PE Smallest Executable

You are here:

Home
Tutorial
PE Smallest Executable

code

Recently I faced a problem in my devs. I needed an executable that does nothing, but the smallest as possible (to include it in a shellcode). Here’s the C++ code:

#include windows.h
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    return 0;
}

Nothing complicated.
I followed this tutorial to reduce the size of the PE : http://thelegendofrandom.com/blog/archives/2231
And it led to a tiny PE (1kb). But not enough for me.

Then I followed a tutorial (link is down)
and took this reference poster : http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf
Updated here: http://blog.dkbza.org/2012/08/pe-file-format-graphs.html

I removed lots of null bytes, and modified the parameters to adjust both size and section offset. To finish, I’ve loaded the PE into OllyDbg and modified the Entry point (which was not at the good place).

My PE is now 500 bytes, and fully functional.
Here’s a schematic of the final PE structure. It can help to understand how a PE is structured.

Links

Category: TutorialBy tigzy January 31, 2014

1499 views

Tags: payload pe portable executable research tutorial

Author: tigzy

Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.