Create a micro PE file that can run in XP

Source: Internet
Author: User

A few days ago I was chatting with a friend about this topic and mentioned how to create a micro PE file. He said that most of the versions circulating on the Internet cannot run under XP SP3, so I got fired up and told him: "Don't worry about it."
It then took me half a day to finally create a micro PE that runs under XP: it pops up a dialog box and is 292 bytes. Of course, this is probably far from the limit, but I did it myself and would like to share some of my experiences. The minipe described in this article can be downloaded at: http://download.csdn.net/source/774041

Step 1: Prepare the PE file
First, create a PE file. To keep it as small as possible, we write it in assembly language. The code is as follows:


.386
.model flat, stdcall
option casemap:none

.data
bydata db 90h          ; a single byte, only so that the linker emits at least one section

.code
start:
                       ; no code yet; the entry point is filled in later
end start
If the code does nothing at all, an error is reported when it is run (because the entry point of the PE file points to a region that does not exist). We will fill in the code later. This PE file contains only one data section; in Windows XP a PE file must contain at least one section, otherwise it cannot run, and that is why we define bydata.
To make the generated PE file as small as possible, we use the /align:4 option when linking, which sets both the file alignment and the section alignment to 4 bytes. (Later versions of the Microsoft incremental linker may not support 4-byte alignment; for example, version 8.0, which I tested, requires at least 16-byte alignment. To use this option we need an older linker. I use the linker bundled with masm32 v9, version 5.12.)
In this way the generated PE file is only 460 bytes, which is a good start, because most extremely simple assembler programs come out at kilobyte size, and programs written in a high-level language are larger still. The file content is as follows:
00000000h: 4D 5A 90 00 03 00 00 04 00 00 00 FF 00 00 00 ; MZ.............
00000010h: B8 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ; .......@.......
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000030h: 00 00 00 00 00 00 00 00 00 A8 00 00 00 ; .............
00000040h: 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ; ........!..L.!Th
00000050h: 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F ; is program canno
00000060h: 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 ; t be run in DOS 
00000070h: 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 ; mode....$.......
00000080h: 5D 17 1D DB 19 76 73 88 19 76 73 88 19 76 73 88 ; ]....vs..vs..vs.
00000090h: E5 56 61 88 18 76 73 88 52 69 63 68 19 76 73 88 ; .Va..vs.Rich.vs.
000000a0h: 00 00 00 00 00 00 00 50 45 00 00 4C 01 01 00 ; .......PE..L...
000000b0h: 77 B8 1A 49 00 00 00 00 00 00 00 E0 00 0F 01 ; w..I...........
000000c0h: 0B 01 05 0C 00 00 00 00 04 00 00 00 00 00 00 ; ...............
000000d0h: C8 01 00 00 C8 01 00 C8 01 00 00 00 00 40 00 ; .............@.
000000e0h: 04 00 00 00 04 00 00 00 00 00 00 00 00 00 ; ..............
000000f0h: 04 00 00 00 00 00 00 CC 01 00 00 C8 01 00 00 ; ...............
00000100h: 00 00 00 00 00 00 00 00 00 10 00 00 00 ; .............
00000110h: 00 00 10 00 00 10 00 00 00 00 00 00 ; ............
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000130h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000140h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000160h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000170h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000180h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000190h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
000001a0h: 2E 64 61 74 61 00 00 00 00 00 00 C8 01 00 00 ; .data..........
000001b0h: 04 00 00 00 00 C8 01 00 00 00 00 00 00 00 00 ; ...............
000001c0h: 00 00 00 00 40 00 00 C0 90 00 00 00 ; ....@.......

Step 2: Remove the data section content
Look at the last 4 bytes of the file, 90 00 00 00: this is exactly the bydata we defined (the linker pads to 4-byte alignment, so 90h is followed by three zero bytes). It is certainly not something we need; we defined bydata only so that the linker would generate a PE file with at least one section. So remove it first: delete the last four bytes directly in UltraEdit and change the section's VirtualSize (the field at file offset 0x1a8) to 0. This shrinks the file by four bytes.

Step 3: Remove the DOS stub
Our goal is to run under Windows XP, so the DOS stub is redundant, but the linker has no option to remove it and we have to do this by hand. File offset 0x3c (e_lfanew of IMAGE_DOS_HEADER) holds the position of the PE file header; here it is 0x000000a8. Delete the stub data between the end of the DOS header and offset 0xa8, move the subsequent data forward, and correct the affected fields, for example set e_lfanew to 0x40. The size of the DOS stub is 0xa8 - 0x40 = 0x68, so removing it makes our file 104 bytes smaller. The content is as follows:
00000000h: 4D 5A 90 00 03 00 00 04 00 00 00 FF 00 00 00 ; MZ.............
00000010h: B8 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ; .......@.......
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000030h: 00 00 00 00 00 00 00 00 00 00 40 00 00 00 ; ..........@...
00000040h: 50 45 00 00 4C 01 01 00 77 B8 1A 49 00 00 00 00 ; PE..L...w..I....
00000050h: 00 00 00 E0 00 0F 01 0B 01 05 0C 00 00 00 00 00 ; ................
00000060h: 09 00 00 00 00 00 00 60 01 00 60 01 00 ; .......`..`..
00000070h: 60 01 00 00 00 00 40 00 00 00 00 04 00 00 00 00 ; `.....@.........
00000080h: 04 00 00 00 00 00 00 00 00 00 00 00 00 ; .............
00000090h: 64 01 00 00 60 01 00 00 00 00 00 00 00 00 00 ; d...`..........
000000a0h: 00 00 10 00 00 00 00 00 10 00 00 00 10 00 00 ; ...............
000000b0h: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 ; ..............
000000c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..............
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..............
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..............
000000f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..............
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000110h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000130h: 00 00 00 00 00 00 00 00 2E 64 61 74 61 00 00 00 ; .........data...
00000140h: 00 00 00 00 60 01 00 00 00 00 00 60 01 00 ; ....`......`..
00000150h: 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 ; ..........@...

Step 4: Overlap the DOS and PE file headers
In Windows, the PE loader only cares about e_magic and e_lfanew in the DOS header. Since everything else in it is useless, why not move the PE file header forward and reclaim that space? Of course, if the PE file header is longer than the DOS header, moving it forward will overwrite e_lfanew, and e_lfanew cannot hold an arbitrary value. What to do? We move the PE file header to file offset 0x04 and set e_lfanew to 0x04. The PE loader can now locate the PE file header from e_lfanew, so let's see which PE header field now occupies e_lfanew. File offset 0x3c is offset 0x3c - 0x4 = 0x38 within the PE file header, which is exactly the SectionAlignment field of IMAGE_OPTIONAL_HEADER, and the section alignment is also exactly 4. If the alignment was not 4 when the PE file was linked, it must be changed to 4 here.
This step is also very simple: copy the data from file offset 0x40 to offset 0x04. The total size of our PE file is now 292 bytes: sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) + 4. The file content is as follows:
00000000h: 4D 5A 90 00 50 45 00 00 4C 01 01 00 77 B8 1A 49 ; MZ..PE..L...w..I
00000010h: 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 05 0C ; ...............
00000020h: 00 00 00 00 09 00 00 00 00 00 60 01 00 00 ; ..........`...
00000030h: 60 01 00 00 60 01 00 00 00 00 40 00 04 00 00 00 ; `...`.....@.....
00000040h: 04 00 00 00 04 00 00 00 00 00 00 00 00 00 ; ..............
00000050h: 00 00 00 00 64 01 00 60 01 00 00 00 00 00 ; ....d..`......
00000060h: 02 00 00 00 00 00 10 00 00 00 00 10 00 ; .............
00000070h: 00 10 00 00 00 00 00 00 00 00 00 00 ; ............
00000080h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
00000090h: 00 00 00 00 00 00 00 00 00 00 00 00 ; ............
000000a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..............
000000b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ...............
000000c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ..............
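The header layout reached in Steps 2 to 4 can be checked programmatically. The following Python is an added example, not code from the article or its download: it constructs the 292-byte layout with the PE header at e_lfanew = 4 (a constructed sample, not the author's file, with Characteristics and Machine taken from the dumps above), and a small parser reports the fields the loader reads and flags any file whose DOS and PE headers overlap. Standard linkers always place the PE header after the 64-byte DOS header, so an e_lfanew below 0x40 is a useful triage signal for hand-crafted headers.

```python
import struct

DOS_HEADER_SIZE = 0x40       # sizeof(IMAGE_DOS_HEADER); e_lfanew sits at offset 0x3C
FILE_HEADER_SIZE = 0x14      # sizeof(IMAGE_FILE_HEADER)
OPT_HEADER32_SIZE = 0xE0     # sizeof(IMAGE_OPTIONAL_HEADER32)
SECTION_HEADER_SIZE = 0x28   # sizeof(IMAGE_SECTION_HEADER)

def build_min_pe(e_lfanew=0x04, alignment=4):
    """Constructed sample in the Step 4 layout: one empty section, PE header at e_lfanew."""
    nt = bytearray(4 + FILE_HEADER_SIZE + OPT_HEADER32_SIZE)
    nt[0:4] = b"PE\0\0"
    struct.pack_into("<HH", nt, 4, 0x014C, 1)                   # Machine = i386, NumberOfSections = 1
    struct.pack_into("<HH", nt, 20, OPT_HEADER32_SIZE, 0x010F)  # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", nt, 24, 0x010B)                      # Magic = PE32
    struct.pack_into("<II", nt, 24 + 32, alignment, alignment)  # SectionAlignment, FileAlignment
    sect = bytearray(SECTION_HEADER_SIZE)
    sect[0:5] = b".data"                                        # VirtualSize left 0, as in Step 2
    pe = bytearray(e_lfanew + len(nt) + len(sect))
    pe[0:2] = b"MZ"
    pe[e_lfanew:e_lfanew + len(nt)] = nt
    pe[e_lfanew + len(nt):] = sect
    if e_lfanew < DOS_HEADER_SIZE:
        # Overlapped layout: offset 0x3C is now a PE header field (SectionAlignment when
        # e_lfanew == 4), so that field must already hold the value the loader reads as e_lfanew.
        if struct.unpack_from("<I", pe, 0x3C)[0] != e_lfanew:
            raise ValueError("PE field overlapping e_lfanew must equal e_lfanew")
    else:
        struct.pack_into("<I", pe, 0x3C, e_lfanew)
    return bytes(pe)

def parse_headers(data):
    """Read the fields the loader uses and flag the DOS/PE header overlap (e_lfanew < 0x40)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing MZ signature or e_lfanew does not point at PE\\0\\0")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 4 + FILE_HEADER_SIZE
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    first = opt + opt_size                                      # first IMAGE_SECTION_HEADER
    return {
        "e_lfanew": e_lfanew,
        "sections": nsections,
        "section_alignment": sect_align,
        "file_alignment": file_align,
        "first_section": data[first:first + 8].rstrip(b"\0").decode("ascii", "replace"),
        "headers_overlap": e_lfanew < DOS_HEADER_SIZE,
        "headers_end": first + nsections * SECTION_HEADER_SIZE,
    }
```

Calling build_min_pe(e_lfanew=8) raises, because offset 0x3C would then land on a field that does not hold 8; this is the constraint the article resolves by choosing offset 4 and a section alignment of 4.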
