NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funccalls

**Kas Ob.**

This is working and i added few imports not used but for the sake of example to replicate, and hope it is clear

Code:

nasm -f bin Win64.asm -o Win64.exe

Code:

			; win64.asm

SECTIONS   equ 2

TIME_DATE   equ 0

IMAGE_BASE         equ    0x000140000000 ;0x400000 ; org

SECTION_ALIGNMENT   equ      0x200

FILE_ALIGNMENT     equ       0x200

BSS_SIZE equ 0

%define nagoa_round(size) ((size + SECTION_ALIGNMENT - 1) & ~(SECTION_ALIGNMENT - 1))

bits 64

org IMAGE_BASE

section .text

;;******************************************************************************************************

;; if the header is part of the image, define it as section .text because .text is put

;; first in the image, and rename the code section as section .code

header:

   dw "MZ"                    ; e_magic

   dw 0                       ; e_cblp

   dw 0                       ; e_cp

   dw 0                       ; e_crlc

   dw 0                       ; e_cparhdr

   dw 0                       ; e_minalloc

   dw 0                       ; e_maxalloc

   dw 0                       ; e_ss

   dw 0                       ; e_sp

   dw 0                       ; e_csum

   dw 0                       ; e_ip

   dw 0                       ; e_cs

   dw 0                       ; e_lsarlc

   dw 0                       ; e_ovno

   dq 0                       ; e_res

   dw 0                       ; e_oemid

   dw 0                       ; e_oeminfo

   dd 0,0,0,0,0                    ; e_res2

   dd imageHeader - IMAGE_BASE   ; e_lfanew

imageHeader:

   dd "PE"                ; Signature

   dw 0x8664              ; Machine

   dw SECTIONS            ; NumberOfSections

   dd TIME_DATE           ; TimeDateStamp

   dd 0                   ; PointerToSymbolTable

   dd 0                   ; NumberOfSymbols

   dw optionalHeader.SIZE   ; SizeOfOptionalHeader

   dw 0x022               ; Characteristics

optionalHeader:

    dw 0x20B                       ; Magic

    db 0                           ; MajorLinkerVersion

    db 0                           ; MinorLinkerVersion

    dd nagoa_round(RAW_CODE.SIZE)   ; SizeOfCode

    dd nagoa_round(RAW_DATA.SIZE)   ; SizeOfInitializedData

    dd nagoa_round(BSS_SIZE)       ; SizeOfUninitializedData

    dd entryPoint                  ; AddressOfEntryPoint

    dd code                         ; BaseOfCode

    ;dd data - IMAGE_BASE           ; BaseOfData

    dq IMAGE_BASE                  ; ImageBase

    dd SECTION_ALIGNMENT           ; SectionAlignment

    dd FILE_ALIGNMENT              ; FileAlignment

    dw 4                           ; MajorOperatingSystemVersion

    dw 0                           ; MinorOperatingSystemVersion

    dw 0                           ; MajorImageVersion

    dw 0                           ; MinorImageVersion

    dw 4                           ; MajorSubsystemVersion

    dw 0                           ; MinorSubsystemVersion

    dd 0                           ; Win32VersionValue

    dd (RAW_HEADER.SIZE + RAW_CODE.SIZE + RAW_DATA.SIZE); SizeOfImage

    dd RAW_HEADER.SIZE             ; SizeOfHeaders

    dd 0                           ; CheckSum

    dw 2                           ; Subsystem

    dw 0                           ; DllCharacteristics

    dq 0x40000                     ; SizeOfStackReserve

    dq 0x6000                      ; SizeOfStackCommit

    dq 0x100000                    ; SizeOfHeapReserve

    dq 0x1000                      ; SizeOfHeapCommit

    dd 0                           ; LoaderFlags

    dd 16                          ; NumberOfRvaAndSizes

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_EXPORT

   dd Import_Directory_Table, Import_Directory_Table_Size                        ; IMAGE_DIRECTORY_ENTRY_IMPORT

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_RESOURCE

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_EXCEPTION

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_SECURITY

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_BASERELOC

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_DEBUG

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_COPYRIGHT

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_GLOBALPTR

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_TLS

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT

   ;dd Import_Address_Table, Import_Address_Table_Size                        ; IMAGE_DIRECTORY_ENTRY_IAT

   dd 0,0

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT

   dd 0, 0                        ; IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

   dd 0, 0                        ; reserved

optionalHeader.SIZE equ $ - optionalHeader

sectionHeaders:

    db ".text", 0, 0, 0            ; Name

    dd nagoa_round(RAW_CODE.SIZE)   ; VirtualSize

    dd code                        ; VirtualAddress

    dd RAW_CODE.SIZE               ; SizeOfRawData

    dd RAW_CODE.OFFSET             ; PointerToRawData

    dd 0                           ; PointerToRelocations

    dd 0                           ; PointerToLinenumbers

    dw 0                           ; NumberOfRelocations

    dw 0                           ; NumberOfLinenumbers

    dd 0x60000020                  ; Characteristics

    db ".data", 0, 0, 0            ; Name

    dd nagoa_round(RAW_DATA.SIZE)   ; VirtualSize

    dd data                        ; VirtualAddress

    dd RAW_DATA.SIZE               ; SizeOfRawData

    dd RAW_DATA.OFFSET             ; PointerToRawData

    dd 0                           ; PointerToRelocations

    dd 0                           ; PointerToLinenumbers

    dw 0                           ; NumberOfRelocations

    dw 0                           ; NumberOfLinenumbers

    dd 0xC0000040                  ; Characteristics

align FILE_ALIGNMENT, db 0

RAW_HEADER.SIZE equ $ - header

;;******************************************************************************************************

;;   F I R S T   . c o d e   S E C T I O N

;;******************************************************************************************************

VS_CODE   EQU ( ( ( 1 + ( (RAW_HEADER.SIZE-1) >> 12 ) ) * SECTION_ALIGNMENT ) )

section .code vstart=VS_CODE

   code:

   entryPoint:

      mov rcx,500

      call [rel Sleep]

      mov r9d, 0x00240040 ; uType

      lea r8, [rel title] ; lpCaption

      lea rdx, [rel content] ; lpText

      xor ecx, ecx ; hWnd

      call [rel MessageBoxA]

      mov rcx,500

      call [rel Sleep]

      mov r9d, 0x00240040 ; uType

      lea r8, [rel TITLE_W] ; lpCaption

      lea rdx, [rel CONTENT_W] ; lpText

      xor ecx, ecx ; hWnd

      call [rel MessageBoxW]

      jmp  [rel ExitProcess]

   align SECTION_ALIGNMENT, db 0

;;******************************************************************************************************

;;   F I R S T   . d a t a   S E C T I O N

;;******************************************************************************************************

VS_DATA   EQU ( VS_CODE + ( ( 1 + ( (RAW_CODE.SIZE-1) >> 12 ) ) * SECTION_ALIGNMENT ) )

section .data vstart=VS_DATA

data :

    Import_Address_Table:

      DLL_1:

        Sleep:          dq I_Sleep

        ExitProcess:    dq I_ExitProcess

        GetStdHandle:   dq I_GetStdHandle

        dq               0

      DLL_2:

      MessageBoxA    dq I_MessageBoxA

      MessageBoxW    dq I_MessageBoxW

      dq               0

   Import_Address_Table_Size equ $ - Import_Address_Table

      align 0x20, db 0

        Import_Directory_Table:  

            KERNEL32.originalfthk     dd DLL_1_thunk_table

            KERNEL32.timedate         dd 0  

            KERNEL32.forwarder        dd 0  

            KERNEL32.name             dd dll_name_1

            KERNEL32.firstthunk       dd DLL_1

            USER32.originalfthk     dd DLL_2_thunk_table

            USER32.timedate         dd 0  

            USER32.forwarder        dd 0  

            USER32.name             dd dll_name_2

            USER32.firstthunk       dd DLL_2

      align 0x20, db 0            ; should be always at the end of Import_Directory_Table

      Import_Directory_Table_Size equ $ - Import_Directory_Table

      DLL_1_thunk_table :

         dq  I_Sleep

         dq   I_ExitProcess

         dq   I_GetStdHandle

         dq  0

      DLL_2_thunk_table :

         dq  I_MessageBoxA

         dq   I_MessageBoxW

         dq  0

        I_Sleep:           

            dw                0

            db                'Sleep', 0  

            align             2 , db 0 

        I_ExitProcess:    

            dw                0  

            db                'ExitProcess', 0

            align             2 , db 0 

        I_GetStdHandle:

            dw                0  

            db                'GetStdHandle', 0

         align             2 , db 0 

        I_MessageBoxA:

            dw                0  

            db                'MessageBoxA', 0

         align             2 , db 0 

        I_MessageBoxW:

            dw                0  

            db                'MessageBoxW', 0

         align             2 , db 0 

        dll_name_1:             db 'kernel32.dll', 0

        dll_name_2:            db 'user32.dll', 0

    STRING_TABLE:

   %define u(x) __?utf16le?__(x) 

   %define w(x) __?utf32le?__(x)

   title:

         db "Hello world !!!", 0

         align             2 , db 0 

   content:

         db "ABCDEFGHIJKL", 0

         align             2 , db 0    

   TITLE_W:         

         dw u("Hello World !!! in Unicode"),0

         align             2 , db 0 

   CONTENT_W:

         db u("ABCDEFGHIJKL"), 0

         align             2 , db 0 

   align SECTION_ALIGNMENT, db 0

;;******************************************************************************************************

;;   L A S T   . c o d e   S E C T I O N

;;******************************************************************************************************

section .code

align FILE_ALIGNMENT, db 0

RAW_CODE.OFFSET   equ RAW_HEADER.SIZE

RAW_CODE.SIZE   equ $ - $$

;;******************************************************************************************************

;;   L A S T   . d a t a   S E C T I O N

;;******************************************************************************************************

section .data

align FILE_ALIGNMENT, db 0

RAW_DATA.OFFSET   equ RAW_CODE.OFFSET + RAW_CODE.SIZE

RAW_DATA.SIZE   equ $ - $$

;;******************************************************************************************************

IMAGE_END equ $

;; -- eof --

It can use some cleaning, and it is two sections instead of one, this will minimize the confliction in page protection, but you can remove one and consolidate them in one section.

ps. i liked the idea of generating an EXE in from one file, no linker and no library, you called it flat and indeed seems flat, it was nice journey.

**Kas Ob.**

i used Notepad++ and many tabs and now the text is dancing around

**paule32.jk**

no problem for the formats of source code.
Thank you very much for your efforts !
I overlook the source on the fly, and I can create a Flat image, that work.
How did you get it working ?

For your interesst:
in the Time, you present your Source Solution, I worked on a Compiler/Transpiler that is used AsmJit, wich you can use, to create Assembly Code with C++.
My Environment is MSYS2 MinGW32/64.

It emulate a POSIX BASH Shell, with powerful Tools.

I create a Bash Shell script, to compile, and link the Applications.
It comes with a Lexer/Parser (pc.exe) - that should read-up Pascal Syntax, and form a

AsmJit Assembly file.
This Assembly file can then reverse create AsmJit Assembly. So you have Pascal scripts that will be transpile to Assembly. And when you have Assembly source file, it will transpiled back to AsmJit, so you can do things like execute, and/or code injections.

Feel free, and drop a message - if you have Questions.

**Kas Ob.**

Zitat von paule32.jk:

no problem for the formats of source code.
Thank you very much for your efforts !
I overlook the source on the fly, and I can create a Flat image, that work.
How did you get it working ?

You are welcome,
I have played with the PE headers for years, so this wasn't a problem, years ago when i am bored i just go and download viruses and trojans just to disassemble them and see how they work, it was fun and still, alas life doesn't have mercy and spare you time, any way if you are interested but be careful, i mean extra careful and use protection like dissect and run the on VM like Hyper-V, of course if you wish then see this

https://github.com/Endermanch/MalwareDatabase
Again many scary things are there, but the things of manipulated are unimaginable.

Back to this PE header, first i tried to search the internet, very little i found, i thought there must be a ready solution like yours, but i couldn't found anything else than two examples, one on StackOverflow

https://stackoverflow.com/questions/...-assembly-nasm also and few threads on NAsm forum

https://forum.nasm.us/index.php?topic=1663.15

But this forum looks down now, it seems someone forgot to pay the hosting or something !!! and i can't recognize which is links from history as i spend hours in nice journey just reading more and more on PE and playing, never got to my mind to use NASM in such way, as i always use MASM with NotePad++ or RadAsm the IDE.
One section will definitely work but will have some serious red flags, also my implementation above is far from right to the one section, see memory pages should have right protection flag, but the sections above are 512b each and they are location on one page, Windows had no problem running it.
Also found this strange thing that Windows is in few places are very forgiving for wrong/incorrect/invalid values, addresses and alignment, but mostly aggressive with zero tolerance.

Anyway big chunk of that part is from the snippet in the nasm forum, which is existed in few threads and used as template, so i used it, the strange thing is, that thread called solved didn't work on my Windows 10 and didn't generate valid 32bit exe, so i changed and fixed the parameters to x64 and one extra DLLs imports.
For analyzing the content of the EXE i used Interactive Disassembler from HexRays, they have free (and limited) version

https://hex-rays.com/ida-free/ but it is powerful, yet it deceived me as fixed a lot of the errors without my permission, very useful to walk everything in EXE not only assembly but structures and headers.
Also if you not familiar with Ghidra

https://ghidra-sre.org/ then you are missing a lot, you will love it, and love its decompiler, yes full decompiler.

Zitat von paule32.jk:

For your interesst:
in the Time, you present your Source Solution, I worked on a Compiler/Transpiler that is used AsmJit, wich you can use, to create Assembly Code with C++.
My Environment is MSYS2 MinGW32/64.

It emulate a POSIX BASH Shell, with powerful Tools.

I create a Bash Shell script, to compile, and link the Applications.
It comes with a Lexer/Parser (pc.exe) - that should read-up Pascal Syntax, and form a

AsmJit Assembly file.
This Assembly file can then reverse create AsmJit Assembly. So you have Pascal scripts that will be transpile to Assembly. And when you have Assembly source file, it will transpiled back to AsmJit, so you can do things like execute, and/or code injections.

Feel free, and drop a message - if you have Questions.

That is very interesting indeed, and it is nice and useful, i am sure will enjoy digging in it, and will come back with any questions or just nagging.

**Kas Ob.**

One more thing, NASM looks may or less more powerful than MASM, both have great and extremely useful macro system, so in theory adding a DLL and with a list of import could be to just adding string to a list passed to a macro (defined function), was going to read and test it but it will take lot of reading and i wasn't sure it was worth it, thought you want it once for one dll and few imports.
Building these three lists to add a DLL and it imports and align may be doable.

**paule32.jk**

beside NASM there are many examples for YASM - which seems be compatible.
NASM is the netwide Assembler.

And I will see, how the macros can help, too.
But, Thank you for your Effort.

NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funccalls

AW: NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funcca

AW: NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funcca

AW: NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funcca

AW: NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funcca

AW: NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funcca

AW: NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funcca

Forumregeln

Kas Ob. Registriert seit: 3. Sep 2023 346 Beiträge	#12 AW: NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funcca 31. Okt 2023, 15:58 i used Notepad++ and many tabs and now the text is dancing around Kas
	Zitat

paule32.jk Registriert seit: 24. Sep 2022 Ort: Planet Erde 356 Beiträge Delphi 11 Alexandria	#16 AW: NASM - Erstellung eines Win64-Bit Images für die Verwendung mit mehr als 2 Funcca 1. Nov 2023, 12:41 beside NASM there are many examples for YASM - which seems be compatible. NASM is the netwide Assembler. And I will see, how the macros can help, too. But, Thank you for your Effort. Frag doch einfach Alles was nicht programmiert werden kann, wird gelötet
	Zitat