learn pe, just for fun from the biggest china

[UtillMasm]

;makedata.asm
.586
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
.data
hOutFile dd 0
BytesWritten dd 0
.const
szCaption db 'Info',0
szContext db 'success',0
szOutFileName  db 'pe.exe',0
.code
include pe.asm
start:invoke CreateFile,offset szOutFileName,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
mov hOutFile,eax
invoke WriteFile,hOutFile,offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,addr BytesWritten,NULL
invoke MessageBox,0,offset szContext,offset szCaption,MB_OK
invoke ExitProcess,0
end start

;pe.asm
REMOTE_CODE_START equ this BYTE
PE_HEADER_START equ this BYTE
DOS_HEADER:
e_magic db 'MZ'
e_cblp dw 0
e_cp dw 0
e_crlc dw 0
e_cparhdr dw 0
e_minalloc dw 0
e_maxalloc dw 0
e_ss dw 0
e_sp dw 0
e_csum dw 0
e_ip dw 0
e_cs dw 0
e_lfarlc dw 0
e_ovno dw 0
e_res dw 4 dup(0)
e_oemid dw 0
e_oeminfo dw 0
e_res2 dw 10 dup(0)
e_lfanew dd NT_HEADERS-401000h
Dos_Stub:
mov ah,4ch
int 21h
NT_HEADERS:
Signature dd 4550h
Machine dw 14ch
NumberOfSections dw 2
TimeDateStamp dd 0
PointerToSymbolTable dd 0
NumberOfSymbols dd 0
SizeOfOptionalHeader dw 0E0h
Characteristics dw 010fh
Magic dw 10Bh
MajorLinkerVersion db 0
MinorLinkerVersion db 0
SizeOfCode dd 200h
SizeOfInitializedData dd 0
SizeOfUninitializedData dd 0
AddressOfEntryPoint dd 1000h
BaseOfCode dd 1000h
BaseOfData  dd 0   
ImageBase dd 400000h
SectionAlignment dd 1000h 
FileAlignment dd 200h 
MajorOperSystemVersion dw  0   
MinorOperSystemVersion dw  0   
MajorImageVersion  dw  0   
MinorImageVersion  dw  0   
MajorSubsystemVersion  dw  4
MinorSubsystemVersion  dw  0
Win32VersionValue dd 0   
SizeOfImage dd 3000h     
SizeOfHeaders dd 200h 
_CheckSum dd 0
SubSystem    dw  2
DllCharacteristics  dw  0
SizeOfStackReserve dd 100000h   
SizeOfStackCommit dd 1000h
SizeOfHeapReserve dd 100000h
SizeOfHeapCommit dd 1000h
LoaderFlags dd 0
NumberOfRvaAndSizes dd 10h
DirectoryData1 dq 0
ImportTableAdress dd  IMPORT_START-401000h-400h+2000h
ImportTableSize dd IMPORT_LENGTH
DirectoryData2 dq 14 dup(0)     
SECTION_HEADER1:
Name1 db  'CODE', 0, 0, 0,0   
VirtualSize dd CODE_LENGTH
VirtualAddress dd 1000h
SizeOfRawData dd 200h
PointerToRawData dd CODE_START-401000h   
PointerToRelocations  dd  0
PointerToLinenumbers  dd  0
NumberOfRelocations    dw   0
NumberOfLinenumbers    dw   0
_Characteristics dd   0E0000020h
SECTION_HEADER2:
Name2 db  'IMPORT', 0, 0     
VirtualSize2 dd IMPORT_LENGTH     
VirtualAddress2 dd 2000h
SizeOfRawData2 dd 200h
PointerToRawData2 dd IMPORT_START-401000h   
PointerToRelocations2  dd  0
PointerToLinenumbers2  dd  0
NumberOfRelocations2    dw   0
NumberOfLinenumbers2    dw   0
_Characteristics2 dd   0E0000020h
PE_HEADER_END equ this BYTE
PE_HEADER_LENGTH equ offset PE_HEADER_END - offset PE_HEADER_START
ZeroSpace1 db 200h-PE_HEADER_LENGTH dup(0)     
CODE_START equ this BYTE
lea eax, [szContextR-200h]   
lea ebx,[szCpationR-200h]
push MB_OK
push  ebx
      push eax
      push 0
      call DWORD ptr [IAT_1-1000h-400h+2000h]   
      push 0
      call DWORD ptr  [IAT_2-1000h-400h+2000h]
       szContextR db 'Congratulations! You make it!',0dh,0ah
       db '      By:moonife',0
       szCpationR db 'OK',0
CODE_END  equ this BYTE
CODE_LENGTH  equ  offset CODE_END - offset  CODE_START
ZeroSpace2 db 200h-CODE_LENGTH  dup(0) 
IMPORT_START equ this BYTE
IID_1:
OriginalFirstThunk  dd IAT_1-401000h-400h+2000h
TimeDateStemp  dd 0
ForwarderChain dd 0
DllName dd DllName1-401000h-400h+2000h
FirstThunk dd  IAT_1-401000h-400h+2000h
IID_2:
OriginalFirstThunk2  dd IAT_2-401000h-400h+2000h
TimeDateStemp2  dd 0
ForwarderChain2 dd 0
DllName2 dd _DllName2-401000h-400h+2000h
FirstThunk2 dd  IAT_2-401000h-400h+2000h
IID_END:
IIDEND  dd 5 dup(0)
IAT_1:
AddressOfData1 dd IIBN_1-401000h-400h+2000h
AddressOfDataEnd1 dd 0
IAT_2:
AddressOfData2 dd IIBN_2-401000h-400h+2000h
AddressOfDataEnd2 dd 0
IIBN_1:
Hint1  dw  0
Nama1  db  'MessageBoxA',0
DllName1 db  'user32.dll',0,0
IIBN_2:
Hint2  dw  0
Nama2  db  'ExitProcess',0
_DllName2 db 'kernel32.dll',0,0
IMPORT_END  equ  this BYTE
IMPORT_LENGTH equ offset IMPORT_END - offset IMPORT_START
ZeroSpace3 db 200h- IMPORT_LENGTH dup(0)
REMOTE_CODE_END equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END-offset REMOTE_CODE_START

[UtillMasm]

C:\china>\masm32\bin\ml /c /coff /I\masm32\include makedata.asm
Microsoft (R) Macro Assembler Version 6.14.8444
Copyright (C) Microsoft Corp 1981-1997.  All rights reserved.

Assembling: makedata.asm

C:\china>\masm32\bin\link /subsystem:windows /libpath:\masm32\lib makedata.obj

Microsoft (R) Incremental Linker Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.


C:\china>start makedata.exe
C:\china>start pe.exe

because now china is in Anti enemy the french. so chinese peaple is very busy :wink

[Vortex]

UtillMasm,

While I appreciate your efforts to study the PE specification, would you like please to stay away from politics here? This is The Campus subforum, a technical area where you should focus your attention on assembly programming.

[UtillMasm]

ok, i'm sorry.
it's a bad joke. even it's true.

:wink

[mitchi]

I really don't get what's between PE specs and China  :red

[Mark Jones]

Note that the executable created does not adhere to the PE specifications exactly. While it may run on some operating systems, tools such as FileAlyzer crash when inspecting the file, and some anti-virus scanners report the file as suspicious.

[PBrennick]

It definitely needs work, but it is a good start. Study the docs and try again.

Paul

[Vortex]

Hi UtillMasm,

Create PE from scratch

[Farabi]

Dos_Stub:
mov ah,4ch
int 21h

Can that part modified? This is interesting.

[dedndave]

of course it can be modified
that portion only executes in DOS mode, however
normally, it displays the message, "This program cannot be run in DOS mode"

[PBrennick]

4ch is the instruction used to execute a program and as you have already been told it is used in DOS mode. There are many ways to achieve the same results via the API if you are in Windows mode. Also, if you are working in DOS mode, the value contained in AL determines whether you wish to load or load and execute a program or load and execute an overlay. Other preparations are necessary, also, such as setting the values in the PSP. This is all from memory and I may not have stated it very well. Michael is the one to answer specific questions and do it better than I can.

hth,
Paul

[FORTRANS]

Hello,

   Actually DOS int 21H function 4BH is the load and execute function you
described.  Function 4CH is program exit, so this program will simply return
to the command prompt if is run in real mode DOS.  As dedndave says,
there is usually a bit more to a DOS stub.

Regards,

Steve N.

[PBrennick]

Yeah, well I was braindead when I wrote that, I guess.  :bg

It's hard to remember them when they are not a part of my normal programming any longer. Thank you for the correction.

Paul

[Vortex]

UtilMasm,

You should create a DOS stub displaying the message :

This program cannot be run in DOS mode

Your current stub exists silently which does not give any information to the user.