dd     0                    ;3058 305B INT terminator
                                .Ordinal             dd     0x00003064           ;305C 305F IAT entry -> IMAGE_IMPORT_BY_NAME_1 (ExitProcess)
                                .AddressOfData       dd     0                    ;3060 3063 IAT terminator

                                IMAGE_IMPORT_BY_NAME_1:
                                       .Hint         dw     0                    ;3064 3065
                                       .Name         db     'ExitProcess',0      ;3066 3071

                         IMAGE_THUNK_DATA32_2:
                                .ForwarderString     dd     0x00003082           ;3072 3075 INT entry -> IMAGE_IMPORT_BY_NAME_2
                                .Function            dd     0                    ;3076 3079 INT terminator
                                .Ordinal             dd     0x00003082           ;307A 307D IAT entry -> IMAGE_IMPORT_BY_NAME_2 (MessageBoxA)
                                .AddressOfData       dd     0                    ;307E 3081 IAT terminator

                                IMAGE_IMPORT_BY_NAME_2:
                                       .Hint         dw     0                    ;3082 3083
                                       .Name         db     'MessageBoxA',0      ;3084 308F

                         ;3000 to 308F = 0x90 (144) bytes used, matching SECTION_3.VirtualSize and .ImportTableSize
                         ;we must fill up to 2047: (2047 - (1536 + 144)) + 1 = 368 bytes
                         rb 367        ;fasm does not write reserved (rb) bytes that end the output file,
                         db 0          ;so the last byte is defined explicitly to force the file out to 0x800 (2048) bytes
    Sorry that I finished so quickly, but I am already tired of writing :)

    References used:


    1. Create PE from scratch http://flatassembler.net/viewtopic.php?t=1309
    2. LUEVELSMEYER's description of the PE file format
    3. Microsoft PSDK, July 2000 Edition
    4. Iczelion's PE Tutorial
     
    Last edited: 14 Dec 2016
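    The import directory of the listing above, re-read the way a loader or a PE triage tool would. This is an added Python example and not part of the original post: it reproduces the listing's section table and its 0x90 bytes of .idata with struct (the rest of the 0x800-byte image is left zero, since only the imports are read), maps RVAs to file offsets through the section table, and walks the descriptor and thunk chains with bounds checks and loop caps so that a malformed table raises instead of running away.

```python
import struct
SIZE_OF_HEADERS = 0x200   # IMAGE_OPTIONAL_HEADER.SizeOfHeaders in the listing
# Section table from the listing: name -> (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = {b".data": (0x1000, 0x1D, 0x200, 0x200),
            b".code": (0x2000, 0x1C, 0x400, 0x200),
            b".idata": (0x3000, 0x90, 0x600, 0x200)}

def rva_to_offset(rva):
    """Map an RVA to a file offset; raise if no file bytes back it (headers map 1:1)."""
    if rva < SIZE_OF_HEADERS:
        return rva
    for va, _vsize, raw, rawsize in SECTIONS.values():
        if va <= rva < va + rawsize:        # only SizeOfRawData bytes exist on disk
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not file-backed")

def build_file():
    """0x800-byte file image with .idata laid out exactly as in the listing (RVA 0x3000 ->
    file offset 0x600); headers and code stay zero because only the imports are read here."""
    d = struct.pack("<5I", 0x3054, 0, 0, 0x303C, 0x305C)    # descriptor 1: KERNEL32
    d += struct.pack("<5I", 0x3072, 0, 0, 0x3049, 0x307A)   # descriptor 2: USER32
    d += bytes(20)                                          # all-zero terminating descriptor
    d += b"KERNEL32.DLL\0" + b"USER32.DLL\0"               # DLL names at 303C and 3049
    d += struct.pack("<2I", 0x3064, 0) * 2                  # INT at 3054, IAT at 305C
    d += struct.pack("<H", 0) + b"ExitProcess\0"            # IMAGE_IMPORT_BY_NAME at 3064
    d += struct.pack("<2I", 0x3082, 0) * 2                  # INT at 3072, IAT at 307A
    d += struct.pack("<H", 0) + b"MessageBoxA\0"            # IMAGE_IMPORT_BY_NAME at 3082
    img = bytearray(0x800)
    img[0x600:0x600 + len(d)] = d
    return bytes(img)

def read_cstr(img, rva, limit=256):
    off = rva_to_offset(rva)
    end = img.find(b"\0", off, off + limit)               # never scan past `limit` bytes
    if end < 0:
        raise ValueError(f"unterminated string at RVA {rva:#x}")
    return img[off:end].decode("ascii")

def parse_imports(img, import_rva, max_desc=64, max_thunks=4096):
    """Walk IMAGE_IMPORT_DESCRIPTORs to the all-zero one -> {dll: [(iat_slot_rva, name)]}.
    Every RVA is checked against the file and both loops are capped, so a bad table raises."""
    result = {}
    for i in range(max_desc):
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from(
            "<5I", img, rva_to_offset(import_rva + 20 * i))
        if oft == 0 and name_rva == 0 and ft == 0:
            return result
        names, lookup = [], oft or ft    # loader uses FirstThunk when OriginalFirstThunk is 0
        for j in range(max_thunks):
            entry, = struct.unpack_from("<I", img, rva_to_offset(lookup + 4 * j))
            if entry == 0:
                break
            # IMAGE_ORDINAL_FLAG32 set -> import by ordinal; otherwise skip the 2-byte Hint
            name = f"#{entry & 0xFFFF}" if entry & 0x80000000 else read_cstr(img, entry + 2)
            names.append((ft + 4 * j, name))         # the IAT slot the code calls through
        else:
            raise ValueError("unterminated thunk array")
        result[read_cstr(img, name_rva)] = names
    raise ValueError("no terminating import descriptor")
```

    The IAT slot RVAs it returns (0x305C and 0x307A) plus the ImageBase 0x400000 are exactly the operands of the two `call dword [...]` instructions in the .code section.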
  13. Mikl___


    Win32 API. Lesson 11. More about dialog boxes

    Source code and exe file here
    Code (ASM):
    format PE GUI
    include 'win32ax.inc'
    MI_OPEN   equ  1
    MI_EXIT   equ  2
    MAXSIZE         equ 260
    OUTPUTSIZE      equ 512
    start:    xor ebx,ebx
              mov edi,wTitle
              mov esi,400000h
              ; +------------------------------+
              ; | registering the window class |
              ; +------------------------------+
              ; invoke pushes the arguments right to left, so the WNDCLASS fields end up
              ; on the stack in order and the first argument (esp) points at the structure
              invoke RegisterClass,esp,ebx,window_procedure,ebx,\
              ebx,esi,ebx,10011h,COLOR_WINDOW+1,30,edi
              ; +--------------------------+
              ; | creating the main window |
              ; +--------------------------+
              push ebx esi ebx ebx          ;lpParam, hInstance, hMenu, hWndParent
              shl esi,9                     ;400000h shl 9 = 80000000h = CW_USEDEFAULT
              invoke CreateWindowEx,WS_EX_CLIENTEDGE,edi,edi,WS_OVERLAPPEDWINDOW+WS_VISIBLE,\
              esi,esi,esi,esi
              mov ebp,esp                   ;the stack area left over is reused as the MSG structure
              ; +---------------------------+
              ; | entering the message loop |
              ; +---------------------------+
    message_loop: invoke GetMessage,ebp,ebx,ebx,ebx
              invoke DispatchMessage,ebp
              jmp message_loop
              ; +----------------------+
              ; | the window procedure |
              ; +----------------------+
    proc window_procedure hWnd, uMsg, wParam, lParam
                   xor ebx,ebx
                   mov eax,[uMsg]
                   lea esi,[dlgOpenOfn]
                   dec eax                      ;cmp  [uMsg],WM_CREATE
                   je .wmCREATE
                   dec eax                      ;cmp  [uMsg],WM_DESTROY
                   je .wmDESTROY
                   sub eax,WM_COMMAND-WM_DESTROY;cmp  [uMsg],WM_COMMAND
                   je .wmCOMMAND
                   leave
                   jmp [DefWindowProc]
    .wmCREATE:     mov  dword [esi+OPENFILENAME.lpstrFile],dlgOpenBuffer
                   jmp  .wmBYE
    .wmCOMMAND:    mov ecx,OUTPUTSIZE/4
                   mov edi,strMsg
                   rep stosd                    ;eax is zero here: invoke RtlZeroMemory,strMsg,OUTPUTSIZE
                   mov eax,[wParam]
                   dec ax                       ;cmp ax,MI_OPEN (=1)
                   jnz .0
                   invoke GetOpenFileName,esi
                   or eax,eax
                   jz .wmBYE                    ;dialog cancelled or failed
                   mov ecx,OUTPUTSIZE
                   lea edi,[strMsg]
                   mov esi,FullPathName
                   call StringOut1
                   mov esi,[dlgOpenOfn.lpstrFile]
                   call StringOut1
                   mov esi,FullName
                   call StringOut1
                   movzx esi,[dlgOpenOfn.nFileOffset]    ;offset of the file name within lpstrFile
                   add esi,[dlgOpenOfn.lpstrFile]
                   call StringOut1
                   mov esi,ExtensionName
                   call StringOut1
                   movzx esi,[dlgOpenOfn.nFileExtension] ;offset of the extension within lpstrFile
                   add esi,[dlgOpenOfn.lpstrFile]
                   call StringOut1
                   invoke MessageBox,[hWnd],strMsg,wTitle,ebx
                   jmp .wmBYE
    .0:            invoke DestroyWindow,[hWnd]
    .wmBYE:        ret
    .wmDESTROY:    invoke  ExitProcess,ebx
    endp
    ;append the string at esi (without its terminator) to edi; ecx = room left in the buffer
    proc StringOut1
    @@:     movsb
            cmp byte [esi],0
            loopnz @b
            retn
    endp
    ;---------------------------------------------
         wTitle         db   'Iczelion Tutorial #11: More about Dialog Box',0
         dlgOpenTitle   db   'Open File',0
         dlgOpenOfn     OPENFILENAME sizeof.OPENFILENAME,0,400000h,dlgOpenFilter,\
                            0,0,0,0,MAXSIZE,0,0,0,0,OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST \
                                            or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY,0,0,0,0,0
         dlgOpenFilter  db   'All Files (*.*)',0,'*.*',0
                        db   'Text Files (*.txt)',0,'*.txt',0,0
         FullPathName   db   'The Full Filename with Path is : ',0
         FullName       db   10,'The Filename is : ',0
         ExtensionName  db   10,'The Extension is : ',0
         strMsgSize     equ  512
         strMsg:        times strMsgSize db 0
         dlgOpenBuffer  rb   MAXSIZE       ;receives the selected path; lpstrFile is set once in WM_CREATE,
                                           ;so the buffer must be static, not a local on the window procedure's stack
    data import
         library   KERNEL32, 'KERNEL32.DLL',\
                   USER32,   'USER32.DLL',\
                   COMDLG32, 'COMDLG32.DLL'
         import    KERNEL32,\
                   ExitProcess,        'ExitProcess'
         import    USER32,\
                   RegisterClass,      'RegisterClassA',\
                   CreateWindowEx,     'CreateWindowExA',\
                   DefWindowProc,      'DefWindowProcA',\
                   MessageBox,         'MessageBoxA',\
                   GetMessage,         'GetMessageA',\
                   DestroyWindow,      'DestroyWindow',\
                   DispatchMessage,    'DispatchMessageA'
         import    COMDLG32,\
                   GetOpenFileName,    'GetOpenFileNameA'
    end data
    section '.rsrc' resource data readable
         directory RT_MENU,appMenu
         resource  appMenu,\
                   30,LANG_NEUTRAL,menuMain
         menu menuMain
              menuitem  '&File',0,MFR_POPUP + MFR_END
              menuitem       'Op&en',MI_OPEN,0
                             menuseparator
              menuitem       'E&xit',MI_EXIT,MFR_END
    Result: (screenshot, attached as 11.png)

    Attachments:

    • 11.png
      File size:
      45.9 KB
    • tut_11.zip
      File size:
      2.5 KB
    Last edited: 17 Dec 2016