;makedata.asm
.586
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
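.data
hOutFile dd 0                 ; handle of the output file (CreateFile result)
BytesWritten dd 0             ; byte count reported back by WriteFile
.const
szCaption db 'Info',0
szContext db 'success',0
szFailed db 'could not write pe.exe',0   ; shown when CreateFile/WriteFile fails
szOutFileName db 'pe.exe',0   ; relative path: created in the current directory
.code
; pe.asm holds the raw image to emit (REMOTE_CODE_START..REMOTE_CODE_END).
; It must stay the first thing in .code: its "-401000h" arithmetic assumes
; REMOTE_CODE_START is the first byte of this generator's code section.
include pe.asm
; Entry point: CreateFile(pe.exe, CREATE_ALWAYS) -> WriteFile(image) -> report.
; Write-only access is all this program needs; CREATE_ALWAYS overwrites an
; existing pe.exe. Both API results are checked so that "success" is only
; shown when the complete image really reached the disk.
start:
invoke CreateFile,offset szOutFileName,GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
cmp eax,INVALID_HANDLE_VALUE
je failed                     ; could not create/truncate pe.exe
mov hOutFile,eax
invoke WriteFile,hOutFile,offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,addr BytesWritten,NULL
push eax                      ; keep WriteFile's BOOL across CloseHandle
invoke CloseHandle,hOutFile   ; release the handle instead of leaking it to exit
pop eax
test eax,eax
jz failed                     ; WriteFile returned FALSE
cmp BytesWritten,REMOTE_CODE_LENGTH
jne failed                    ; short write: pe.exe would be truncated
invoke MessageBox,0,offset szContext,offset szCaption,MB_OK
invoke ExitProcess,0
failed:
invoke MessageBox,0,offset szFailed,offset szCaption,MB_OK
invoke ExitProcess,1          ; non-zero exit code for batch/script callers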
end start
;pe.asm
; --- Generated image begins here. Every byte from REMOTE_CODE_START to
; REMOTE_CODE_END is written verbatim to pe.exe by makedata.asm. ---
REMOTE_CODE_START equ this BYTE
PE_HEADER_START equ this BYTE
; IMAGE_DOS_HEADER (64 bytes). Only e_magic and e_lfanew are used by the
; Win32 loader; all other fields are left zero here.
DOS_HEADER:
e_magic db 'MZ'
e_cblp dw 0
e_cp dw 0
e_crlc dw 0
e_cparhdr dw 0
e_minalloc dw 0
e_maxalloc dw 0
e_ss dw 0
e_sp dw 0
e_csum dw 0
e_ip dw 0
e_cs dw 0
e_lfarlc dw 0
e_ovno dw 0
e_res dw 4 dup(0)
e_oemid dw 0
e_oeminfo dw 0
e_res2 dw 10 dup(0)
; File offset of the "PE\0\0" signature. NT_HEADERS-401000h equals that
; offset only because this generator links with image base 400000h and
; pe.asm is the first thing in its code section (RVA 1000h), so
; label - 401000h == offset of that byte within the emitted image.
; NOTE(review): offset NT_HEADERS - offset PE_HEADER_START expresses the
; same value without the hard-coded base (the file already uses that idiom
; for PE_HEADER_LENGTH).
e_lfanew dd NT_HEADERS-401000h
; DOS stub: terminates immediately via INT 21h function 4Ch without printing
; anything. NOTE(review): e_cp/e_cblp/e_cparhdr are all 0, so it is doubtful
; real-mode DOS would even load and run this stub; the conventional stub
; prints "This program cannot be run in DOS mode".
Dos_Stub:
mov ah,4ch
int 21h
; IMAGE_NT_HEADERS32: signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32.
NT_HEADERS:
Signature dd 4550h            ; 'P','E',0,0
; IMAGE_FILE_HEADER
Machine dw 14ch               ; IMAGE_FILE_MACHINE_I386
NumberOfSections dw 2         ; SECTION_HEADER1 and SECTION_HEADER2
TimeDateStamp dd 0
PointerToSymbolTable dd 0
NumberOfSymbols dd 0
SizeOfOptionalHeader dw 0E0h  ; PE32: 60h fixed fields + 16 data directories * 8
Characteristics dw 010fh      ; RELOCS_STRIPPED|EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT_MACHINE
; IMAGE_OPTIONAL_HEADER32
Magic dw 10Bh                 ; PE32
MajorLinkerVersion db 0
MinorLinkerVersion db 0
SizeOfCode dd 200h            ; one FileAlignment unit of CODE
SizeOfInitializedData dd 0    ; NOTE(review): the IMPORT section is 200h of initialized data; strict tools may flag 0
SizeOfUninitializedData dd 0
AddressOfEntryPoint dd 1000h  ; RVA of CODE_START (first byte of the CODE section)
BaseOfCode dd 1000h
BaseOfData dd 0               ; NOTE(review): would normally be the IMPORT section RVA (2000h)
ImageBase dd 400000h          ; the absolute addresses in CODE_START assume this base (no relocations)
SectionAlignment dd 1000h
FileAlignment dd 200h         ; header and both sections are zero-padded to this
MajorOperSystemVersion dw 0
MinorOperSystemVersion dw 0
MajorImageVersion dw 0
MinorImageVersion dw 0
MajorSubsystemVersion dw 4
MinorSubsystemVersion dw 0
Win32VersionValue dd 0
SizeOfImage dd 3000h          ; headers + two SectionAlignment-sized sections
SizeOfHeaders dd 200h         ; DOS header .. section table, padded by ZeroSpace1
_CheckSum dd 0
SubSystem dw 2                ; IMAGE_SUBSYSTEM_WINDOWS_GUI
; NOTE(review): 0 opts out of every loader mitigation. With relocations
; stripped, DYNAMIC_BASE (ASLR) cannot be enabled, but NX_COMPAT (0100h) could.
DllCharacteristics dw 0
SizeOfStackReserve dd 100000h
SizeOfStackCommit dd 1000h
SizeOfHeapReserve dd 100000h
SizeOfHeapCommit dd 1000h
LoaderFlags dd 0
NumberOfRvaAndSizes dd 10h    ; 16 data directories follow
; Data directories: [0] export (empty), [1] import, [2..15] empty.
DirectoryData1 dq 0
; RVA of IID_1: label-401000h is the byte's offset in the emitted file,
; -400h makes it relative to the IMPORT section's file offset, +2000h
; rebases it to that section's RVA (VirtualAddress2). Evaluates to 2000h.
ImportTableAdress dd IMPORT_START-401000h-400h+2000h
ImportTableSize dd IMPORT_LENGTH
DirectoryData2 dq 14 dup(0)
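; IMAGE_SECTION_HEADER #1, "CODE": the 200h-byte file block starting at
; CODE_START, mapped at RVA 1000h (= AddressOfEntryPoint / BaseOfCode).
SECTION_HEADER1:
Name1 db 'CODE', 0, 0, 0,0    ; 8-byte name, zero padded
VirtualSize dd CODE_LENGTH    ; bytes actually used (code + strings)
VirtualAddress dd 1000h       ; RVA, multiple of SectionAlignment
SizeOfRawData dd 200h         ; one FileAlignment unit (ZeroSpace2 pads to it)
; File offset of the section = distance of CODE_START from the first byte
; of the emitted image. Replaces CODE_START-401000h, which was only right
; while this generator linked at image base 400000h with pe.asm first in .code.
PointerToRawData dd offset CODE_START - offset REMOTE_CODE_START
PointerToRelocations dd 0
PointerToLinenumbers dd 0
NumberOfRelocations dw 0
NumberOfLinenumbers dw 0
; IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ.
; Was 0E0000020h, which also set IMAGE_SCN_MEM_WRITE: nothing between
; CODE_START and CODE_END stores into the section, so WRITE is dropped and
; the mapping stays W^X (writable+executable sections are a common AV/DEP
; red flag).
_Characteristics dd 60000020h
; IMAGE_SECTION_HEADER #2, "IMPORT": import descriptors, thunk arrays and
; name strings (IMPORT_START..IMPORT_END), mapped at RVA 2000h.
SECTION_HEADER2:
Name2 db 'IMPORT', 0, 0
VirtualSize2 dd IMPORT_LENGTH
VirtualAddress2 dd 2000h
SizeOfRawData2 dd 200h
PointerToRawData2 dd offset IMPORT_START - offset REMOTE_CODE_START
PointerToRelocations2 dd 0
PointerToLinenumbers2 dd 0
NumberOfRelocations2 dw 0
NumberOfLinenumbers2 dw 0
; IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE.
; Was 0E0000020h (code, RWX). This section holds data, not code: the loader
; writes the resolved addresses into the IAT, so it stays writable, but it
; never needs to be executable.
_Characteristics2 dd 0C0000040h
PE_HEADER_END equ this BYTE
PE_HEADER_LENGTH equ offset PE_HEADER_END - offset PE_HEADER_START
; Pad the headers to SizeOfHeaders/FileAlignment (200h); assembly fails with
; a negative repeat count if the headers ever outgrow that.
ZeroSpace1 db 200h-PE_HEADER_LENGTH dup(0)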
; --- CODE section body (RVA 1000h in pe.exe). This is the generated
; program's entry point: MessageBoxA(0, szContextR, szCpationR, MB_OK),
; then ExitProcess(0), calling through IAT slots the loader fills in. ---
CODE_START equ this BYTE
; Absolute VAs of the strings as they will appear in pe.exe. In this
; generator CODE_START sits 200h bytes past 401000h (right after the padded
; header); pe.exe maps the same bytes at ImageBase+1000h = 401000h, so the
; addresses are 200h lower there.
lea eax, [szContextR-200h]
lea ebx,[szCpationR-200h]
push MB_OK                    ; uType
push ebx                      ; lpCaption
push eax                      ; lpText
push 0                        ; hWnd = NULL
; Indirect call through IAT_1 (MessageBoxA). IAT_1 sits 400h bytes into the
; emitted file (401400h+d here); pe.exe maps that section at 402000h, so the
; slot's VA is label-1000h-400h+2000h.
call DWORD ptr [IAT_1-1000h-400h+2000h]
push 0                        ; uExitCode = 0
call DWORD ptr [IAT_2-1000h-400h+2000h]   ; ExitProcess; does not return
; String data kept inside the code section. It is only read, never executed
; or written, so the section does not need to be writable.
szContextR db 'Congratulations! You make it!',0dh,0ah
db ' By:moonife',0
szCpationR db 'OK',0
CODE_END equ this BYTE
CODE_LENGTH equ offset CODE_END - offset CODE_START
; Pad the section to FileAlignment (200h). Assembly fails (negative dup
; count) if the code ever grows past that.
ZeroSpace2 db 200h-CODE_LENGTH dup(0)
; --- IMPORT section body (RVA 2000h in pe.exe). Every RVA below is
; label-401000h (offset in the emitted file) -400h (this section's file
; offset) +2000h (this section's RVA). ---
IMPORT_START equ this BYTE
; IMAGE_IMPORT_DESCRIPTOR for user32.dll
IID_1:
OriginalFirstThunk dd IAT_1-401000h-400h+2000h   ; INT (name table) - same array as FirstThunk, see note at IAT_1
TimeDateStemp dd 0
ForwarderChain dd 0
DllName dd DllName1-401000h-400h+2000h           ; RVA of 'user32.dll'
FirstThunk dd IAT_1-401000h-400h+2000h           ; IAT: the loader overwrites the entry with the function address
; IMAGE_IMPORT_DESCRIPTOR for kernel32.dll
IID_2:
OriginalFirstThunk2 dd IAT_2-401000h-400h+2000h
TimeDateStemp2 dd 0
ForwarderChain2 dd 0
DllName2 dd _DllName2-401000h-400h+2000h         ; RVA of 'kernel32.dll'
FirstThunk2 dd IAT_2-401000h-400h+2000h
IID_END:
IIDEND dd 5 dup(0)            ; all-zero descriptor (20 bytes) terminates the import directory
; Thunk arrays: one IMAGE_THUNK_DATA (RVA of the IMAGE_IMPORT_BY_NAME entry)
; plus a zero terminator each. OriginalFirstThunk and FirstThunk point at the
; same array, so the name RVA is lost once the loader writes the resolved
; address over it; that works for an unbound import, but NOTE(review): some
; PE tools expect a separate INT and may choke on the shared table.
IAT_1:
AddressOfData1 dd IIBN_1-401000h-400h+2000h
AddressOfDataEnd1 dd 0
IAT_2:
AddressOfData2 dd IIBN_2-401000h-400h+2000h
AddressOfDataEnd2 dd 0
; IMAGE_IMPORT_BY_NAME entries (hint word + ASCIIZ name), each followed by
; the DLL name string it is imported from.
IIBN_1:
Hint1 dw 0
Nama1 db 'MessageBoxA',0
DllName1 db 'user32.dll',0,0
IIBN_2:
Hint2 dw 0
Nama2 db 'ExitProcess',0
_DllName2 db 'kernel32.dll',0,0
IMPORT_END equ this BYTE
IMPORT_LENGTH equ offset IMPORT_END - offset IMPORT_START
ZeroSpace3 db 200h- IMPORT_LENGTH dup(0)   ; pad the section to FileAlignment (200h)
; End of the generated image; REMOTE_CODE_LENGTH is what makedata.asm writes out.
REMOTE_CODE_END equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END-offset REMOTE_CODE_START
C:\china>\masm32\bin\ml /c /coff /I\masm32\include makedata.asm
Microsoft (R) Macro Assembler Version 6.14.8444
Copyright (C) Microsoft Corp 1981-1997. All rights reserved.
Assembling: makedata.asm
C:\china>\masm32\bin\link /subsystem:windows /libpath:\masm32\lib makedata.obj
Microsoft (R) Incremental Linker Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
C:\china>start makedata.exe
C:\china>start pe.exe
because now china is in Anti enemy the french. so Chinese people are very busy :wink
UtillMasm,
While I appreciate your efforts to study the PE specification, would you like please to stay away from politics here? This is The Campus subforum, a technical area where you should focus your attention on assembly programming.
ok, i'm sorry.
it's a bad joke. even it's true.
:wink
I really don't get what's between PE specs and China :red
Note that the executable created does not adhere to the PE specifications exactly. While it may run on some operating systems, tools such as FileAlyzer (http://www.safer-networking.org/en/filealyzer/index.html) crash when inspecting the file, and some anti-virus scanners (https://www.virustotal.com/analisis/61d1f3d6353f1d579be1da562c6e60f2) report the file as suspicious.
It definitely needs work, but it is a good start. Study the docs and try again.
Paul
Hi UtillMasm,
Create PE from scratch (http://board.flatassembler.net/topic.php?t=1309)
Quote
Dos_Stub:
mov ah,4ch
int 21h
Can that part be modified? This is interesting.
of course it can be modified
that portion only executes in DOS mode, however
normally, it displays the message, "This program cannot be run in DOS mode"
4ch is the instruction used to execute a program and as you have already been told it is used in DOS mode. There are many ways to achieve the same results via the API if you are in Windows mode. Also, if you are working in DOS mode, the value contained in AL determines whether you wish to load or load and execute a program or load and execute an overlay. Other preparations are necessary, also, such as setting the values in the PSP. This is all from memory and I may not have stated it very well. Michael is the one to answer specific questions and do it better than I can.
hth,
Paul
Hello,
Actually DOS int 21H function 4BH is the load and execute function you
described. Function 4CH is program exit, so this program will simply return
to the command prompt if is run in real mode DOS. As dedndave says,
there is usually a bit more to a DOS stub.
Regards,
Steve N.
Yeah, well I was braindead when I wrote that, I guess. :bg
It's hard to remember them when they are not a part of my normal programming any longer. Thank you for the correction.
Paul
UtilMasm,
You should create a DOS stub displaying the message :
Quote: This program cannot be run in DOS mode
Your current stub exits silently, which does not give any information to the user.