Smallest PE question...

[jdoe]

Hi,

First, is the code below, the good way to write the smallest PE ?

Code Select Expand



.386

.MODEL FLAT, STDCALL

OPTION CASEMAP:NONE

.CODE

start:

               RET

END start





Second, looking at the compiled asm above in hex editor, I can see the DOS stub is 120 bytes long and IMAGE_NT_HEADERS start at offset 0xb8. But what can I do to make the a DOS stub of 64 bytes and make IMAGE_NT_HEADERS start at offset 0x80h.

Any hints or links are welcomed.


Compiling batch...

Code Select Expand


@ECHO OFF

SET PROJECT=DONOT
SET COMPILE=.\COMPILE

REM ##################################################################

ECHO.
ECHO Compiling %PROJECT% Project...

IF EXIST %COMPILE%\%PROJECT%.EXE DEL %COMPILE%\%PROJECT%.EXE

ML.EXE /c /coff /Fo %PROJECT%.OBJ %PROJECT%.ASM
IF ERRORLEVEL 1 GOTO LBL_ERROR

LINK.EXE /SUBSYSTEM:WINDOWS /OUT:%COMPILE%\%PROJECT%.EXE %PROJECT%.OBJ
IF ERRORLEVEL 1 GOTO LBL_ERROR

CALL :LBL_REMOVE
EXIT

REM ##################################################################

:LBL_ERROR
CALL :LBL_REMOVE
ECHO.
PAUSE
EXIT

:LBL_REMOVE
IF EXIST %PROJECT%.OBJ DEL %PROJECT%.OBJ


Thanks

[Tedd]

Code Select Expand

.386
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE

.CODE
start:
    push 0
    call ExitProcess
END start

RETurning from the process isn't advised; it may work in some cases, but you're supposed to ExitProcess.
However, calling an externel function (in kernel32.dll) means adding an import section to the PE file. You could do it by resolving the function address yourself, but this require use of LoadLibrary and GetProcAddress -- which are again functions in kernel32.dll so you'll be adding the import section anyway.
There are ways to resolve the address without external functions, but this requires yet more code, and isn't guaranteed to work the same on every version of windows.


There is a method to link your own DOS stub instead of the default one - a quick search should find it; I think it may even be on this board.

[QvasiModo]

You can skip the DOS stub altogether. Just put the 'MZ' signature at the beginning, and use a negative offset to point to the PE header (so the MZ and PE headers overlap). Of course then the app won't run on pure DOS, but I suppose that's not a problem :) besides, it's much better than no-imports programs which don't work correctly in all Windows versions.

[Vortex]

RETurning from the process isn't advised; it may work in some cases, but you're supposed to ExitProcess.

Tedd,

Jorgon says that there is no problem with the ret instruction to terminate an application.

http://www.old.masmforum.com/viewtopic.php?p=28159#28159

[QvasiModo]

I think terminating the application with a ret is the same as calling ExitThread (not ExitProcess). But being a single threaded application I guess it's all the same...

[jdoe]

I think terminating the application with a ret is the same as calling ExitThread (not ExitProcess). But being a single threaded application I guess it's all the same...

Doing test with a debugger, I end up with what QvasiModo said. ExitThread is called and there is no remaining thread or process open. So, for this basic PE, RET must be enough.

For the DOS stub, I can understand there is no easy way to do that with the MS linker.


Thanks for your replies guys