{"id":19054842,"url":"https://github.com/zhuagenborn/windows-tiny-pe","last_synced_at":"2026-05-13T20:31:47.540Z","repository":{"id":115570265,"uuid":"442801031","full_name":"Zhuagenborn/Windows-Tiny-PE","owner":"Zhuagenborn","description":"🗜️ A 208-byte, manually created tiny Windows x86 PE file that can run on Windows XP and pop up a message box.（手动创建的微型Windows x86可执行文件，仅为208字节，可以在Windows XP运行并弹出消息框。）","archived":false,"fork":false,"pushed_at":"2024-02-06T13:20:18.000Z","size":5,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T02:25:53.334Z","etag":null,"topics":["pe","reverse-engineering","windows"],"latest_commit_sha":null,"homepage":"","language":"Assembly","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Zhuagenborn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-12-29T14:41:16.000Z","updated_at":"2025-03-30T03:29:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"da0a0a2e-0c24-40c2-a6ee-b38723ed49c7","html_url":"https://github.com/Zhuagenborn/Windows-Tiny-PE","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Zhuagenborn/Windows-Tiny-PE","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zhuagenborn%2FWindows-Tiny-PE","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zhuagenborn%2FWindows-Tiny-PE/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zhuagenborn%2FWindows-Tiny-PE/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zhuagenborn%2FWindows-Tiny-PE/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Zhuagenborn","download_url":"https://codeload.github.com/Zhuagenborn/Windows-Tiny-PE/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zhuagenborn%2FWindows-Tiny-PE/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32999188,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-13T13:14:54.681Z","status":"ssl_error","status_checked_at":"2026-05-13T13:14:51.610Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pe","reverse-engineering","windows"],"created_at":"2024-11-08T23:39:58.244Z","updated_at":"2026-05-13T20:31:47.524Z","avatar_url":"https://github.com/Zhuagenborn.png","language":"Assembly","funding_links":[],"categories":[],"sub_categories":[],"readme":"# *Windows* Tiny PE\n\n[![Windows](badges/Microsoft-Windows.svg)](https://www.microsoft.com/en-ie/windows)\n![License](badges/License-MIT.svg)\n\n## Introduction\n\nA manually created tiny **Windows x86 PE** file that can run on *Windows XP* and pop up a message box. It is only **208** bytes.\n\n```\n4D 5A 50 50 50 50 FF 15 B0 00 40 00 50 45 00 00\n4C 01 01 00 AA AA AA AA AA AA AA AA AA AA AA AA\n70 00 0F 01 0B 01 01 00 4D 65 73 73 61 67 65 42\n6F 78 41 00 02 00 00 00 AA AA AA AA 0C 00 00 00\n00 00 40 00 04 00 00 00 04 00 00 00 AA AA AA AA\nAA AA AA AA 04 00 AA AA 00 00 00 00 D0 00 00 00\nBC 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n02 00 00 00 75 73 65 72 33 32 00 00 BC 00 00 00\n00 00 00 00 BB BB BB BB BB BB BB BB D0 00 00 00\n00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00\n26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n00 00 00 00 00 00 00 00 84 00 00 00 B0 00 00 00\n```\n\n## Detailed Design\n\n### MS-DOS Header\n\nThe `IMAGE_DOS_HEADER` structure is located from `0x00` to `0x3F`.\n\n```c\ntypedef struct _IMAGE_DOS_HEADER {\n    WORD   e_magic;\n    WORD   e_cblp;\n    WORD   e_cp;\n    WORD   e_crlc;\n    WORD   e_cparhdr;\n    WORD   e_minalloc;\n    WORD   e_maxalloc;\n    WORD   e_ss;\n    WORD   e_sp;\n    WORD   e_csum;\n    WORD   e_ip;\n    WORD   e_cs;\n    WORD   e_lfarlc;\n    WORD   e_ovno;\n    WORD   e_res[4];\n    WORD   e_oemid;\n    WORD   e_oeminfo;\n    WORD   e_res2[10];\n    LONG   e_lfanew;\n  } IMAGE_DOS_HEADER;\n```\n\n```\n4D 5A 50 50 50 50 FF 15 B0 00 40 00 50 45 00 00\n4C 01 01 00 AA AA AA AA AA AA AA AA AA AA AA AA\n70 00 0F 01 0B 01 01 00 4D 65 73 73 61 67 65 42\n6F 78 41 00 02 00 00 00 AA AA AA AA 0C 00 00 00\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\n`e_lfanew` (`0x3C`) is `0x0000000C`. It is an offset where *PE Header* is placed.\n\n### PE Header\n\n*PE Header* is an `IMAGE_NT_HEADERS` structure consisting of a PE signature, an `IMAGE_FILE_HEADER` structure and an `IMAGE_OPTIONAL_HEADER` structure.\n\n```c\ntypedef struct _IMAGE_NT_HEADERS {\n    DWORD Signature;\n    IMAGE_FILE_HEADER FileHeader;\n    IMAGE_OPTIONAL_HEADER32 OptionalHeader;\n} IMAGE_NT_HEADERS32;\n```\n\n#### Signature\n\nThe PE signature `\"PE\\0\\0\"` is at `0x0C`.\n\n```\n.. .. .. .. .. .. .. .. .. .. .. .. 50 45 00 00\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\n#### COFF File Header\n\nThe `IMAGE_FILE_HEADER` structure is located from `0x10` to `0x23`.\n\n```c\ntypedef struct _IMAGE_FILE_HEADER {\n    WORD    Machine;\n    WORD    NumberOfSections;\n    DWORD   TimeDateStamp;\n    DWORD   PointerToSymbolTable;\n    DWORD   NumberOfSymbols;\n    WORD    SizeOfOptionalHeader;\n    WORD    Characteristics;\n} IMAGE_FILE_HEADER;\n```\n\n```\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n4C 01 01 00 AA AA AA AA AA AA AA AA AA AA AA AA\n70 00 0F 01 .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\n- `NumberOfSections` (`0x12`) is `0x0001`, meaning there is only one section.\n- `SizeOfOptionalHeader` (`0x20`) is `0x0070`. It is the size of the following `IMAGE_OPTIONAL_HEADER` structure.\n\n#### Optional Header\n\nThe `IMAGE_OPTIONAL_HEADER` structure is located from `0x24` to `0x93`.\n\n```c\ntypedef struct _IMAGE_OPTIONAL_HEADER {\n    WORD    Magic;\n    BYTE    MajorLinkerVersion;\n    BYTE    MinorLinkerVersion;\n    DWORD   SizeOfCode;\n    DWORD   SizeOfInitializedData;\n    DWORD   SizeOfUninitializedData;\n    DWORD   AddressOfEntryPoint;\n    DWORD   BaseOfCode;\n    DWORD   BaseOfData;\n    DWORD   ImageBase;\n    DWORD   SectionAlignment;\n    DWORD   FileAlignment;\n    WORD    MajorOperatingSystemVersion;\n    WORD    MinorOperatingSystemVersion;\n    WORD    MajorImageVersion;\n    WORD    MinorImageVersion;\n    WORD    MajorSubsystemVersion;\n    WORD    MinorSubsystemVersion;\n    DWORD   Win32VersionValue;\n    DWORD   SizeOfImage;\n    DWORD   SizeOfHeaders;\n    DWORD   CheckSum;\n    WORD    Subsystem;\n    WORD    DllCharacteristics;\n    DWORD   SizeOfStackReserve;\n    DWORD   SizeOfStackCommit;\n    DWORD   SizeOfHeapReserve;\n    DWORD   SizeOfHeapCommit;\n    DWORD   LoaderFlags;\n    DWORD   NumberOfRvaAndSizes;\n    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];\n} IMAGE_OPTIONAL_HEADER32;\n```\n\n```\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. 0B 01 01 00 4D 65 73 73 61 67 65 42\n6F 78 41 00 02 00 00 00 AA AA AA AA 0C 00 00 00\n00 00 40 00 04 00 00 00 04 00 00 00 AA AA AA AA\nAA AA AA AA 04 00 AA AA 00 00 00 00 D0 00 00 00\nBC 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n02 00 00 00 75 73 65 72 33 32 00 00 BC 00 00 00\n00 00 00 00 .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\n- `ImageBase` (`0x40`) is `0x00400000`. It is a memory address where the file should be loaded at.\n- `AddressOfEntryPoint` (`0x34`) is `0x00000002`. It is the beginning offset of executable code.\n- `NumberOfRvaAndSizes` (`0x80`) is `0x00000002`, meaning there are two `IMAGE_DATA_DIRECTORY` structures. But in fact, only the data directory of *Import Table* is effective.\n\n### Import Table\n\n#### Data Directory\n\nThe `IMAGE_DATA_DIRECTORY` structure of *Import Table* is located from `0x8C` to `0x93`.\n\n```c\ntypedef struct _IMAGE_DATA_DIRECTORY {\n    DWORD   VirtualAddress;\n    DWORD   Size;\n} IMAGE_DATA_DIRECTORY;\n```\n\n```\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. BC 00 00 00\n00 00 00 00 .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\n`VirtualAddress` (`0x8C`) is `0x000000BC`. It is the offset of an array of `IMAGE_IMPORT_DESCRIPTOR` structures. Each `IMAGE_IMPORT_DESCRIPTOR` stores information about an import library. The array is terminated by an empty structure.\n\n#### Import Descriptor\n\nThere is only one `IMAGE_IMPORT_DESCRIPTOR` structure at `0xBC`.\n\n```c\ntypedef struct _IMAGE_IMPORT_DESCRIPTOR {\n    union {\n        DWORD   Characteristics;\n        DWORD   OriginalFirstThunk;\n    } DUMMYUNIONNAME;\n    DWORD   TimeDateStamp;\n    DWORD   ForwarderChain;\n    DWORD   Name;\n    DWORD   FirstThunk;\n} IMAGE_IMPORT_DESCRIPTOR;\n```\n\n```\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. 00 00 00 00\n00 00 00 00 00 00 00 00 84 00 00 00 B0 00 00 00\n```\n\n- `Name` (`0xC8`) is `0x00000084`. It is the offset of the library name.\n- `FirstThunk` (`0xCC`) is `0x000000B0`. It is the offset of an array of `IMAGE_THUNK_DATA` structures. Each `IMAGE_THUNK_DATA` stores information about an import function. The array is terminated by an empty structure.\n\nAt `0x84`, we can find the library name: `user32`.\n\n```\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. 75 73 65 72 33 32 00 .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\nAt `0xB0`, there is only one `IMAGE_THUNK_DATA` structure.\n\n```c\ntypedef struct _IMAGE_THUNK_DATA32 {\n    union {\n        DWORD ForwarderString;\n        DWORD Function;\n        DWORD Ordinal;\n        DWORD AddressOfData;\n    } u1;\n} IMAGE_THUNK_DATA32;\n```\n\n```\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n26 00 00 00 .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\nThis function is imported by its name, corresponding to an `IMAGE_IMPORT_BY_NAME` structure at `0x26`.\n\n```c\ntypedef struct _IMAGE_IMPORT_BY_NAME {\n    WORD   Hint;\n    CHAR   Name[1];\n} IMAGE_IMPORT_BY_NAME;\n```\n\n```\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. 01 00 4D 65 73 73 61 67 65 42\n6F 78 41 00 .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\nIts name is `MessageBoxA`.\n\n### Code\n\nAccording to `AddressOfEntryPoint` of `IMAGE_OPTIONAL_HEADER`, the executable code starts at `0x02` and ends at `0x0B`.\n\n```\n.. .. 50 50 50 50 FF 15 B0 00 40 00 .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..\n```\n\nThe assembly instructions are:\n\n```asm\npush    eax\npush    eax\npush    eax\npush    eax\ncall    MessageBoxA\n```\n\nThe destination of `call` is `0x004000B0`, which is the image base (`0x00400000`) plus the offset (`0xB0`) of `IMAGE_THUNK_DATA` for `MessageBoxA`. Its original data `0x00000026` will be replaced with the actual function address after the load is completed.\n\n## License\n\nDistributed under the *MIT License*. See `LICENSE` for more information.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzhuagenborn%2Fwindows-tiny-pe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzhuagenborn%2Fwindows-tiny-pe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzhuagenborn%2Fwindows-tiny-pe/lists"}