The MASM Forum

General => The Laboratory => Topic started by: hutch-- on January 10, 2023, 10:29:58 PM

Title: Win64 Size Test
Post by: hutch-- on January 10, 2023, 10:29:58 PM
Stripped down a bare 64 bit Window, set the PE file alignment to 64 and ended up with a working EXE file of 1920 bytes. If I remembered how to write a DOS stub, you could get it down a little further but I have not done one for years. Only 3 crapheap AV scanners did not like it but no guarantee it will work on all 64 bit Windows versions.

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm64\include64\masm64rt.inc

    .code
      classname db "Win64",0

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

entry_point proc

    call main
    .exit

entry_point endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

main proc

    LOCAL wc        :WNDCLASSEX
    LOCAL hInstance :QWORD

    mov hInstance,rvcall(GetModuleHandle,0)

    mov wc.cbSize,         SIZEOF WNDCLASSEX
    mov wc.style,          CS_BYTEALIGNCLIENT or CS_BYTEALIGNWINDOW
    mov wc.lpfnWndProc,    ptr$(WndProc)
    mov wc.cbClsExtra,     0
    mov wc.cbWndExtra,     0
    mrm wc.hInstance,      hInstance
    mov wc.hIcon,          0
    mov wc.hCursor,        rvcall(LoadCursor,0,IDC_ARROW)
    mrm wc.hbrBackground,  0
    mov wc.lpszMenuName,   0
    mov wc.lpszClassName,  ptr$(classname)
    mov wc.hIconSm,        0

    rcall RegisterClassEx,ptr$(wc)

    lea r11, classname

    invoke CreateWindowEx,WS_EX_LEFT or WS_EX_ACCEPTFILES, \
                          r11, r11, \
                          WS_OVERLAPPEDWINDOW or WS_VISIBLE,\
                          250,150,800,600,0,0,hInstance,0
    call msgloop

    ret

main endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

msgloop proc

    LOCAL msg    :MSG
    LOCAL pmsg   :QWORD

    mov pmsg, ptr$(msg)                     ; get the msg structure address
    jmp gmsg                                ; jump directly to GetMessage()

  mloop:
    ; rcall TranslateMessage,pmsg           ; not needed here
    rcall DispatchMessage,pmsg
  gmsg:
    xor r11, r11
    test rax, rvcall(GetMessage,pmsg,r11,r11,r11) ; loop until GetMessage returns zero
    jnz mloop

    ret

msgloop endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

WndProc proc hWin:QWORD,uMsg:QWORD,wParam:QWORD,lParam:QWORD

    LOCAL hDC :QWORD
    LOCAL ps  :PAINTSTRUCT
    LOCAL rct :RECT

    .switch uMsg
      .case WM_CREATE
        xor rax, rax
        ret

      .case WM_PAINT
        rcall BeginPaint,hWin,ptr$(ps)
        mov hDC, rvcall(GetDC,hWin)

        mov rct.left, 25
        mov rct.top, 25
        mov rct.right, 100
        mov rct.bottom, 50

        invoke DrawText,hDC,"How D",-1,ptr$(rct),DT_SINGLELINE

        rcall ReleaseDC,hWin,hDC
        rcall EndPaint,hWin,ptr$(ps)

      .case WM_CLOSE
        rcall PostQuitMessage,NULL

    .endsw

    rcall DefWindowProc,hWin,uMsg,wParam,lParam

    ret

WndProc endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end

comment #
    --------------------------------------
    3 x crapheap AV scanners on VirusTotal
    --------------------------------------
    Cylance Unsafe
    SecureAge Malicious
    Trapmine Malicious.moderate.ml.score
#
Title: Re: Win64 Size Test
Post by: jj2007 on January 11, 2023, 12:40:59 AM
/MERGE:.data=.rdata /MERGE:.rdata=.text /stub:Hello16.obj

Saves 40h bytes :cool:

Plus the trick with the global wndclassex, which is good for another 40h bytes, see attachment.

Quote: 4 security vendors and no sandboxes flagged this file as malicious (https://www.virustotal.com/gui/file/33440bd10425586bdce97b2d7d89cacfde7d493222c8d3945d683df1009246b0?nocache=1)
Title: Re: Win64 Size Test
Post by: zedd151 on January 11, 2023, 02:40:09 AM
Quote from: jj2007 on January 11, 2023, 12:40:59 AM
Saves 40h bytes :cool:
Plus the trick with the global wndclassex, which is good for another 40h bytes, see attachment.
Saved some more bytes by trimming the zeros (101 to be exact) at the end of file.  :tongue: 
1,755 bytes ...
Pretty sure this version will get flagged as it is more unorthodox than even your version, jj.
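An added example, not part of the thread or any poster's code: a header check that reports the layout traits changed by the posts above (a FileAlignment of 64, and trailing bytes trimmed so a section's raw data runs past the end of the file), which is useful context when triaging a heuristic detection on a tiny binary. The sample image is a constructed PE32+ header skeleton, not the attached EXE; `pe_layout` and `build_sample` are hypothetical names.

```python
import struct

def pe_layout(data: bytes) -> dict:
    """Report the PE header traits that the size tricks in this thread change."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    # SectionAlignment/FileAlignment sit at +32/+36 in both PE32 and PE32+
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    names, findings = [], []
    if file_align < 512:
        findings.append(f"FileAlignment {file_align} is below the 512-byte lower bound in the PE spec")
    if sec_align < 4096:
        findings.append(f"SectionAlignment {sec_align} is below the 4096-byte page size")
    for i in range(nsec):
        off = opt + opt_size + 40 * i                       # 40-byte section headers
        name, _vsz, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        names.append(name.rstrip(b"\0").decode("latin-1"))
        missing = rptr + rsize - len(data)
        if missing > 0:
            findings.append(f"{names[-1]}: raw data runs {missing} bytes past end of file")
    return {"file_alignment": file_align, "section_alignment": sec_align,
            "sections": names, "findings": findings}

def build_sample(file_align: int, sec_align: int, trim: int) -> bytes:
    """Constructed PE32+ header skeleton for the demo; not the EXE from the thread."""
    pe, buf = 0x40, bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe)
    buf[pe:pe + 4] = b"PE\0\0"
    # Machine AMD64, one section, 240-byte PE32+ optional header, EXECUTABLE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HH12xHH", buf, pe + 4, 0x8664, 1, 240, 0x22)
    struct.pack_into("<H", buf, pe + 24, 0x20B)             # PE32+ magic
    struct.pack_into("<II", buf, pe + 24 + 32, sec_align, file_align)
    # One .text section whose raw data occupies file offsets 0x200..0x3FF
    struct.pack_into("<8sIIII", buf, pe + 24 + 240, b".text", 0x200, 0x1000, 0x200, 0x200)
    return bytes(buf[:len(buf) - trim])

if __name__ == "__main__":
    for label, img in (("default layout", build_sample(512, 4096, 0)),
                       ("64-byte alignment, 101 bytes trimmed", build_sample(64, 64, 101))):
        print(label, pe_layout(img))
```

To inspect a real file, pass its bytes to `pe_layout` instead of the constructed sample.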
Title: Re: Win64 Size Test
Post by: daydreamer on January 11, 2023, 03:21:08 AM
great :thumbsup:
1755 bytes gives plenty of space to code a 4096 byte(4k) demo
Title: Re: Win64 Size Test
Post by: jj2007 on January 11, 2023, 03:40:30 AM
Quote from: zedd151 on January 11, 2023, 02:40:09 AM
1,755 bytes ...

1728 bytes, and no foul tricks :biggrin:
Title: Re: Win64 Size Test
Post by: zedd151 on January 11, 2023, 05:20:39 AM
Quote from: jj2007 on January 11, 2023, 03:40:30 AM
1728 bytes, and no foul tricks :biggrin:
bravo! But how does it fare against AV software?
And does it run under Windows 10/11?


later ... Runs okay Windows 10.
Title: Re: Win64 Size Test
Post by: jj2007 on January 11, 2023, 05:52:16 AM
Quote from: zedd151 on January 11, 2023, 05:20:39 AM
But how does it fare against AV software?

Excellent (https://www.virustotal.com/gui/file/0ef2f606f320caf2d0343f98b62d7b3f1d0efbd10e7a4cf33d927739d02e3720?nocache=1)
Title: Re: Win64 Size Test
Post by: zedd151 on January 11, 2023, 06:06:06 AM
Quote from: jj2007 on January 11, 2023, 05:52:16 AM
Excellent (https://www.virustotal.com/gui/file/0ef2f606f320caf2d0343f98b62d7b3f1d0efbd10e7a4cf33d927739d02e3720?nocache=1)
  :thumbsup:
Quote from: daydreamer on January 11, 2023, 03:21:08 AM
great :thumbsup:
1755 bytes gives plenty of space to code a 4096 byte(4k) demo
Great! Post an example ...  :biggrin:
Title: Re: Win64 Size Test
Post by: daydreamer on January 11, 2023, 06:43:59 AM
Quote from: zedd151 on January 11, 2023, 06:06:06 AM
Quote from: jj2007 on January 11, 2023, 05:52:16 AM
Excellent (https://www.virustotal.com/gui/file/0ef2f606f320caf2d0343f98b62d7b3f1d0efbd10e7a4cf33d927739d02e3720?nocache=1)
  :thumbsup:
Quote from: daydreamer on January 11, 2023, 03:21:08 AM
great :thumbsup:
1755 bytes gives plenty of space to code a 4096 byte(4k) demo
Great! Post an example ...  :biggrin:
Haven't made 64bit demo or ported 32bit to 64bit yet
http://masm32.com/board/index.php?topic=6731.0
Haven't even reached 4096 bytes, two 3072 bytes exe and one 3.5kb
Title: Re: Win64 Size Test
Post by: hutch-- on January 11, 2023, 08:18:10 AM
jj,

> /MERGE:.data=.rdata /MERGE:.rdata=.text /stub:Hello16.obj

I know how to USE a dos stub but I forget how to make them. Could be done with a hex editor but I had little motivation to do so.  :tongue:
Title: Re: Win64 Size Test
Post by: TimoVJL on January 11, 2023, 11:04:02 AM
http://masm32.com/board/index.php?topic=7608.msg83097#msg83097
Title: Re: Win64 Size Test
Post by: jj2007 on January 11, 2023, 11:33:11 AM
Here is a fascinating lecture (http://www.phreedom.org/research/tinype/).

With my limited knowledge, I can't push it below 1456 bytes :sad:
Title: Re: Win64 Size Test
Post by: jj2007 on January 11, 2023, 11:40:51 AM
Quote from: hutch-- on January 11, 2023, 08:18:10 AM
jj,

> /MERGE:.data=.rdata /MERGE:.rdata=.text /stub:Hello16.obj

I know how to USE a dos stub but I forget how to make them. Could be done with a hex editor but I had little motivation to do so.  :tongue:

You should ask this guy for instructions:

Quote: Here is the dos stub ... written as REAL men do in HEX. :) (http://www.asmcommunity.net/forums/topic/?id=4191)
Title: Re: Win64 Size Test
Post by: zedd151 on January 11, 2023, 11:48:56 AM
Quote from: jj2007 on January 11, 2023, 11:40:51 AM
You should ask this guy for instructions:
Quote: Here is the dos stub ... written as REAL men do in HEX. :) (http://www.asmcommunity.net/forums/topic/?id=4191)

:tongue:  Old memories fade fast.
Quote from: you may know who
Here is the dos stub for my tiny editor TheGun.exe, written as REAL men do in HEX. :)
Well it was over 20 years ago after all. I can barely remember what I did yesterday sometimes.  :tongue: 
Title: Re: Win64 Size Test
Post by: hutch-- on January 11, 2023, 01:08:26 PM
 :biggrin:

You would be surprised how much code I have written in the last 20 years, I would like to blame it on senile decay but it's a ratio of quantity. I only remember most of it, the useful stuff.  :skrewy:
Title: Re: Win64 Size Test
Post by: zedd151 on January 11, 2023, 01:25:01 PM
Quote from: hutch-- on January 11, 2023, 01:08:26 PM
... I would like to blame it on senile decay but it's a ratio of quantity. ...
Can I steal that line for the next time anyone says I'm going senile, or am getting Alzheimer's?   :biggrin:
Title: Re: Win64 Size Test
Post by: Gunther on January 11, 2023, 02:30:19 PM
zedd151,

Quote from: zedd151 on January 11, 2023, 01:25:01 PM
Can I steal that line for the next time anyone says I'm going senile, or am getting Alzheimer's?   :biggrin:

give credit where credit is due. :cool:
Title: Re: Win64 Size Test
Post by: hutch-- on January 11, 2023, 03:07:03 PM
 :biggrin:

There is an inverse logic in claiming senile decay, if you can claim it, you are not senile (yet) but if you can't or don't remember, you may have already gone down that path.  :eusa_boohoo:

Now for those who share the modesty of being infallible, optional senility allows you to say "I have never made a mistake" and while no-one will believe you, it's a case of who cares.  :tongue:
Title: Re: Win64 Size Test
Post by: zedd151 on January 11, 2023, 06:57:22 PM
Quote from: Gunther on January 11, 2023, 02:30:19 PM
give credit where credit is due. :cool:
But of course.  :biggrin:

Quote from: hutch-- on January 11, 2023, 03:07:03 PM
... and while no-one will believe you, it's a case of who cares.
  :tongue:  
Title: Re: Win64 Size Test
Post by: daydreamer on January 12, 2023, 08:28:08 PM
Here I heard usage of "I got Alzheimer's lite", when someone forgot something  :greenclp:
Isn't minimum 64bit program just the opcode ret
Like in 32bit?
Or postquitmessage?

One phrase
-"I forgot to take my pill against senile decay"
Title: Re: Win64 Size Test
Post by: jj2007 on January 12, 2023, 08:48:41 PM
Quote from: daydreamer on January 12, 2023, 08:28:08 PM
Isn't minimum 64bit program just the opcode ret

I doubt it :biggrin:

Anyway, the specs for my 1456 byte proggie (http://masm32.com/board/index.php?topic=10602.msg117480#msg117480) were "a window with a WM_PAINT handler" :cool:
Title: Re: Win64 Size Test
Post by: hutch-- on January 12, 2023, 10:57:08 PM
I got what I was after with the test piece, running a 64 byte section alignment, runs on Win10 and only a few of the donkey AV scanners (he haw he haw) spat the dummy on it.
Title: Re: Win64 Size Test
Post by: daydreamer on January 14, 2023, 10:52:58 PM
Tiny .ico files help for both 64bit and 32bit
92 bytes .ico files as main program icon Little extreme
But smaller .ico file double as program icon and invoke drawiconex or to put in button can save space
Title: Re: Win64 Size Test
Post by: hutch-- on January 15, 2023, 12:08:54 AM
Sounds like interesting stuff Magnus but I am not into 4k demos, I am into apps and tools.