Create a miniature PE file manually


Author: three cents a piece
Email: zhongts@163.com
Date: 2003.12.18

I recently built a micro PE file by hand. Below is the construction method together with some lessons learned, shared here partly as a review of the PE format.

The final file is 180 bytes (B4h) and runs on Windows 2000; when run, it displays a message box.

Let's take a look at the content of the last generated file:

00000000  4D 5A 00 00 50 45 00 00 4C 01 01 00 75 73 65 72  MZ..PE..L...user
00000010  33 32 2E 64 6C 6C 00 00 70 00 0F 01 0B 01 6A 00  32.dll..p.....j.
00000020  B8 8C 00 40 00 50 50 6A 00 EB 05 00 1E 00 00 00  ...@.PPj........
00000030  FF 15 78 00 40 00 C3 00 00 00 40 00 04 00 00 00  ..x.@.....@.....
00000040  04 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00  ................
00000050  00 00 00 00 B4 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  02 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00  ................
00000070  00 10 00 00 00 00 00 00 C4 01 00 80 00 00 00 00  ................
00000080  00 00 00 00 9C 00 00 00 28 00 00 00 5A 54 53 B1  ........(...ZTS.
00000090  E0 D0 B4 00 B4 00 00 00 00 00 00 00 B4 00 00 00  ................
000000A0  00 00 00 00 00 00 00 00 0C 00 00 00 78 00 00 00  ............x...
000000B0  E0 00 00 E0                                      ....

The file structure as displayed by dumpbin is as follows (the two arrows mark the entry point and the import directory, which are the only "real" values in the whole header):

FILE HEADER VALUES
             14C machine (i386)
               1 number of sections
        72657375 time date stamp Sat Oct 26 21:21:57 2030
        642E3233 file pointer to symbol table
            6C6C number of symbols
              70 size of optional header
             10F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic #
          106.00 linker version
        40008CB8 size of code
        6A505000 size of initialized data
           5EB00 size of uninitialized data
              1E RVA of entry point                      <----
          7815FF base of code
          C30040 base of data
          400000 image base
               4 section alignment
               4 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
              B4 size of image
               0 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               0 DLL characteristics
          100000 size of stack reserve
               0 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
        800001C4 number of directories
               0 [       0] RVA [size] of Export Directory
              9C [      28] RVA [size] of Import Directory   <----
               0 [       0] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Special Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of Reserved Directory
               0 [       0] RVA [size] of Reserved Directory

Now let's start.

1. DOS header

IMAGE_DOS_HEADER STRUCT
    e_magic        <-- 4D 5A
    ...            <-- all other members 0
    e_lfanew       <-- 04 00 00 00
IMAGE_DOS_HEADER ENDS

To make the file as small as possible, the PE header is placed at file offset 4; it cannot be moved any further forward. The DOS header's e_lfanew (at offset 3Ch) must hold the file offset of the PE header, and with the PE header at offset 4, e_lfanew lands exactly on the optional header's SectionAlignment field (4 + 4 + 14h + 20h = 3Ch). Setting SectionAlignment to 4 therefore serves both purposes at once.

2. PE header

IMAGE_NT_HEADERS STRUCT
    Signature        <-- 50 45 00 00
    FileHeader
    OptionalHeader
IMAGE_NT_HEADERS ENDS

In the listing below, an asterisk (*) marks a field whose value cannot be chosen freely; for those, use the values shown in the dumpbin output above. Any field without an asterisk may hold arbitrary data, and those are the fields into which the code and the import table are squeezed.

IMAGE_FILE_HEADER STRUCT
    Machine                      *
    NumberOfSections             *
    TimeDateStamp
    PointerToSymbolTable
    NumberOfSymbols
    SizeOfOptionalHeader         *
    Characteristics              *
IMAGE_FILE_HEADER ENDS

IMAGE_OPTIONAL_HEADER32 STRUCT
    Magic                        *
    MajorLinkerVersion
    MinorLinkerVersion
    SizeOfCode
    SizeOfInitializedData
    SizeOfUninitializedData
    AddressOfEntryPoint          *
    BaseOfCode
    BaseOfData
    ImageBase                    *
    SectionAlignment             *
    FileAlignment                *
    MajorOperatingSystemVersion  *
    MinorOperatingSystemVersion  *
    MajorImageVersion            *
    MinorImageVersion            *
    MajorSubsystemVersion        *
    MinorSubsystemVersion        *
    Win32VersionValue            *
    SizeOfImage                  *
    SizeOfHeaders                *
    CheckSum
    Subsystem                    *
    DllCharacteristics           *
    SizeOfStackReserve           *
    SizeOfStackCommit            *
    SizeOfHeapReserve            *
    SizeOfHeapCommit             *
    LoaderFlags
    NumberOfRvaAndSizes          *
    DataDirectory                *
IMAGE_OPTIONAL_HEADER32 ENDS

Of the DataDirectory array only the export directory and import directory entries need to be kept; the remaining entries are dropped. The whole PE header is then 88h bytes, and SizeOfOptionalHeader is 70h (60h of fixed fields plus two 8-byte directory entries).

3. Section table

IMAGE_SECTION_HEADER STRUCT
    Name1                   <-- "ZTS编写" (5A 54 53 B1 E0 D0 B4 00; B1 E0 D0 B4 is the GBK encoding of 编写)
    UNION Misc
        PhysicalAddress
        VirtualSize         <-- B4 00 00 00
    ENDS
    VirtualAddress          <-- 00 00 00 00
    SizeOfRawData           <-- B4 00 00 00
    PointerToRawData        <-- 00 00 00 00
    PointerToRelocations    <-- 00 00 00 00
    PointerToLinenumbers    <-- 00 00 00 00
    NumberOfRelocations     <-- 00 00
    NumberOfLinenumbers     <-- 00 00
    Characteristics         <-- E0 00 00 E0
IMAGE_SECTION_HEADER ENDS

The entire file is the content of this single section, and the whole file is mapped unchanged at address 400000h.

Because the memory following the mapped file is zero-filled, the section table effectively ends with an all-zero entry (the loader actually goes by NumberOfSections, which is 1, so nothing further is required).

4. Import table

The file only needs to import one function, MessageBoxA from user32.dll, so the import table consists of one non-zero descriptor followed by one all-zero descriptor. Since a terminating all-zero descriptor is required, the import table is also placed at the end of the file: just as with the section table, the zero-filled memory after the mapped file stands in for the all-zero terminator.

Each import descriptor (IMAGE_IMPORT_DESCRIPTOR) is 20 bytes. The import table is laid over the unused tail of the section header, starting at SizeOfRawData (offset 9Ch). OriginalFirstThunk, TimeDateStamp and ForwarderChain of the descriptor are not needed, and they are exactly the fields that fall on the section header's SizeOfRawData, PointerToRawData and PointerToRelocations, so the section header's meaningful fields are left intact:

    offset  section header               import descriptor
    9Ch     SizeOfRawData                OriginalFirstThunk
    A0h     PointerToRawData             TimeDateStamp
    A4h     PointerToRelocations         ForwarderChain
    A8h     PointerToLinenumbers         Name
    ACh     NumberOfRelocations /        FirstThunk
            NumberOfLinenumbers

That leaves Name and FirstThunk. Write "user32.dll" at file offset 0Ch and point Name at RVA 0Ch; that location is the TimeDateStamp field of the file header (the string runs on through PointerToSymbolTable and NumberOfSymbols, which is why dumpbin shows those three as 72657375, 642E3233 and 6C6C). For the IAT, pick offset 78h and point FirstThunk there; 78h is the NumberOfRvaAndSizes field of the optional header. NumberOfRvaAndSizes was marked with * above, but it can still be used: any value not less than 2 is accepted. The IAT also needs a terminating zero dword, and the export directory RVA at 7Ch, which is zero, supplies it.

Enter the following bytes (the IAT entry with its zero terminator, and the descriptor's Name and FirstThunk):

00000070                          C4 01 00 80 00 00 00 00
00000080
00000090                                      B4 00 00 00
000000A0  00 00 00 00 00 00 00 00 0C 00 00 00 78 00 00 00

To keep the file small, MessageBoxA is imported by ordinal rather than by name: the IAT entry C4 01 00 80 is 800001C4h, whose high bit (IMAGE_ORDINAL_FLAG32) marks an ordinal import, and 1C4h is the ordinal of MessageBoxA in the user32.dll this file targets. Ordinals are not stable across Windows versions, so importing this way ties the file to that build of user32.dll.

After the import table has been written by hand, record its RVA and size in the import directory entry of the DataDirectory array: RVA 9Ch, size 28h (two 20-byte descriptors).

5. Code

With the preparations done, the code can be written. It too has to live in unused header fields. Scanning the header, two unused areas remain: 14 bytes starting at MajorLinkerVersion (offset 1Eh, running through SizeOfUninitializedData) and 8 bytes starting at BaseOfCode (offset 30h, BaseOfCode and BaseOfData).

The code to write is as follows:

0000001E: 6A 00              push    0
00000020: B8 8C 00 40 00     mov     eax, 40008Ch
00000025: 50                 push    eax
00000026: 50                 push    eax
00000027: 6A 00              push    0
00000029: EB 05              jmp     00000030
00000030: FF 15 78 00 40 00  call    dword ptr [00400078h]
00000036: C3                 ret

AddressOfEntryPoint is 1Eh. The mov loads 40008Ch, which is where the section name "ZTS编写" sits once the file is mapped at 400000h; it is pushed twice, so the section name serves as both the text and the caption of MessageBoxA(0, text, caption, 0). The jmp at 29h hops over AddressOfEntryPoint (2Ch..2Fh) into the second free area, and the call goes through the IAT slot at 400078h, which the loader fills with the address of MessageBoxA.

Enter the hexadecimal bytes of this code at offsets 1Eh and 30h.
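The whole construction, as an added example that is not part of the original article: a Python script (not the author's tool) that assembles the 180-byte image from the structures above and then reads it back the way the loader does, so that each overlap (e_lfanew on SectionAlignment, the DLL name in the file header, the IAT in NumberOfRvaAndSizes, the import descriptor over the section header, the section name as the message text) can be checked by offset. It assumes the identity mapping the article relies on (VirtualAddress == PointerToRawData == 0, so an RVA is also a file offset); the function names are mine.

```python
import struct

IMAGE_BASE = 0x400000
IMAGE_ORDINAL_FLAG32 = 0x80000000


def build_tiny_pe():
    """Assemble the 180-byte image exactly as laid out in the article."""
    buf = bytearray(0xB4)

    def put(off, data):
        buf[off:off + len(data)] = data

    put(0x00, b"MZ")                            # e_magic; e_lfanew at 3Ch is written below as SectionAlignment
    put(0x04, b"PE\0\0")                        # IMAGE_NT_HEADERS.Signature
    put(0x08, struct.pack("<HH", 0x14C, 1))     # Machine = i386, NumberOfSections = 1
    put(0x0C, b"user32.dll\0\0")                # TimeDateStamp..NumberOfSymbols reused as the DLL name
    put(0x18, struct.pack("<HH", 0x70, 0x10F))  # SizeOfOptionalHeader, Characteristics
    put(0x1C, struct.pack("<H", 0x10B))         # Magic = PE32
    # code fragment 1 in MajorLinkerVersion..SizeOfUninitializedData (1Eh..2Bh):
    # push 0 / mov eax,40008Ch / push eax / push eax / push 0 / jmp 30h
    put(0x1E, bytes.fromhex("6A00B88C00400050506A00EB05"))
    put(0x2C, struct.pack("<I", 0x1E))          # AddressOfEntryPoint
    # code fragment 2 in BaseOfCode/BaseOfData (30h..37h): call [400078h] / ret
    put(0x30, bytes.fromhex("FF1578004000C3"))
    put(0x38, struct.pack("<III", IMAGE_BASE, 4, 4))   # ImageBase, SectionAlignment (= e_lfanew), FileAlignment
    put(0x44, struct.pack("<6H", 4, 0, 0, 0, 4, 0))    # OS 4.0, image 0.0, subsystem 4.0
    put(0x54, struct.pack("<I", 0xB4))          # SizeOfImage; SizeOfHeaders and CheckSum stay 0
    put(0x60, struct.pack("<HH", 2, 0))         # Subsystem = WINDOWS_GUI, DllCharacteristics
    put(0x64, struct.pack("<4I", 0x100000, 0, 0x100000, 0x1000))  # stack/heap reserve and commit
    # 78h NumberOfRvaAndSizes doubles as IAT[0]: MessageBoxA by ordinal 1C4h
    put(0x78, struct.pack("<I", IMAGE_ORDINAL_FLAG32 | 0x1C4))
    # 7Ch..83h export directory stays zero and is also the IAT terminator
    put(0x84, struct.pack("<II", 0x9C, 0x28))   # import directory RVA and size
    # section header at 8Ch; the name doubles as the MessageBox text ("ZTS" + GBK "编写")
    put(0x8C, b"ZTS" + bytes.fromhex("B1E0D0B4") + b"\0")
    put(0x94, struct.pack("<III", 0xB4, 0, 0xB4))  # VirtualSize, VirtualAddress, SizeOfRawData
    # A0h..A7h PointerToRawData / PointerToRelocations stay 0 (= descriptor TimeDateStamp / ForwarderChain)
    put(0xA8, struct.pack("<II", 0x0C, 0x78))   # PointerToLinenumbers = Name RVA, NumberOf* = FirstThunk
    put(0xB0, struct.pack("<I", 0xE00000E0))    # Characteristics; also dword 0 of the terminator descriptor
    return bytes(buf)


def read_overlapping_views(img):
    """Read the image back as the loader sees it and report the fields that share bytes."""
    def u32(off):
        return struct.unpack("<I", img[off:off + 4].ljust(4, b"\0"))[0]  # past EOF reads as zero

    def u16(off):
        return struct.unpack("<H", img[off:off + 2].ljust(2, b"\0"))[0]

    def cstr(off):
        return img[off:].split(b"\0", 1)[0]

    e_lfanew = u32(0x3C)
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte file header
    sec = opt + u16(e_lfanew + 20)          # + SizeOfOptionalHeader = first section header
    desc = u32(opt + 0x68)                  # import directory RVA = first import descriptor
    iat = u32(desc + 16)                    # FirstThunk
    thunk = u32(iat)
    text_va = u32(0x21)                     # imm32 of the "mov eax," at 20h
    return {
        "e_lfanew": e_lfanew,
        "section_alignment": u32(opt + 0x20),
        "entry_rva": u32(opt + 0x10),
        "section_header_off": sec,
        "section_name": cstr(sec),
        "import_desc_off": desc,
        "dll": cstr(u32(desc + 12)),
        "iat_rva": iat,
        "ordinal": thunk & 0xFFFF if thunk & IMAGE_ORDINAL_FLAG32 else None,
        "iat_terminator": u32(iat + 4),
        "next_desc_name": u32(desc + 20 + 12),
        "next_desc_first_thunk": u32(desc + 20 + 16),
        "msgbox_text": cstr(text_va - u32(opt + 0x1C)),   # subtract ImageBase
    }


if __name__ == "__main__":
    image = build_tiny_pe()
    with open("tiny.exe", "wb") as f:       # 180 bytes; runs only on the loader the article targets
        f.write(image)
    for key, value in read_overlapping_views(image).items():
        print(f"{key:24} {value!r}")
```

Reading the file back with past-EOF bytes treated as zero is what makes the second import descriptor and the IAT terminator come out as zero, which is the same trick the article plays with the mapped image.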

Save the file and the work is done. Finally, a summary of the points to watch:

1. If FileAlignment is less than 200h, FileAlignment must equal SectionAlignment, and both must be at least 2.

2. If FileAlignment is less than 200h, each section's VirtualAddress must equal its PointerToRawData (the file is mapped as-is, so RVAs are file offsets).

3. VirtualSize <= SizeOfRawData.

4. SizeOfHeaders < SizeOfImage.

5. NumberOfRvaAndSizes >= 2: the DataDirectory array must hold at least two entries.

6. Both the section table and the import table need a terminating all-zero entry; here the zero-filled memory after the end of the mapped file supplies it (the loader stops at an import descriptor whose Name and FirstThunk are both zero).

These observations describe the Windows 2000 loader the file was tested on; later Windows versions validate PE headers more strictly, so a file built this way should be re-tested on every target version.
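An added checker for the six rules above, not from the original article: the 180-byte image from the hex dump is embedded as constructed test data, rules 1 to 5 are applied by parsing the headers, and rule 6 is checked by walking the import descriptors the way the loader does, reading bytes past the end of file as zero just as the mapped image does. The power-of-two test on FileAlignment is a PE specification requirement I added beyond the article's list; the helper names are mine.

```python
import struct

# The 180-byte image from the article's hex dump, embedded here as test data.
TINY_PE = bytes.fromhex(
    "4D5A0000504500004C01010075736572"
    "33322E646C6C000070000F010B016A00"
    "B88C00400050506A00EB05001E000000"
    "FF1578004000C3000000400004000000"
    "04000000040000000000000004000000"
    "00000000B40000000000000000000000"
    "02000000000010000000000000001000"
    "0010000000000000C401008000000000"
    "000000009C000000280000005A5453B1"
    "E0D0B400B400000000000000B4000000"
    "00000000000000000C00000078000000"
    "E00000E0"
)


def u32(img, off):
    # Bytes past the end of the file read as zero, as they do once the file is mapped.
    return struct.unpack("<I", img[off:off + 4].ljust(4, b"\0"))[0]


def u16(img, off):
    return struct.unpack("<H", img[off:off + 2].ljust(2, b"\0"))[0]


def with_u32(img, off, value):
    """Return a copy of img with the dword at off replaced (used to build broken variants)."""
    return img[:off] + struct.pack("<I", value) + img[off + 4:]


def check_rules(img):
    """Apply rules 1-5 from the summary; return the list of violations (empty when all pass)."""
    problems = []
    e_lfanew = u32(img, 0x3C)
    opt = e_lfanew + 4 + 20                       # optional header after the 20-byte file header
    nsec = u16(img, e_lfanew + 6)                 # NumberOfSections
    sec0 = opt + u16(img, e_lfanew + 20)          # first section header
    sec_align, file_align = u32(img, opt + 0x20), u32(img, opt + 0x24)
    size_image, size_headers = u32(img, opt + 0x38), u32(img, opt + 0x3C)
    ndirs = u32(img, opt + 0x5C)
    if file_align < 0x200 and (file_align != sec_align or file_align < 2):
        problems.append(f"rule 1: FileAlignment {file_align:#x} must equal SectionAlignment {sec_align:#x} and be >= 2")
    if file_align == 0 or file_align & (file_align - 1):
        problems.append("FileAlignment must be a power of two")   # PE spec requirement, beyond the article's list
    for i in range(nsec):
        s = sec0 + 40 * i
        vsize, vaddr, rawsize, rawptr = (u32(img, s + o) for o in (8, 12, 16, 20))
        if file_align < 0x200 and vaddr != rawptr:
            problems.append(f"rule 2: section {i}: VirtualAddress {vaddr:#x} != PointerToRawData {rawptr:#x}")
        if vsize > rawsize:
            problems.append(f"rule 3: section {i}: VirtualSize {vsize:#x} > SizeOfRawData {rawsize:#x}")
    if not size_headers < size_image:
        problems.append(f"rule 4: SizeOfHeaders {size_headers:#x} must be < SizeOfImage {size_image:#x}")
    if ndirs < 2:
        problems.append(f"rule 5: NumberOfRvaAndSizes {ndirs:#x} must be >= 2")
    return problems


def import_table_end(img):
    """Rule 6: walk the import descriptors as the loader does, stopping at the first one whose
    Name and FirstThunk are both zero.  Returns (descriptor count, offset of the terminator).
    Assumes the identity mapping of the article (RVA == file offset)."""
    opt = u32(img, 0x3C) + 4 + 20
    d = u32(img, opt + 0x68)                      # import directory RVA
    n = 0
    while u32(img, d + 12) or u32(img, d + 16):   # Name, FirstThunk
        n += 1
        d += 20
    return n, d


if __name__ == "__main__":
    print("violations:", check_rules(TINY_PE) or "none")
    count, terminator = import_table_end(TINY_PE)
    print(f"{count} import descriptor(s); terminator at {terminator:#x}, file ends at {len(TINY_PE):#x}")
```

For the article's file the terminator descriptor starts at B0h: only its first dword (the section's Characteristics, E00000E0h) is inside the file, and the remaining 16 bytes, including the Name and FirstThunk fields the loader tests, come from the zero fill past the end of the mapping.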

I wrote this up fairly quickly. If there are mistakes, I hope you will point them out, so that a beginner like me can learn more.

 
