Hello,

in the wide documentation about PE format, i saw that a lot of sizes in the header, needs to be a multiple of file/section alignment. i tried to set the alignment to half - but i got in one file "not valid win32 app", and in another file - some dll was not able to be loaded...

any ideas on why is this happend?

10X

when u change the section allineament, you must change the reloc of all the section like .text .data, you try to usa cff to do these easy wark: ht*p://pmode.net

the file has no relocations at all, (btw - why is that important? ).

PEditor added some "edited by PEditor" right on the file's import table...

anyway - just pay attantion if strange thigs happend when working with PEditor (although it is a vey cool tool).

Hi, if I remember correctly PEditor (v1.7, the old one) added its imprint into what it thought was the end of the PE header, but yeah sometimes it would overwrite something important in non-standard files.

I don't think LordPE Deluxe does this though, so you might want to update...

A Google search for "NT"+"PE"+"file alignment" reveals on the first hit a very useful information concerning PE files and file alignment. (Fetch it from the Google cache and I recommend you save it since it has since 404'd... and study it well).

According to that page, NT has a minimum file alignment of 512 bytes while 9x should accept any value down to 1. Section alignment for NT can be a minimum of 16 while on 9x it is 4096.

Very useful information. If anybody requests it I can upload the raw text of the page.

Scuse me, i didn't clean, when you change the section file alignment, you also must realign all the file, also section headers in this way:
raw size of all sections must be multiple of file alignment and virtual size must be a multiple of section alignment.
To repair the file, you can download this software: h*tp://pmode.net/CFF.php, and use the rebuilder with options: realign file and rebuild pe header

In addition,remember to correct SizeofHeaders and SizeofImage too.

sincerely yours

why should i change the SizeOfHeaders?

any way - all of the relations to file/section alignmet are about being a multiple of the size. when i change it - i'm changing it to be half of the original. but when i tried to change it from 1000h to 800h, i got "not valid win32 app" msg.

btw - i have checked some files randomly, and saw that the section alignment is allways 1000h. is this allways that way?

You'll probably cause more trouble than anything else if you mess with the 'Section Alignment'. This won't reduce the size of your file at all, just alters the memory it'll take up in its virtual image (not sure if you are already aware of this).
I have no evidence for this claim but I believe that NT will refuse to load any PE that does'nt have its 'Section Alignment' set to 1000h. Certainly I've never seen anything else used.

The PE Header specifies the size of each section down to the nearest byte, but in the disk image they are padded up to the nearest 'File Alignment'. Hence if you alter the value of 'File Alignment' you'll probably misalign your file (as it thinks the file sections are split at points where they aren't actually). Like everyone's saying, your easiest option is to use a PE editor to rebuild the sections for you.

For example, using LordPE's 'Rebuild PE' will get you all the levels of alignment you should ever really need. Set the options to

Realign file: 'Hardcore' (or 'Nice')
Don't check 'Dumpfix' 'cause I've never seen it do anything useful.
Check 'Validate PE' (because sometimes it screws up the file if you don't)
Leave everything else unchecked

and just throw your exe at the Rebuild tool. Job done.

Unfortunately, Google cache apparently has dropped the content by now, so it would be great if you could upload the text Thanks in advance

it worked perfectly here just a moment ago. The search, using:

"NT"+"PE"+"file alignment" (with the quote marks)

produced, as the first listed hit:

The world’s smallest PE Executable by Jonathan Clark

The "cached" link worked perfectly here. It is:

http://66.102.7.104/search?q=cache:EGMa526gJakJ:jonathanclark.com/diary.php%3Fbody%3Dsmallest_pe+%22NT%22%2B%22PE%22%2B%22file+alignment%22&hl=en

Regards,

this may be even better...
here is the whole web site

http://web.archive.org/web/20040204145636/jonathanclark.com/diary.php?body=smallest_pe

By the way, it seems that the smallest PE up to now (without hardcoded address for the imported MessageBoxA) is 153 bytes, from russian Server2000
(tested on XP SP1)
Regards, bilbo

Bilbo,

That smallest PE file doesn't run on W2K SP4, because there's only "user32" in the file and not "user32.dll" as W2K requires...

On the subject of small things... http://www.256b.com/

CoDe_InSiDe,
it's a pity it doesn't run on W2K...
but if the problem is only in what you said, could you please try this new one?
IMPORTANT: In this variant the import is performed by ORDINAL, not by name, and maybe on win2k the ordinals are different. So you need to DUMPBIN the exports from USER32.DLL, find the Ordinal corresponding to MessageBoxA, and patch it at offset 8C of the executable. For WinXP: ordinal 477 => DD 01 at offset 8C

Silver,
it's a pity the site is gone...
but only temporarily I hope...

Best regards, bilbo

Bilbo,

I've tried this new mini file and first it didn't work.
But it appears the ordinal is different on W2K -> MessageBoxA = Ordinal 452 (C401), if I change that at 0000008C then the file works

That tiny PE doesn't work on Win98 either... just PF'd the kernel.