試寫一個最精簡的 win32 exe program. 他啥事都不做,一上手就 NOP RET. 純粹為了看看 PE 結構而已。
下例顯示,程式本身只有一個 byte 一個 instruction 'RET' 而已。Assemble-link 出來卻有 1024 bytes, PE 結構之故也。
Assembler : masm32
Environment :
SET PATH=c:\masm32\BIN;c:\masm32;c:\Windows\System32;c:\Windows;
@rem MASM32
SET INCLUDE=c:\masm32\INCLUDE;
SET LIB=c:\masm32\LIB;
SET ML=/coff /Fm /link /SUBSYSTEM:WINDOWS
@rem NTSD
SET _NT_SYMBOL_PATH=SRV*D:\symbols*http://msdl.microsoft.com/download/symbols
Source code :
option casemap:none ;01
.386 ;02
.model flat,stdcall ;03
include windows.inc ;04 <=== copy from 著名網友 小木偶 先生的範例
include kernel32.inc ;05
include user32.inc ;06
includelib kernel32.lib ;07
includelib user32.lib ;08
.code
start: nop <=== 精簡成這樣
ret
end start
Assemble - link :
D:\Learnings\masm32\Pinocchio01>ml pinocchio01a.asm
Microsoft (R) Macro Assembler Version 6.14.8444
Copyright (C) Microsoft Corp 1981-1997. All rights reserved.
Assembling: pinocchio01a.asm
Microsoft (R) Incremental Linker Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
/SUBSYSTEM:WINDOWS
"pinocchio01a.obj"
"/OUT:pinocchio01a.exe" <=== ok, lt's see . . . . 這個程式真的可以執行,我相信它是我寫過最穩的一支程式了!哈!
"/MAP:pinocchio01a.map"
Result :
Pinocchio01a.exe 1,024 bytes
Hex dump :
-m 100 1000 5000:0
-d 5000:0 3FF
5000:0000 4D 5A 90 00 03 00 00 00-04 00 00 00 FF FF 00 00 MZ.............. <=== 就是這裡了
5000:0010 B8 00 00 00 00 00 00 00-40 00 00 00 34 00 FE 0A ........@...4...
5000:0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0030 00 00 00 00 00 00 00 00-00 00 00 00 A8 00 00 00 ................
5000:0040 0E 1F BA 0E 00 B4 09 CD-21 B8 01 4C CD 21 54 68 ........!..L.!Th
5000:0050 69 73 20 70 72 6F 67 72-61 6D 20 63 61 6E 6E 6F is program canno
5000:0060 74 20 62 65 20 72 75 6E-20 69 6E 20 44 4F 53 20 t be run in DOS
5000:0070 6D 6F 64 65 2E 0D 0D 0A-24 00 00 00 00 00 00 00 mode....$.......
5000:0080 5D 17 1D DB 19 76 73 88-19 76 73 88 19 76 73 88 ]....vs..vs..vs.
5000:0090 E5 56 61 88 18 76 73 88-52 69 63 68 19 76 73 88 .Va..vs.Rich.vs.
5000:00A0 00 00 00 00 00 00 00 00-50 45 00 00 4C 01 01 00 ........PE..L...
5000:00B0 8D 5F 08 49 00 00 00 00-00 00 00 00 E0 00 0F 01 ._.I............
5000:00C0 0B 01 05 0C 00 02 00 00-00 00 00 00 00 00 00 00 ................
5000:00D0 00 10 00 00 00 10 00 00-00 20 00 00 00 00 40 00 ......... ....@.
5000:00E0 00 10 00 00 00 02 00 00-04 00 00 00 00 00 00 00 ................
5000:00F0 04 00 00 00 00 00 00 00-00 20 00 00 00 02 00 00 ......... ......
5000:0100 00 00 00 00 02 00 00 00-00 00 10 00 00 10 00 00 ................
5000:0110 00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00 ................
5000:0120 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0130 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0140 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0150 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0160 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0180 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:01A0 2E 74 65 78 74 00 00 00-02 00 00 00 00 10 00 00 .text...........
5000:01B0 00 02 00 00 00 02 00 00-00 00 00 00 00 00 00 00 ................
5000:01C0 00 00 00 00 20 00 00 60-00 00 00 00 00 00 00 00 .... ..`........
5000:01D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:01E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:01F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0200 90 C3 00 00 00 00 00 00-00 00 00 00 00 00 00 00 <== 放是放這裡,到時被 load 到 $401000 處去執行
5000:0210 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0220 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0230 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0240 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0250 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0260 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0270 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0280 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0290 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:02A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:02B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:02C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:02D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:02E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0300 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0310 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0320 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0330 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0340 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0350 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0360 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0370 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0380 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:0390 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:03A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:03B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:03C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:03D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:03E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
5000:03F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
接下來都是亂碼
See map file :
pinocchio01a
Timestamp is 49085f8d (Wed Oct 29 21:05:17 2008)
Preferred load address is 00400000
Start Length Name Class
0001:00000000 00000002H .text CODE
Address Publics by Value Rva+Base Lib:Object
0001:00000000 _start 00401000 f pinocchio01a.obj <=== actual entry point
entry point at 0001:00000000
Static symbols
用 NTSD 瞧一瞧
0:000> lm
start end module name
00400000 00402000 image00400000 (deferred)
7c800000 7c91f000 kernel32 (deferred)
7c920000 7c9b4000 ntdll (export symbols) ntdll.dll
0:000> u 401000
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image004000
00
image00400000+1000:
00401000 90 nop <==== correct
00401001 c3 ret
00401002 0000 add [eax],al
00401004 0000 add [eax],al
00401006 0000 add [eax],al
00401008 0000 add [eax],al
0040100a 0000 add [eax],al
0040100c 0000 add [eax],al
0:000> g 401000
eax=00000000 ebx=7ffda000 ecx=0012ffb0 edx=7c92e4f4 esi=0007f7ec edi=00000000
eip=00401000 esp=0012ffc4 ebp=0012fff0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
image00400000+1000:
00401000 90 nop
0:000> t
eax=00000000 ebx=7ffda000 ecx=0012ffb0 edx=7c92e4f4 esi=0007f7ec edi=00000000
eip=00401001 esp=0012ffc4 ebp=0012fff0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
image00400000+1001:
00401001 c3 ret
0:000> t
eax=00000000 ebx=7ffda000 ecx=0012ffb0 edx=7c92e4f4 esi=0007f7ec edi=00000000
eip=7c817067 esp=0012ffc8 ebp=0012fff0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\W
INDOWS\system32\kernel32.dll -
kernel32!RegisterWaitForInputIdle+49:
7c817067 50 push eax
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fff0 00000000 kernel32!RegisterWaitForInputIdle+0x49
0:000>
