Looking for the smallest possible .EXE

Started by aw27, October 06, 2017, 05:20:57 AM


aw27

Fails in Vista 64-bit with:
Problem signature:
  Problem Event Name:   APPCRASH
  Application Name:   Small_PE32.exe
  Application Version:   0.0.0.0
  Application Timestamp:   00000000
  Fault Module Name:   ntdll.dll
  Fault Module Version:   6.0.6002.19594
  Fault Module Timestamp:   56ac2982
  Exception Code:   c0000005
  Exception Offset:   000355d6
  OS Version:   6.0.6002.2.2.0.256.1
  Locale ID:   1033
  Additional Information 1:   e51a
  Additional Information 2:   4c0d4d78887f76d971d5d00f1f20a433
  Additional Information 3:   e51a
  Additional Information 4:   4c0d4d78887f76d971d5d00f1f20a433


Fails in XP 64-bit with 0xC0000005

I did not test with others because that has been done already.

sinsi

Windows 7 32/64 OK
Windows 10 64 OK

As per aw27, Vista 32/64 and XP64 error C0000005, but - Vista 32/64 print the correct figure 55, XP (and 2000, FWIW) print 128

hutch--

This is what I can get with Pelle's linker, alignment at 16 bytes, merge data with text and bare minimum code to make a MessageBox run, 768 bytes.

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm32\include64\masm64rt.inc

    .code

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

entry_point proc

    xor rcx, rcx
    mov r9, rcx
    lea r8, titl
    lea rdx, text
    call MessageBox

    xor rcx, rcx
    call ExitProcess

entry_point endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    text db "How D",0
    titl db "Title",0

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end


The batch file.


@echo off

set appname=HowD

if exist %appname%.obj del %appname%.obj
if exist %appname%.exe del %appname%.exe

\masm32\bin64\ml64.exe /c %appname%.asm

\masm32\bin64\polink.exe /SUBSYSTEM:WINDOWS /MERGE:.data=.text /MACHINE:X64 /ALIGN:16 /ENTRY:entry_point /nologo /LARGEADDRESSAWARE %appname%.obj

dir %appname%.*

pause


Build your own stub file and you save an extra 64 bytes. 704 bytes and I think it's still a legal 64 bit PE.


00000000 :4D 5A 90 00 03 00 00 00 - 04 00 00 00 FF FF 00 00
00000010 :B8 00 00 00 00 00 00 00 - 40 00 00 00 00 00 00 00
00000020 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000030 :00 00 00 00 00 00 00 00 - 00 00 00 00 40 00 00 00

Siekmanski

Thanks guys,

I have to learn a lot more about this topic.
I'll have to study how other exe packers handle the PE collapsing and if they run on all windows versions.
It's interesting but worthless if it doesn't run on all machines.
Creative coders use backward thinking techniques as a strategy.

Siekmanski

A last request, to test this one.

To be sure, code alignment and file size makes a difference?
Code starts now at offset 128 and the file is padded with zeros to 1024 bytes.
Creative coders use backward thinking techniques as a strategy.

jj2007

The application failed to initialise properly, code C000005. On XP, that is - everything OK on 7-64.

hutch--

Mrinus,

2nd version on win10 64 professional.



Executing Small_PE32.exe

Result is: 55

Press any key to continue . . .

Mikl__

Tiny MessageBox x64 in FASM. Size of exe-file x64 is 298 bytes.

format binary as 'exe'
include 'win64a.inc'

struc dbs [data]
{
  common
  . db data
  .size = $ - .
}

IMAGE_DOS_SIGNATURE equ 5A4Dh
IMAGE_NT_SIGNATURE equ 00004550h
PROCESSOR_AMD_X8664 equ 8664h
IMAGE_SCN_CNT_CODE equ 00000020h
IMAGE_SCN_MEM_WRITE equ 80000000h
IMAGE_SCN_MEM_READ equ 40000000h
IMAGE_SCN_CNT_INITIALIZED_DATA equ 00000040h
IMAGE_SUBSYSTEM_WINDOWS_GUI equ 2
IMAGE_NT_OPTIONAL_HDR64_MAGIC equ 20Bh
IMAGE_FILE_RELOCS_STRIPPED equ 1
IMAGE_FILE_EXECUTABLE_IMAGE equ 2
IMAGE_BASE equ 0x400000
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE equ 8000h
use64
org 0
;--------DOS-stub-------------------------------
Signature dw IMAGE_DOS_SIGNATURE,0
;-------PE-header--------------------------------------------------
ntHeader dd IMAGE_NT_SIGNATURE;'PE'
;image_header----
Machine dw PROCESSOR_AMD_X8664;CPU Type
Count_of_section dw 0;Number of sections
TimeStump dd 0;Information about the time when the PE-file was compiled
Symbol_table_offset dd 0;A pointer to the size of debug information
Symbol_table_count dd 0;A pointer to the COFF symbol table-PE-format
Size_of_optional_header dw begin-optional_header;The size of optional header
Characteristics dw IMAGE_FILE_RELOCS_STRIPPED or \
IMAGE_FILE_EXECUTABLE_IMAGE;file attributes
;-------Standard field NT
optional_header:
Magic_optional_header dw IMAGE_NT_OPTIONAL_HDR64_MAGIC;Status Display File
Linker_version_major_and_minor dw 9;Contain the linker version that created the file.
Size_of_code dd 0;The total size of the code sections
Size_of_init_data dd 0x70;The total size of initialized data
Size_of_uninit_data dd 0;The total size of the uninitialized data
entry_point dd start
base_of_code dd begin
;------Additional fields NT-----------------------------------------------
image_base dq IMAGE_BASE
section_alignment dd 4
file_alignment dd ntHeader
OS_version_major_minor dw 5,2
image_version_major_minor dd 0
subsystem_version_major_minor dw 5,2
Win32_version dd 0
size_of_image dd end_import
size_of_header dd begin
checksum dd 0
subsystem dw IMAGE_SUBSYSTEM_WINDOWS_GUI
DLL_flag dw IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
Stack_allocation dq 0x100000
Stack_commit dq 0x1000
Heap_allocation dq 0x100000
Heap_commit dq 0x1000
loader_flag dd 0
number_of_dirs dd (begin-export_RVA_size)/8
export_RVA_size dq 0
import_RVA_size dd _import,end_import-import
;--------code and data-----------------------------------------
begin:
MsgBoxText dbs 'Win64 Assembly is Great!',0
MsgCaption db "Win64 Iczelion's lesson #2: MessageBox",0
start:
push rbp; <-- not sub rsp,28h
xor ecx,ecx
mov edx,MsgBoxText+IMAGE_BASE
lea r8d,[rdx+MsgBoxText.size]; <-- not mov r8d,offset MsgCaption
xor r9d,r9d; MB_OK
call [MessageBox]
pop rbp
retn
;---------import---------------------------------------
Import_Table:
user32_table:
MessageBox  dq _MessageBox
_import:
dd 0,0,0,user32_dll,user32_table,0
user32_dll db "user32",0,0 ;<-- not "user32.dll"
dw 0
_MessageBox db 0,0,"MessageBoxA"
end_import:
Creator of tiny exe for Win32. Size of exe-file x86 is 97 bytes.

.686P
.model flat
include windows.inc
includelib user32.lib
includelib kernel32.lib
extern _imp__MessageBoxA@16:dword
extern _imp__WriteFile@20:dword
extern _imp__CreateFileA@28:dword
extern _imp__CloseHandle@4:dword
extern _imp__LoadLibraryA@4:dword
.code
start:  xor ebx,ebx
        push MB_ICONINFORMATION OR MB_SYSTEMMODAL;1040h
        push offset szInfoCap
        push offset namefile
        push ebx
    call _imp__MessageBoxA@16
    mov eax,_imp__LoadLibraryA@4
    sub eax,offset _LoadLibraryA-buffer+ImageBase+size _LoadLibraryA;400023h
    mov _LoadLibraryA,eax
    mov eax,_imp__MessageBoxA@16
    sub eax,offset _MessageBoxA-buffer+ImageBase+size _MessageBoxA;400035h
    mov _MessageBoxA,eax
    push ebx    ;NULL   
    push FILE_ATTRIBUTE_ARCHIVE
    push CREATE_ALWAYS
    push ebx
    push FILE_SHARE_READ or FILE_SHARE_WRITE
    push GENERIC_READ or GENERIC_WRITE
    push offset namefile
    call _imp__CreateFileA@28
    push eax    ;hFile for CloseHandle
    push ebx        ;lpOverlapped
        push offset SizeReadWrite   ;lpNumberOfBytesToWrite
    push sizeof_image;a4-buffer ;nNumberOfBytesToWrite=97
    push offset buffer  ;lpBuffer
    push eax    ;hFile for WriteFile
    call _imp__WriteFile@20
    call _imp__CloseHandle@4
QUIT:   retn
ImageBase equ 400000h
buffer  dd 'ZM','EP'
    dw 14Ch ;Machine (Intel 386)
    dw 0    ;NumberOfSection
EntryPoint: xor ebx,ebx ; ebx = 0
    mov edi,offset namedll-buffer+ImageBase
    push edi        ;push offset user32
    jmp short @f
    db 0,0  ;       UNUSED
    dw a4-optheader ;SizeOfOptionalHeader
    dw 103h ;Characteristics (no relocations, executable, 32 bit)
optheader:
    dw 10Bh ;Magic PE32
@@:
    db 0E8h         ;call LoadLibraryA
_LoadLibraryA dd 0
    push ebx        ;push 0
    push edi        ;push offset user32
    push edi        ;push offset user32
    push ebx        ;push 0
    jmp short @f
    db 0,0,0
    dd EntryPoint-buffer
@@:
    db 0E8h         ;call MessageBoxA
_MessageBoxA dd 0
    retn
    dw 0    ;           UNUSED
    dd ImageBase    ;ImageBase
    dd 4    ;SectionAligment
    dd 4    ;FileAligment
namedll db 'user32',0,0 ;       UNUSED
    dd 4    ;MinorSubsystemVersion  UNUSED
    dd 0    ;Win32VersionValue  UNUSED
    dd 68h  ;SizeOfimage
    dd sizeof_image;64h ;SizeOfHeader
    dd 0    ;CheckSum       UNUSED
    db 2    ;Subsystem (Win32 GUI)
a4:
;---------------------------------------------------------------------------
sizeof_image=$-buffer
szInfoCap db "Creator tiny MessageBox",0
namefile db 'tiny97.exe',0
SizeReadWrite dd 0
end start
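The two collapsed layouts above (and the 64-byte stub hutch posted earlier) are easier to reason about with a parser that locates the headers the way the loader does, through e_lfanew at offset 0x3C. The following Python script is an added example and not code from this thread or from either author: it builds a constructed byte string with the same header offsets as the 298-byte FASM listing (int3 filler stands in for the real code bytes, so it is not a runnable executable), parses the COFF and optional headers, flags the properties that distinguish such files from ordinary compiler output, and walks the import directory. The RVA-equals-file-offset shortcut in list_imports is only valid because the sample has no sections and a SectionAlignment below a page; all function names and the sample constants are my own.

```python
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550
IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC = 0x8664, 0x20B
# Offsets of the constructed sample; they follow the labels of the FASM listing.
HDR_END, ENTRY_RVA, IAT_RVA = 156, 220, 243                  # begin:, start:, user32_table
IMPORT_RVA, DLLNAME_RVA, HINTNAME_RVA, FILE_SIZE = 251, 275, 285, 298


def build_collapsed_pe64_sample():
    """Constructed sample reproducing the 298-byte header layout; the code bytes are int3
    filler, so it exists for parsing only and is not an executable."""
    b = bytearray()
    b += struct.pack('<HH', IMAGE_DOS_SIGNATURE, 0)          # 0x00 'MZ'; no further DOS fields
    b += struct.pack('<I', IMAGE_NT_SIGNATURE)               # 0x04 'PE\0\0' inside the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections=0, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0x80 instead of the usual 0xF0), Characteristics
    b += struct.pack('<HHIIIHH', IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, HDR_END - 28, 0x0003)
    b += struct.pack('<HBBIIIII', PE32PLUS_MAGIC, 9, 0, 0, 0x70, 0, ENTRY_RVA, HDR_END)  # Magic..BaseOfCode
    # ImageBase, SectionAlignment, FileAlignment; SectionAlignment lands on file offset 0x3C,
    # so its value 4 doubles as e_lfanew.
    b += struct.pack('<QII', 0x400000, 4, 4)
    b += struct.pack('<HHHHHHI', 5, 2, 0, 0, 5, 2, 0)         # OS/image/subsystem versions, Win32VersionValue
    b += struct.pack('<IIIHH', FILE_SIZE, HDR_END, 0, 2, 0x8000)  # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllChars
    b += struct.pack('<QQQQII', 0x100000, 0x1000, 0x100000, 0x1000, 0, 2)  # stack/heap, LoaderFlags, NumberOfRvaAndSizes=2
    b += struct.pack('<IIII', 0, 0, IMPORT_RVA, FILE_SIZE - IMPORT_RVA)    # export dir (empty), import dir
    b += b"Win64 Assembly is Great!\0" + b"Win64 Iczelion's lesson #2: MessageBox\0"
    b += b'\xCC' * (IAT_RVA - ENTRY_RVA)                     # filler standing in for the 23 code bytes
    b += struct.pack('<Q', HINTNAME_RVA)                     # IAT: single thunk -> hint/name entry
    b += struct.pack('<IIIIII', 0, 0, 0, DLLNAME_RVA, IAT_RVA, 0)  # import descriptor + start of terminator
    b += b'user32\0\0\0\0'                                   # "user32" without ".dll"; zeros give the next descriptor Name=0
    b += b'\0\0MessageBoxA'                                  # hint 0, name runs to end of file unterminated
    assert len(b) == FILE_SIZE
    return bytes(b)


def cstr(blob, off):
    """C string at off; tolerates a missing terminator at end of file."""
    end = blob.find(b'\0', off)
    return blob[off:(end if end >= 0 else len(blob))].decode('ascii', 'replace')


def parse_pe_headers(blob):
    """Read the COFF and optional headers by following e_lfanew, as the loader does."""
    if len(blob) < 0x40 or struct.unpack_from('<H', blob, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or struct.unpack_from('<I', blob, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('e_lfanew does not point at a PE signature')
    fh = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from('<HHIIIHH', blob, fh)
    oh = fh + 20
    is64 = struct.unpack_from('<H', blob, oh)[0] == PE32PLUS_MAGIC
    ndirs_off = oh + (108 if is64 else 92)                   # NumberOfRvaAndSizes differs between PE32 and PE32+
    ndirs = struct.unpack_from('<I', blob, ndirs_off)[0]
    return {
        'e_lfanew': e_lfanew, 'machine': machine, 'number_of_sections': nsect,
        'size_of_optional_header': opt_size, 'characteristics': chars, 'is64': is64,
        'entry_point': struct.unpack_from('<I', blob, oh + 16)[0],
        'image_base': struct.unpack_from('<Q' if is64 else '<I', blob, oh + (24 if is64 else 28))[0],
        'section_alignment': struct.unpack_from('<I', blob, oh + 32)[0],
        'file_alignment': struct.unpack_from('<I', blob, oh + 36)[0],
        'size_of_image': struct.unpack_from('<I', blob, oh + 56)[0],
        'size_of_headers': struct.unpack_from('<I', blob, oh + 60)[0],
        'subsystem': struct.unpack_from('<H', blob, oh + 68)[0],
        'number_of_dirs': ndirs,
        'data_directories': [struct.unpack_from('<II', blob, ndirs_off + 4 + 8 * i) for i in range(ndirs)],
    }


def tiny_pe_indicators(h):
    """Header properties that set collapsed/tiny PEs apart from compiler output."""
    flags = []
    if h['e_lfanew'] < 0x40:
        flags.append('nt-header-overlaps-dos-header')
    if h['number_of_sections'] == 0:
        flags.append('no-sections')
    if h['size_of_optional_header'] < (0xF0 if h['is64'] else 0xE0):
        flags.append('truncated-optional-header')
    if h['section_alignment'] < 0x1000:                      # loader maps the whole file 1:1
        flags.append('file-mapped-as-is')
    if h['entry_point'] < h['size_of_headers']:
        flags.append('entry-point-inside-headers')
    if h['number_of_dirs'] < 16:
        flags.append('truncated-data-directories')
    return flags


def list_imports(blob, h):
    """Walk the import directory; with no sections and sub-page alignment an RVA is a file offset."""
    if h['number_of_sections'] != 0 or h['section_alignment'] >= 0x1000:
        raise NotImplementedError('RVA-to-offset translation needs the section table')
    if h['number_of_dirs'] < 2 or h['data_directories'][1][0] == 0:
        return {}
    fmt, size = ('<Q', 8) if h['is64'] else ('<I', 4)
    ordinal_bit, desc, out = 1 << (size * 8 - 1), h['data_directories'][1][0], {}
    while True:                                              # descriptors end when Name or FirstThunk is 0
        _, _, _, name_rva, thunk = struct.unpack_from('<IIIII', blob, desc)
        if name_rva == 0 or thunk == 0:
            break
        names = []
        while (v := struct.unpack_from(fmt, blob, thunk)[0]) != 0:
            names.append('#%d' % (v & 0xFFFF) if v & ordinal_bit else cstr(blob, v + 2))
            thunk += size
        out[cstr(blob, name_rva)] = names
        desc += 20
    return out


if __name__ == '__main__':
    sample = build_collapsed_pe64_sample()
    hdr = parse_pe_headers(sample)
    print(hdr, tiny_pe_indicators(hdr), list_imports(sample, hdr), sep='\n')
```

For a file with a normal section table the `file-mapped-as-is` shortcut no longer holds and RVAs have to be translated through the sections; the indicators, though, are exactly the fields that make a collapsed file load on one Windows version and fail with C0000005 on another, so they are the first thing worth dumping when a loader behaves differently across systems.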

aw27

@Siekmanski
The latest version does not improve.  :(

@Mikl__
:t

jj2007

Quote from: Siekmanski on October 13, 2017, 08:22:08 PM
I'll have to study, how other exe packers handle the PE collapsing and if they run on all windows versions.

RichMasm is UPXed so that the MB package fits into the 512kB limit. There is also kkrunchy version 7 with better compression than UPX, but it is slow on decompression, so the load time increases a little bit.
126976 RichMasm.exe uncompressed
73728 UPXed
68608 KKrunchy --best
62464 KKrunchy 7 --best

Siekmanski

Thanks again,

@Mikl__, can you post the exe for the win32 example? Does it run on all windows versions?

@jochen, I have downloaded the sources for UPX and kkrunchy.  :t

@aw27, downloaded all the examples from phreedom.org http://www.phreedom.org/research/tinype/tinype.zip
Only tiny.c.1024 and tiny.c.45056 work on my Win8.1 machine, the rest return error codes: 5 or c0000018

My main goal is not to produce the smallest executable, but the smallest working PE loader which can be used for an exe packer/cruncher routine.
The clue is to make it work on all windows versions, I need to study this a bit more I'm afraid.  :biggrin:
Creative coders use backward thinking techniques as a strategy.

Mikl__

Hi, Siekmanski!
I do not know whether it will work on all 32-bit Windows versions. I checked on WinXP only...
If you create a tiny file creator in my asm-text, then you will have a tiny exe-file that can be run only on your system, since it has no import and the address of the MessageBox function corresponds only to your version of the user32.dll

jj2007

Quote from: Siekmanski on October 14, 2017, 02:09:41 AM
@jochen, I have downloaded the sources for UPX and kkrunchy.  :t

Upx  : 4/18, https://virusscan.jotti.org/en-US/filescanjob/0nvara556y
KK   : 2/17, https://virusscan.jotti.org/en-US/filescanjob/bw265a2sh9
KK7  : 8/17, https://virusscan.jotti.org/en-US/filescanjob/aa1iei3omx

KK7 hits the roof with false positives :P

Siekmanski


Virus Killers have become very paranoid....  :biggrin:

Just watched this informative movie about Portable Executable File Format on youtube https://www.youtube.com/watch?v=Vhiip1ZA-2w
Creative coders use backward thinking techniques as a strategy.

hutch--

I had a quick look and it looks like decent material but I found the guy hard to listen to and it runs for just over an hour so I might do it later.