Articles

Generating a Minimal Executable with Visual Studio and MASM

ByAdmin November 26, 2023December 21, 2023

Learn how to write an assembly program with MASM and link it to get a minimal executable. Just install Visual Studio and a Windows SDK, then follow the steps below.

First, we need to set up the prototypes in the assembly code as imports if we are using the Microsoft MASM assembler, rather than an open-source equivalent.

Also, define any constants. A simple “Hello World” program via a message box is a good example.

.586
.model flat, stdcall
option casemap :none

MessageBoxA PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD
ExitProcess PROTO STDCALL :DWORD

MB_OK EQU 0
NULL EQU 0

.data
    message db 'Hello, World!', 0

.code
main PROC
    push MB_OK
    push offset message
    push offset message
    push NULL
    call MessageBoxA

    push 0
    call ExitProcess
main ENDP

end main

After the assembly file is written, we need to assemble the assembly before linking.

ml /c /coff /Fo"main.obj" "main.asm"

Next, we just need to link – but with a number of options (command switches).

link /SUBSYSTEM:WINDOWS /RELEASE /ALIGN:16 /OPT:REF /OPT:ICF /INCREMENTAL:NO /FUNCTIONPADMIN /MERGE:.rdata=.text /DEBUG:NONE /EMITPOGOPHASEINFO main.obj Kernel32.Lib User32.Lib

All of this will result in a fairly optimized and minimal executable, created by the Microsoft Visual Studio tools and Windows SDK.

The switch to remove debug information, /DEBUG:NONE /EMITPOGOPHASEINFO, is seemingly not documented.

To minimize the size of sections, for instance, .text and .data, the /ALIGN switch can be used with values set as powers of two.

All of this will result in a fairly optimized and minimal executable, created by the Microsoft Visual Studio tools and Windows SDK.

It also seems possible to generate smaller binaries based on the VS version used, the same file generated with VS 2017 is 850 bytes versus 1.1k bytes in VS 2022. The reasons for which, would need exploring further and any compatibility implications across windows versions.

You can also generate a pure C based executable too.

.386
.MODEL FLAT, STDCALL

;includelib ucrt.lib
;includelib legacy_stdio_definitions.lib

EXTERN printf: PROC

.data
    fmtStr db 'Foo bar baz', 0

.code
main PROC
    push offset fmtStr  ; Push the address of the format string onto the stack
    call printf         ; Call printf
    add esp, 4          ; Clean up the stack (4 bytes for 32-bit address)
    ret
main ENDP

END main

You can uncomment the library includes or pass them at the command line to the linker.

ml /c /coff /Fo"test1.obj" "test1.asm"
link /SUBSYSTEM:CONSOLE /RELEASE test1.obj ucrt.lib legacy_stdio_definitions.lib

If we actually disassemble the final executable in IDA. We will observe multiple subroutine calls leading to a call to __stdio_common_vfprintf; whereas we would naturally expect a call to printf.

This is due to the way modern C runtimes are implemented and the printf function being more complex than it appears. When we call it, the function must handle various format specifiers, width, precision, flags, and different types of arguments (integers, floats, strings, etc.) – which often requires a layered design for efficient and reusable code.

Articles

Detecting When Processes Start on Windows to Check Legitimacy

ByAdmin November 15, 2023November 15, 2023

It is useful to be able to monitor and detect when new processes start on Windows in real-time. This allows us to scan their memory or perform other checks to ensure they are legitimate or to identify potential malware. The most straightforward method is to poll the list of running processes and identify new ones…

Articles

Modifying a Binary via Powershell

ByAdmin December 21, 2023March 7, 2024

Creating or modifying a binary files in PowerShell can be done using various methods. One common approach is to use the Set-Content cmdlet along with a byte array. This approach is useful for creating or modifying binary files directly from PowerShell, especially when dealing with small files or when you need to automate the process…

Articles

Mastering Function Interception with Microsoft Detours

ByAdmin August 23, 2024August 23, 2024

Microsoft Detours is a library for intercepting, monitoring, and extending the functionality of binary functions on Windows. This guide dives deep into how you can leverage Detours for advanced software development, with numerous code snippets to illustrate key concepts. Introduction to Microsoft Detours Detours allows developers to insert custom code into existing functions without modifying…

Articles

Inter-Service Communication in Windows Services

ByAdmin June 9, 2024June 13, 2024

In modern software systems, particularly those running on Windows, it is crucial for various services operating in the background to communicate with each other. This necessity is heightened in complex software systems where different services are responsible for distinct aspects of the system’s functionality. Scenarios Modular Design In a modularly designed system, distinct services handle…

Articles

Deep Dive into Exploit Kits

ByAdmin November 15, 2023June 15, 2024

Exploit kits in cybersecurity are software packages designed to identify and exploit security vulnerabilities in systems and software. These kits actively scan for vulnerabilities in a user’s system, such as outdated software, unpatched security vulnerabilities, or poor configuration. What are Exploit Kits? Exploit kits are typically automated, allowing cyber-criminals to easily and effectively target a…

Articles

C2 Havoc: A Command and Control Framework

ByAdmin November 16, 2023November 16, 2023

C2 Havoc is primarily a command and control (C2) framework rather than a Remote Access Trojan (RAT). It is used mostly to manage compromised systems during cyber operations. And, more about coordinating and directing the activities of already compromised systems. C2 Havoc, in particular, is noted for its capabilities in post-exploitation scenarios, allowing attackers to…

Similar Posts