Under The Hood - Matt Pietrek

Stupid PE File Tricks

If you're an aficionado of all things PE file related, you'll get a kick out of this article:

http://www.phreedom.org/solar/code/tinype/

It shows all the wild twists and contortions needed to make a legal 97-byte Win32 PE file.

I think the smallest Win32 binary I ever created was 1KB, but that was just by playing tricks with the linker and my tinycrt library. I never took steps like locating code bytes in unused fields in the PE header.


Published Tuesday, November 07, 2006 2:42 PM by Matt Pietrek

Comments


Heath Stewart said:

Okay, that is just darn cool - but the (ab)uses are scary!

November 7, 2006 6:19 PM

oldnewthing said:

Technically, 4 is an illegal value for e_lfanew. e_lfanew must be at least 64 according to the extended exe spec. Note also that the exe stub is corrupted so running this in a DOS box will result in "undesired behavior". Still, a neat exercise.

November 7, 2006 8:40 PM

Solar Eclipse said:

It's not just the value of e_lfanew, a lot of the PE header fields are also invalid. I am sure that the specification doesn't allow for SizeOfOptionalHeader to be 4. The 97 byte file is not the smallest legal PE file, it's just the smallest one that can be executed by Windows XP. It doesn't even work on all versions of Windows.

I couldn't have done any of this without your articles about the PE format, they've been an invaluable help to all of us over the years. Thanks.

November 9, 2006 5:22 AM
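To make the two header complaints above concrete (e_lfanew below 64, and a SizeOfOptionalHeader far too small to hold the real optional header), here is an added example that is my own code, not code from the post, its commenters, or the tinype page. It assumes the documented IMAGE_DOS_HEADER / IMAGE_NT_HEADERS layout (e_lfanew at offset 60, SizeOfOptionalHeader at offset 16 of IMAGE_FILE_HEADER, 96 and 112 bytes of standard fields for PE32 and PE32+ before the data directories). The sample headers it builds are constructed for illustration and are not the 97-byte file itself.

```python
"""Sanity-check the DOS/PE header layout of a Win32 image.

Added example, not from the original post: flags the header oddities the
comments describe (e_lfanew under 64 so the PE header overlaps the DOS
header, and a SizeOfOptionalHeader too small for even the standard fields).
Useful as a triage check for images that rely on loader leniency.
"""
import struct

DOS_HEADER_SIZE = 64            # sizeof(IMAGE_DOS_HEADER); e_lfanew lives at offset 60
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20           # sizeof(IMAGE_FILE_HEADER)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# Optional header size without the 16 data directories (128 bytes more).
MIN_OPTIONAL_HEADER = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}


def check_pe_headers(data: bytes) -> list:
    """Return a list of findings; an empty list means the layout looks conventional."""
    findings = []
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return ["no MZ header"]
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew < DOS_HEADER_SIZE:
        findings.append(f"e_lfanew={e_lfanew} overlaps the DOS header "
                        f"(minimum is {DOS_HEADER_SIZE})")
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        findings.append(f"e_lfanew={e_lfanew} points past end of file")
        return findings
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        findings.append("no PE\\0\\0 signature at e_lfanew")
        return findings
    file_hdr = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + FILE_HEADER_SIZE
    if size_opt < 2 or opt + 2 > len(data):
        findings.append(f"SizeOfOptionalHeader={size_opt} cannot hold the Magic field")
        return findings
    magic = struct.unpack_from("<H", data, opt)[0]
    expected = MIN_OPTIONAL_HEADER.get(magic)
    if expected is None:
        findings.append(f"unknown optional-header Magic 0x{magic:x}")
    elif size_opt < expected:
        findings.append(f"SizeOfOptionalHeader={size_opt} is below the {expected} "
                        f"bytes of standard fields")
    if opt + size_opt > len(data):
        findings.append("optional header runs past end of file")
    return findings


def build_sample(e_lfanew: int, size_opt: int, magic: int = PE32_MAGIC) -> bytes:
    """Construct a header-only image (no sections, no code) with the given layout.

    Constructed test data: when e_lfanew < 64 the PE header is written on top
    of the DOS header, mimicking the overlap trick the comments discuss.
    """
    body = bytearray(b"MZ" + b"\0" * (DOS_HEADER_SIZE - 2))
    if e_lfanew > len(body):
        body += b"\0" * (e_lfanew - len(body))
    pe = bytearray(PE_SIGNATURE + b"\0" * FILE_HEADER_SIZE)
    struct.pack_into("<H", pe, 4 + 16, size_opt)     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = bytearray(max(size_opt, 2))
    struct.pack_into("<H", opt, 0, magic)            # IMAGE_OPTIONAL_HEADER.Magic
    blob = pe + opt
    body[e_lfanew:e_lfanew + len(blob)] = blob
    struct.pack_into("<I", body, 60, e_lfanew)       # written last so it survives the overlay
    return bytes(body)


if __name__ == "__main__":
    for label, img in (("conventional", build_sample(0x80, 224)),
                       ("overlapping", build_sample(4, 4))):
        print(label, check_pe_headers(img) or ["ok"])
```

Running it prints no findings for the conventional layout and two for the overlapping one: the e_lfanew overlap and the undersized optional header. A real loader may still accept such a file, which is exactly the point the comments make; the check only tells you the image departs from the documented layout.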

Russ Osterlund said:

Another interesting observation when running the smallest 97-byte program is noting all that Windows brings to the party that is not even needed by the program.  For example, KERNEL32 is loaded even though it is not referenced by the program with or without an import table; the loader needs it.  Also, for some reason the "program" gets 3 heaps even though there is no memory allocation done.  There is a TEB and PEB as well.  Fascinating!

November 9, 2006 2:00 PM

Norman Diamond said:

Solar Eclipse said:

[a bunch of criticisms deleted]

Hey, you oughta watch your mouth.  If you keep criticising a talented programmer, the programmer might start looking for revenge.  Then you'll really be in trouble because I hold copyright on some of the most vicious flames I ever posted in notesfiles when attacking the author of some of my own bugs.

Um, oops, you weren't pointing out bugs, just the illegality.  Oh well.  Death to your program.  Let the execution begin.

Russ Osterlund said:

> KERNEL32 is loaded even though it is not referenced by the program with or without an import table; the loader needs it.

Um, so what?  The program does no I/O, but the loader needs to call I/O routines too.  Or do you mean that dll's not specified by the program should be unloaded as soon as the loader passes control to the program?

November 9, 2006 7:59 PM
