The code can be assembled directly.
Compile command: nasmw -f bin msgboxa.asm -o msgboxa.exe
Download the latest NASM compiler for Win32.
Latest version: NASM 0.98.39
Code:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Small PE Header demo for NASM
; Email: Anskya@Gmail.com
;
; Code description: a mini PE file assembled with NASM. (c) 2006.3.20
; 1. Self-constructed PE header
; 2. Self-built import table structure
;
; Thanks: vecna [29A], nguga aka pedrogc made nagoa+.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[BITS 32]
%define code_base 1000h             ; code base address
%define rvadiff   1000h-200h        ; difference between the offset of data in memory and its offset on disk
%define imagebase 00400000h         ; image base address
%define reloc     rvadiff+imagebase ; global offset -- a very important parameter
; DOS stub header
mz_header:
.magic    dw "MZ"   ; 01 02 -- DOS stub ID [key data]
.cblp     dw 435Bh  ; 03 04 -- [non-key data]
.cp       dw 415Dh  ; 05 06 -- [non-key data]; value garbled in the source, 415Dh is assumed so that bytes 03-12 read "[C]Anskya!"
.crlc     dw 736Eh  ; 07 08 -- these 10 bytes can hold some personal information [non-key data]
.cparhdr  dw 796Bh  ; 09 10 -- [non-key data]
.minalloc dw 2161h  ; 11 12 -- [non-key data]
pe_header:
.Signature            dd "PE"  ; 13 14 | 15 16 -- start of the PE header [key data]
.Machine              dw 14Ch  ; 17 18 -- CPU required to run the file: IMAGE_FILE_MACHINE_I386 [key data]
.NumberOfSections     dw 1     ; 19 20 -- number of sections in the file [key data]
.TimeDateStamp        dd 0h    ; 21 22 | 23 24 -- file creation date and time [non-key data]
.PointerToSymbolTable dd 0h    ; 25 26 | 27 28 -- debugging information [non-key data]
.NumberOfSymbols      dd 0h    ; 29 30 | 31 32 -- debugging information [non-key data]
.SizeOfOptionalHeader dw 0E0h  ; 33 34 -- size of the optional header structure [key data]
.Characteristics      dw 103h  ; 35 36 -- file attribute flags, e.g. whether the file is an EXE or a DLL [key data]
optional_header:
.Magic                   dw 10Bh          ; 37 38 -- [key data]
.MajorLinkerVersion      db 0h            ; 39 -- [non-key data]
.MinorLinkerVersion      db 0h            ; 40 -- [non-key data]
.SizeOfCode              dd 0h            ; 41 42 | 43 44 -- [non-key data]
.SizeOfInitializedData   dd 0h            ; 45 46 | 47 48 -- [non-key data]
.SizeOfUninitializedData dd 0h            ; 49 50 | 51 52 -- [non-key data]
.AddressOfEntryPoint     dd code+rvadiff  ; 53 54 | 55 56 -- entry point: offset of code + rvadiff, computed at assembly time [key data]
.BaseOfCode              dd 0h            ; 57 58 | 59 60 -- code base address [non-key data]
;.BaseOfData             dd data_base     ; data base address -- replaced by .lfanew below; this value is unused
.lfanew                  dd 0Ch           ; 61 62 | 63 64 -- marks the start of the PE header; written as 0Ch here, see byte 13 above
; End of the DOS stub part. The field marking the start of the PE header has a fixed position (file offset 3Ch), so it can only be written here at the end.
; align 16, db 0
.ImageBase               dd imagebase     ; 65 66 | 67 68 -- base address of the image in memory, 00400000h by default [key data]
.SectionAlignment        dd 01000h        ; 69 70 | 71 72 -- section alignment in memory: if this value is 1000h (4096), the starting address of each section must be a multiple of that value
.FileAlignment           dd 0200h         ; 73 74 | 75 76 -- file alignment [key data]
.MajorOperSystemVersion  dw 0h            ; 77 78 -- [non-key data]
.MinorOperSystemVersion  dw 0h            ; 79 80 -- [non-key data]
.MajorImageVersion       dw 0h            ; 81 82 -- Win32 subsystem version: if the PE file is designed specifically for Win32, [non-key data]
.MinorImageVersion       dw 0h            ; 83 84 -- the subsystem version must be 4.0, otherwise dialog boxes will not have the 3-D look [non-key data]
.MajorSubsystemVersion   dw 4             ; 85 86 -- [key data]
.MinorSubsystemVersion   dw 0             ; 87 88 -- [key data]
.Reserved1               dd 0             ; 89 90 | 91 92 -- [non-key data]
.SizeOfImage             dd 2000h         ; 93 94 | 95 96 -- size of the whole PE image in memory: all headers and sections after section alignment [key data]
.SizeOfHeaders           dd code          ; 97 98 | 99 100 -- size of all headers plus the section table, i.e. the file size minus the size of all sections; usable as the file offset of the first section [key data]
.CheckSum                dd 0h            ; 101 102 | 103 104 -- [non-key data]
.Subsystem               dw 2             ; 105 106 -- PE file subsystem, 2 = Win32 GUI, 3 = Win32 console [key data]
.DllCharacteristics      dw 0             ; 107 108 -- [non-key data]
.SizeOfStackReserve1     dd 100000h       ; 109 110 | 111 112 -- [key data]
.SizeOfStackCommit1      dd 2000h         ; 113 114 | 115 116 -- [key data]
.SizeOfStackReserve2     dd 100000h       ; 117 118 | 119 120 -- SizeOfHeapReserve in the PE specification [key data]
.SizeOfStackCommit2      dd 2000h         ; 121 122 | 123 124 -- SizeOfHeapCommit in the PE specification [key data]
.LoaderFlags             dd 0h            ; 125 126 | 127 128 -- [non-key data]
.NumberOfRvaAndSizes     dd 10h           ; 129 130 | 131 132 -- [key data]
data_directories:
.ExportRVA              dd 0h              ; 133 134 | 135 136 -- export table RVA [non-key data]
.ExportSize             dd 0h              ; 137 138 | 139 140 -- export table length [non-key data]
.ImportRVA              dd import+rvadiff  ; 141 142 | 143 144 -- import table RVA [key data]
.ImportSize             dd code_end-import ; 145 146 | 147 148 -- import table length [key data]
; Import table structure part -- this area needs to be constructed carefully [not thoroughly studied]
;.misc_sectionz times 28 dd 0              ; the remaining entries -- useless for us
.ResourceRVA            dd 0h              ; resource table RVA [non-key data]
.ResourceSize           dd 0h              ; resource table length [non-key data]
.ExceptionRVA           dd 0h              ; never used this one [non-key data]
.ExceptionSize          dd 0h              ; never used this one [non-key data]
.CertificateRVA         dd 0h              ; never used this one [non-key data]
.CertificateSize        dd 0h              ; never used this one [non-key data]
.BaseRelocationRVA      dd 0h              ; base relocation table RVA [non-key data]
.BaseRelocationSize     dd 0h              ; base relocation table length [non-key data]
.DebugRVA               dd 0h              ; debugging information RVA [non-key data]
.DebugSize              dd 0h              ; debugging information length [non-key data]
.DescriptionRVA         dd 0h              ; never used this one [non-key data]
.DescriptionSize        dd 0h              ; never used this one [non-key data]
.MachineRVA             dd 0h              ; never used this one [non-key data]
.MachineSize            dd 0h              ; never used this one [non-key data]
.TLSRVA                 dd 0h              ; thread-local storage data [key data]
.TLSSize                dd 0h              ; thread-local storage data length [key data]
.LoadConfigRVA          dd 0h              ; never used this one [key data]
.LoadConfigSize         dd 0h              ; never used this one [key data]
.BoundImportRVA         dd 0h              ; bound import table data [key data]
.BoundImportSize        dd 0h              ; bound import table data length [key data]
.IATRVA                 dd 0h              ; never used this one [key data]
.IATSize                dd 0h              ; never used this one [key data]
.DelayImportDescriptor1 dd 0h              ; never used this one [non-key data]
.DelayImportDescriptor2 dd 0h              ; never used this one [non-key data]
.COMRuntimeHeader1      dd 0h              ; COM+ runtime header RVA [non-key data]
.COMRuntimeHeader2      dd 0h              ; COM+ runtime header length [non-key data]
.Reserved1              dd 0h              ; really never heard of this one [non-key data]
.Reserved2              dd 0h              ; really never heard of this one [non-key data]
; ~~ End of the PE header information ~ modify it according to the notes above
sections:
.SectionName          db ".anskya", 0
.VirtualSize          dd code_base     ; virtual size
.VirtualAddress       dd code_base     ; virtual address
.SizeOfRawData        dd code_end-code ; raw data size
.PointerToRawData     dd code          ; raw data offset
.PointerToRelocations dd 0
.PointerToLinenumbers dd 0
.NumberOfRelocations  dw 0
.NumberOfLinenumbers  dw 0
.Characteristics      dd 0E0000060h    ; section attributes... needless to say
align 200h, db 0                       ; align to 0x200
code:
    pushad
    sub eax, eax
    push eax                ; uType = MB_OK (0)
    push 00400105h          ; lpCaption: the section name, skipping the leading '.'
    push 00400002h          ; lpText: the personal information stored after MZ
    push eax                ; hWnd = 0
    call [MessageBoxA]      ; call through the import table entry
    popad
    ret
align 16, db 0
; The import table section follows. No export table is written; this is for demonstration only.
; For more information, see <Software Encryption Technology Insider>
import dd 0
    dd 0
    dd -1
    dd dll001+rvadiff       ; RVA of the DLL name
    dd api001+rvadiff       ; RVA of the import address table
    times 5 dd 0            ; 4*5 bytes of zeros
dll001 db 'user32.dll', 0   ; name of the imported DLL
api001 dd api101+rvadiff    ; RVA of the hint/name entry; the loader overwrites it with the function address
    dd 0
api101 dw 0
    db 'MessageBoxA', 0     ; imported function
MessageBoxA equ api001+reloc+4*0 ; function address declaration... api00n + reloc + 4*n
code_end:
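The listing places the PE header at offset 0Ch, inside the DOS header, and stores the e_lfanew value in the slot normally used by BaseOfData. The Python sketch below is an added example, not part of the original listing: it rebuilds those header bytes as a constructed sample and reports the layout traits an analyst would flag when triaging such a file. The function names and the text bytes after "MZ" are assumptions.

```python
import struct

def build_sample_header():
    """Constructed sample: the 0x12C header bytes laid out as in the listing."""
    h = bytearray(0x12C)
    h[0:12] = b"MZ[C]Anskya!"                         # text after MZ is assumed
    struct.pack_into("<4sHH", h, 0x0C, b"PE\0\0", 0x14C, 1)
    struct.pack_into("<HH", h, 0x20, 0xE0, 0x103)      # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", h, 0x24, 0x10B)             # PE32 optional-header magic
    struct.pack_into("<I", h, 0x34, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", h, 0x3C, 0x0C)              # BaseOfData slot reused as e_lfanew
    struct.pack_into("<III", h, 0x40, 0x400000, 0x1000, 0x200)
    struct.pack_into("<II", h, 0x5C, 0x2000, 0x200)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", h, 0x80, 0x10)              # NumberOfRvaAndSizes
    struct.pack_into("<8sII", h, 0x104, b".anskya\0", 0x1000, 0x1000)
    struct.pack_into("<I", h, 0x128, 0xE0000060)       # section Characteristics
    return bytes(h)

def analyze(data):
    """Locate the headers and report layout anomalies worth flagging in triage."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                  # optional header follows the 20-byte file header
    table = opt + opt_size               # section table follows the optional header
    findings = []
    if e_lfanew < 0x40:
        findings.append("PE header overlaps the DOS header")
    if opt <= 0x3C < table:
        findings.append("e_lfanew field lies inside the optional header")
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, table + 40 * i)
        flags, = struct.unpack_from("<I", data, table + 40 * i + 36)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, va, flags))
        if flags & 0x20000000 and flags & 0x80000000:   # MEM_EXECUTE and MEM_WRITE
            findings.append(f"section {name} is writable and executable")
    return {"e_lfanew": e_lfanew, "section_table": table,
            "sections": sections, "findings": findings}

if __name__ == "__main__":
    print(analyze(build_sample_header()))
```
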