Reverse Engineering for Beginners

CHAPTER 68. WINDOWS NT


#include <windows.h>

int main()
{
    MessageBox (NULL, "hello, world", "caption", MB_OK);
}


Let’s compile it in MSVC 2008.


cl no_crt.c user32.lib /link /entry:main


We get a runnable .exe of 2560 bytes that contains a PE header, the instructions that call MessageBox, two strings
in the data segment, the MessageBox function imported from user32.dll, and nothing else.


This works, but you cannot write WinMain with its 4 arguments instead of main(). To be precise, you can, but its
arguments are not prepared at the moment of execution: it is the CRT's startup code that normally obtains them
(via GetModuleHandle(), GetCommandLine() and GetStartupInfo()) before calling WinMain, and with /entry:main that
startup code is no longer part of the executable.


By the way, it is possible to make the .exe even shorter by aligning the PE^2 sections at less than the default 4096 bytes.


cl no_crt.c user32.lib /link /entry:main /align:16


Linker says:


LINK : warning LNK4108: /ALIGN specified without /DRIVER; image may not run


We get an .exe of 720 bytes. It can be executed in Windows 7 x86, but not in x64 (an error message is shown
when you try to run it). With even more effort it is possible to make the executable shorter still, but as you can see,
compatibility problems arise quickly.


68.2 Win32 PE.


PE is the executable file format used in Windows.


The difference between .exe, .dll and .sys is that .exe and .sys usually do not have exports, only imports. The extension itself
is not what the loader looks at: whether a file is treated as a DLL is decided by the IMAGE_FILE_DLL flag in its file header.


A DLL^3, just like any other PE file, has an entry point (OEP) (the function DllMain() is located there), but this function usually
does nothing.


.sys is usually a device driver.


As for drivers, Windows requires the checksum field in the PE header to be present and correct^4.


Starting with Windows Vista, a driver's files must also carry a digital signature (enforced by kernel-mode code signing on
64-bit Windows); the driver fails to load otherwise.


Every PE file begins with a tiny DOS program (the DOS stub) that prints a message like "This program cannot be run in DOS mode."
If you run the file in DOS or Windows 3.1 (OSes that are not aware of the PE format), that message is printed.


68.2.1 Terminology.



  • Module: a separate file, .exe or .dll.

  • Process: a program loaded into memory and currently running. It commonly consists of one .exe file and a bunch of .dll
    files.

  • Process memory: the memory a process works with. Each process has its own. It usually holds the loaded modules,
    the stack(s), the heap(s), etc.

  • VA^5: an address as it is used by the program at runtime.

  • Base address (of a module): the address within the process memory at which the module is to be loaded. The OS loader
    may change it if that base address is already occupied by another module loaded earlier.

  • RVA^6: the VA minus the base address. Many addresses in PE file tables are RVAs, so they stay valid wherever the
    module is actually loaded.
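The header walk, the RVA/VA arithmetic and the driver checksum described in this section, as an added example that is
not from the book. The sample image is constructed inline (a structurally valid PE32 skeleton with a .text and a .data
section, not a runnable program); the field offsets are those of IMAGE_DOS_HEADER, IMAGE_FILE_HEADER,
IMAGE_OPTIONAL_HEADER32 and IMAGE_SECTION_HEADER from winnt.h, and the checksum routine implements the
algorithm used by imagehlp's CheckSumMappedFile.

```python
import struct

# Layout constants from winnt.h for PE32 (32-bit) images.
DOS_HEADER_SIZE = 64        # sizeof(IMAGE_DOS_HEADER); e_lfanew sits at offset 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20       # sizeof(IMAGE_FILE_HEADER)
OPT_HEADER32_SIZE = 224     # sizeof(IMAGE_OPTIONAL_HEADER32) with 16 data directories
SECTION_HEADER_SIZE = 40    # sizeof(IMAGE_SECTION_HEADER)
IMAGE_FILE_DLL = 0x2000     # Characteristics flag that marks a DLL


def build_sample_pe(image_base=0x400000, file_align=0x200, sect_align=0x1000):
    """Constructed sample input: a PE32 skeleton with a .text and a .data section.
    Not executable code, just enough headers and raw data to walk and checksum."""
    sections = [  # (Name, VirtualSize, VirtualAddress (an RVA), SizeOfRawData, PointerToRawData)
        (b".text", 0x10, 0x1000, file_align, 0x200),
        (b".data", 0x20, 0x2000, file_align, 0x400),
    ]
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)     # e_lfanew; no DOS stub code in this sample
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER32_SIZE, 0x0102)
    opt = bytearray(OPT_HEADER32_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint (an RVA, not a VA)
    struct.pack_into("<III", opt, 28, image_base, sect_align, file_align)
    struct.pack_into("<II", opt, 56, 0x3000, file_align)   # SizeOfImage, SizeOfHeaders; CheckSum (64) left 0
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    shdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, rs, ro, 0, 0, 0, 0, 0x60000020)
                     for n, vs, rva, rs, ro in sections)
    img = bytearray(dos + PE_SIGNATURE + coff + opt + shdrs)
    img += b"\0" * (0x600 - len(img))                      # pad headers to FileAlignment, then raw sections
    img[0x200:0x204] = b"\xc3\x90\x90\x90"                 # .text: ret; nop; nop; nop
    img[0x400:0x40C] = b"hello, world"                     # .data: a string living at RVA 0x2000
    return bytes(img)


def parse_pe(data):
    """Follow the chain DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example only handles PE32 (Magic 0x10B)")
    pe = {
        "machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
        "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "checksum": struct.unpack_from("<I", data, opt + 64)[0],
        "checksum_offset": opt + 64,
        "sections": [],
    }
    for i in range(nsect):
        name, vsize, rva, rawsize, rawoff = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * SECTION_HEADER_SIZE)
        pe["sections"].append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                               "rva": rva, "rawsize": rawsize, "rawoff": rawoff})
    return pe


def rva_to_va(pe, rva, actual_base=None):
    """VA = base address + RVA.  Pass actual_base when the loader had to relocate the module."""
    return (pe["image_base"] if actual_base is None else actual_base) + rva


def va_to_rva(pe, va, actual_base=None):
    return va - (pe["image_base"] if actual_base is None else actual_base)


def rva_to_file_offset(pe, rva):
    """Where an RVA's bytes live on disk: headers map 1:1, section bodies via PointerToRawData.
    Returns None for RVAs without backing bytes (unmapped gaps, or virtual-only data such as .bss)."""
    if rva < pe["size_of_headers"]:
        return rva
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["rva"]
            return s["rawoff"] + delta if delta < s["rawsize"] else None
    return None


def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile algorithm: one's-complement style sum of 32-bit words, skipping the
    CheckSum field itself, folded to 16 bits, plus the file length.  Assumes checksum_offset is
    4-byte aligned, which holds whenever e_lfanew is 4-byte aligned (true for linker output)."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def set_checksum(data):
    """Return a copy of the image with a correct CheckSum field (what the linker does for drivers)."""
    pe = parse_pe(data)
    out = bytearray(data)
    struct.pack_into("<I", out, pe["checksum_offset"], pe_checksum(data, pe["checksum_offset"]))
    return bytes(out)


def checksum_is_valid(data):
    pe = parse_pe(data)
    return pe["checksum"] == pe_checksum(data, pe["checksum_offset"])
```

Two things worth noticing when running it: the entry point and the section addresses in the headers are RVAs, so
they stay meaningful both at the preferred ImageBase and at whatever base the loader finally picks; and the checksum
is only an integrity check against corruption, since anyone who patches the file can recompute it with the same
routine, which is exactly why drivers additionally need a signature.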


(^2) Portable Executable: 68.2
(^3) Dynamic-link library
(^4) For example, Hiew (73 on page 706) can calculate it
(^5) Virtual Address
(^6) Relative Virtual Address
