Hi all,

What's the minimum indispensible PE stuff that a Windows 2000 and XP needs?

Greets,
Maverick
Posted on 2002-02-02 17:00:12 by Maverick
Think it is 1024 bytes. I am not sure!!!
Posted on 2002-02-02 19:12:25 by CodeLover
Maverick,

1024 bytes is correct, the minimum is 2 sections for the file to be a standard PE file. There have been a few versions that are smaller by fiddling or removing the DOS header but they will not run on all versions of 32 bit windows.

Regards,

hutch@movsd.com
Posted on 2002-02-02 19:24:35 by hutch--
The above is true, but in reality you'll rarely see a windows PE smaller than 2 - 2.5K. Most win progs have the header section, an import section, at least 1 data section, a code section, and maybe a resource section. If you can keep each section smaller than 512 bytes, not an easy task for anything beyond a hello world program, you end up with 4 or 5 X 512. My starter skeleton, with not much more than a small menu, toolbar with tips, a simple dialog, and a couple of message boxes, clocks in at 6.5K.

You can use the /FILEALIGN:512 link option to shrink your PE. Don't mess with the /ALIGN option. Anything less than 4096 will cause windows to bitch when it tries to load the file. Win manages memory in 4K pages, and needs to align each section on a page boundary when it loads the .EXE.

PS - So my 6.5K starter, with 5 sections, all less than 4K each, takes 20K of memory to load. A 1K PE with 2 sections would take 8K. Not that this has anything to do with the original question... ... ...

:)
Posted on 2002-02-03 03:54:22 by S/390
Hi All,
Thanks for all your replies.

I won't use any linker (since it's me that have to code a linker for my own compiler), what I really need is to know what is the smallest (and what to stuff in) PE that will run without problems in Windows 2000 and XP (maybe possibly also NT).
F0dder said that we *must* import at least from KERNEL32 to not get an error. So be it. What else?

Can anybody be so nice to post here a PE EXE with a dos stub and the *very* minimum (that unfortunately means LoadLibraryA and GetProcAddress) import from KERNEL32 to have it loaded? Of course, just one section, etc..

Greets,
Maverick
Posted on 2002-02-03 04:36:32 by Maverick
PS: it has to work also on Windows9x of course.

Thank You!
Posted on 2002-02-03 04:40:10 by Maverick
It would be educational to look in the Bonus archive of Hugi 24:
http://www.hugi.de/main.php?page=hugi24
Posted on 2002-02-03 10:54:47 by bitRAKE
You need at least one section. And no, you don't need 2 sections
to have a "standard" PE executable.

Set importdirectory RVA/Size to correct values.
Be *sure* that SizeOfImage is correct.
Some people claim that section.VirtualSize is not important. This is wrong.
section.RawSize does not have to be FileAlign rounded, but the actual amount of bytes in the section (on disk) must.
FileAlign must be a power of two, and at least 512 bytes.
MemAlign must be a power of two, and at least 4096. And I wouldn't set it to anything but 4096.
Base/SizeOfCode/Data/BSS are not used.
subsystem version are important.

If you set resource directory RVA/Size, be sure that it points to valid data.
Under win2k you can set it to <whatever> and fix up runtime, but
this fails miserably under 9x (one of the few situations where 9x
seems to do more strict checking than NT based OSes :P).

...
there's more stuff as well, but this is some initial stuff.
Posted on 2002-02-03 16:06:41 by f0dder
hmmm,

MZ header needs to be 128 bytes to run on all windows versions, then there is the PE header and section data. Merge the .text and .rcdata sections and voila, 1024 bytes.

If a file does not run on all windows versions, is it a PE file ? I have seen a number of files that will run on one windows version or another, either by removing the MZ header or writing a custom one that is smaller than 128 bytes and you can on some versions compact the trailing space but these types of files will not run on all versions.

Regards,

hutch@movsd.com
Posted on 2002-02-03 16:48:32 by hutch--

If a file does not run on all windows versions, is it a PE file?

Yeah... it's a PE file... but it sucks then ;).
Posted on 2002-02-03 16:58:42 by f0dder
f0dder,

perhaps you have an unusual idea about what a "Portable executable" is when its not portable across different windows versions and it does not execute on some of them. :tongue:

Regards,

hutch@movsd.com
Posted on 2002-02-03 17:03:51 by hutch--
Well... I think the "portable" in PE refers to the fact that it can be
used on different architectures, not necessarily that one PE file runs
on all archs. I'd like to see a win64 or alpha PE run on a IA32 box :P.

To me, a PE file is... well, a file that has the PE structure. The official
documents do not give enough information on which fields are
required and which are totally ignored. Thus you can't *really* say
it's not a PE file if it doesn't run on <whatever>.

I do think PEs that don't run on all win32 platforms are stupid. Of
course it's fun to create them and see just how small you can get
them, but some people seem to think that *every* byte counts... and
do not realize that FileAlign!=4096 is bad, that section combining
is bad, and that executable compression is bad, and want to use these
techniques on all their executables.
Posted on 2002-02-03 17:11:27 by f0dder
Well,

I wonder if the format on modified PE files is so local to any particular version of windows that it does not run on another that it conforms to ANY form of portable. Maybe "portable" in this context means portable across the local disk drive on the computer where the file actually runs ?

As far as section combining and compression, unless your code is so large that it needs 16k alignment to try and pick up some speed to make up for its other performace losses, I have yet to see a problem with either.

It may not be "theologically pure" but it works well, is reliable and runs on all versions of windows.

Regards,

hutch@movsd.com
Posted on 2002-02-03 17:23:20 by hutch--
a little offtopic but, if your program isn't to cpomplex, you could use NE(if i remember) and shrink exe up to 250 bytes(im not sure...)....
Posted on 2002-02-04 03:09:46 by me8
Hmm, NE was used for win16 programs... I'm not too familiar with
the format, but I doubt you can stuff 32bit code in there :).
Posted on 2002-02-04 09:26:53 by f0dder
Please, can anybody post a *minimum size* Windows9x/2000/XP compatible EXE which does just a RET, and imports only KERNEL32's LoadLibrary and GetProcAddress?

I need to analyze its PE.

Greets,
Maverick
Posted on 2002-03-03 09:36:25 by Maverick
i.e. only one section, etc.. just the really very very very minimum. All the linkers I tryed produce also the .data section. :(
Posted on 2002-03-03 09:36:58 by Maverick
With the ms linker you can use /MERGE to collapse all the sections.
Don't forget using /SECTION:<whatever>,rwe to make your section
read/write/execute.
Posted on 2002-03-03 13:12:23 by f0dder
Yes,

Both NE and LE are Microsoft designed 16 bit formats for win 3.0/11 and do not have the capacity to handle 32 bit flat memory model code.

PE files were "ported" to the format used by 32 bit windows by the VAX guys who Microsoft hired to assist in building 32 bit windows.

Regards,

hutch@movsd.com
Posted on 2002-03-03 14:55:40 by hutch--
LE will work fine for 32bit flat code, it's just that there's no windows
loader for it (outside the VxD loader). LE is a pretty flexible format,
it can mix 16 and 32bit code. It supports DLLs. It's also the default
format used by the 32bit dos-extended watcom tools.
Posted on 2002-03-03 15:07:07 by f0dder