Dailydave mailing list archives
Re: tiny PE now at... 304 bytes. Is this the end?
From: "Dave Korn" <dave.korn () artimi com>
Date: Mon, 23 Oct 2006 14:48:22 +0100
On 21 October 2006 00:35, BobCat wrote:
> On 10/20/06, Dave Korn <dave.korn () artimi com> wrote:
>> It may be two bytes, but all it does is raise an exception. That's not
>> "grabbing a file from the internet and executing it".
>
> I think it does actually get executed. That was the only spec. Not that it
> does anything useful...
No, you need to re-read the thread... the spec was more than that:

"The challenge was to create a PE that downloads a file from the Internet and executes it, which will be smaller than what his friends did. He got to 411 bytes."

Still, as long as we're going for utterly minimal programs, based on the old 16-bit .com format, that don't even have to do anything, I can beat you by 50%, trivially:

  Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.

  C:\Documents and Settings\dk>dir foo.exe
   Volume in drive C has no label.
   Volume Serial Number is 5C59-B377

   Directory of C:\Documents and Settings\dk

  23/10/2006  14:42                 1 foo.exe
                 1 File(s)              1 bytes
                 0 Dir(s)   6,313,840,640 bytes free

  C:\Documents and Settings\dk>od -t x1 foo.exe
  0000000 c3
  0000001

  C:\Documents and Settings\dk>.\foo.exe

  C:\DOCUME~1\dk>debug foo.exe
  -u 100 100
  0D3B:0100 C3            RET
  -g

  Program terminated normally
  -q

  C:\DOCUME~1\dk>

Hey, my one doesn't even crash like yours does! :)

However, you have raised a good point: the small downloader exe could probably be squeezed even more if it was put in a .com format rather than a .exe; the space saved on headers would be easily enough for a shellcode to look up loadlibrary and getprocaddress, but it depends what restrictions there are that I don't know about on 16-bit apps.
>> OTOH, what does "NTVDM does not support a ROM BASIC" mean? Sounds interesting...
>
> The program is just INT 18
> http://lrs.uni-passau.de/support/doc/interrupt-57/RB-2177.HTM
> and there's no reason for a virtual ROM BASIC, so it's not there. Try that
> program on a 386 under OS/2 2.0 and the BIOS reports "NO ROM BASIC" in big
> block letters (in a window), which is what you saw if you did not have a
> boot device. Usually, that is - many systems behaved this way back then. I
> never tried it on a machine with ROM BASIC, which I think only the IBM PC
> and XT had.
Oh, blimey, it's a hangover from the old PCjr! I remember those things! (IIRC the PCjr was the only one that had rom basic, the standard AT/XT models didn't).
> I wrote a 6 (iirc) byte program that under OS/2 would open a window with
> the BIOS setup running in it. Can't find it atm.
Now you're getting really obscure!

    cheers,
      DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
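The reason Dave's one-byte foo.exe runs at all is the loader's signature check: Windows treats a file as a PE only if it starts with "MZ" and the DWORD at offset 0x3C (e_lfanew) points at "PE\0\0"; a file with no MZ signature is handed to NTVDM, which loads the raw bytes at CS:0100h as a headerless .COM image, exactly as the debug session above shows. The following script is an added example, not code from the thread or from any of its participants: it classifies an image the way those checks do and pulls the Machine and NumberOfSections fields out of a PE's IMAGE_FILE_HEADER. The sample images it builds (the two tiny .COM programs from the thread, a bare MZ header, and a hand-made MZ+PE stub) are constructed inline for illustration and are not the 304-byte PE under discussion; the function names are this example's own.

```python
"""Classify a DOS/Windows image by header, as the loader does.

Added example for the Dailydave "tiny PE" thread; the sample images are
constructed here and are not anyone's real binary.
"""
import struct

MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C            # DWORD in the DOS header pointing at "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C


def classify_image(data: bytes) -> str:
    """Return "COM", "MZ" or "PE" the way a DOS/Win32 loader would see the file.

    - No "MZ" at offset 0: the Win32 loader rejects it as a PE and (on XP)
      the file goes to NTVDM, which loads the bytes verbatim at CS:0100h as a
      headerless .COM image.  This is why a 1-byte foo.exe holding C3 (RET)
      runs at all.
    - "MZ" but e_lfanew does not land on "PE\0\0": a plain DOS .EXE.
    - "MZ" and "PE\0\0" where e_lfanew points: a PE.
    """
    if data[:2] != MZ_SIGNATURE:
        return "COM"
    if len(data) < E_LFANEW_OFFSET + 4:
        return "MZ"                  # too short even to hold e_lfanew
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "PE"
    return "MZ"


def pe_file_header(data: bytes):
    """For a PE, return (Machine, NumberOfSections) from IMAGE_FILE_HEADER,
    which immediately follows the 4-byte PE signature; None otherwise."""
    if classify_image(data) != "PE":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    hdr = e_lfanew + 4
    if hdr + 20 > len(data):
        return None                  # signature present, file header truncated
    machine, nsections = struct.unpack_from("<HH", data, hdr)
    return machine, nsections


def build_sample_images() -> dict:
    """Constructed inputs: the two tiny .COM programs from the thread plus two
    hand-built headers (a bare MZ header and a minimal MZ+PE stub)."""
    com_ret = b"\xc3"                # Dave's 1-byte program: RET
    com_int18 = b"\xcd\x18"          # BobCat's 2-byte program: INT 18h

    # Bare DOS header: e_lfanew = 0 points back at "MZ", so no PE signature.
    dos_only = bytearray(0x40)
    dos_only[:2] = MZ_SIGNATURE
    struct.pack_into("<I", dos_only, E_LFANEW_OFFSET, 0)

    # Minimal MZ + PE skeleton: DOS header, then "PE\0\0" and a 20-byte
    # IMAGE_FILE_HEADER saying "i386, one section".  Not loadable (no optional
    # header, no section table), just enough to exercise the classifier.
    pe_stub = bytearray(0x40 + 4 + 20)
    pe_stub[:2] = MZ_SIGNATURE
    struct.pack_into("<I", pe_stub, E_LFANEW_OFFSET, 0x40)
    pe_stub[0x40:0x44] = PE_SIGNATURE
    struct.pack_into("<HH", pe_stub, 0x44, IMAGE_FILE_MACHINE_I386, 1)

    return {"com_ret": com_ret, "com_int18": com_int18,
            "dos_only": bytes(dos_only), "pe_stub": bytes(pe_stub)}


if __name__ == "__main__":
    for name, img in build_sample_images().items():
        print(f"{name:10} {len(img):3d} bytes  {classify_image(img):3}  "
              f"{pe_file_header(img)}")
```

Nothing in the check requires the DOS and PE headers to be disjoint, which is what the tiny-PE competition exploits: a small e_lfanew lets the PE header overlap the DOS header, so the bytes the loader never reads can be reused. The 1- and 2-byte .COM programs sidestep the header cost entirely, at the price of running as 16-bit code under NTVDM rather than as Win32 code.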
Current thread:
- tiny PE now at... 304 bytes. Is this the end? Gadi Evron (Oct 20)
- Re: tiny PE now at... 304 bytes. Is this the end? BobCat (Oct 20)
- Re: tiny PE now at... 304 bytes. Is this the end? Dave Korn (Oct 23)
- Re: tiny PE now at... 304 bytes. Is this the end? BobCat (Oct 23)
- Re: tiny PE now at... 304 bytes. Is this the end? Dave Korn (Oct 23)
- Re: tiny PE now at... 304 bytes. Is this the end? Dave Korn (Oct 23)
- Re: tiny PE now at... 304 bytes. Is this the end? BobCat (Oct 20)
- Re: tiny PE now at... 304 bytes. Is this the end? Alexander Sotirov (Oct 20)
- Re: tiny PE now at... 304 bytes. Is this the end? Gadi Evron (Oct 23)