Cogs and Levers A blog full of technical stuff

MZ EXE files

28 Mar 2015

Executable files in MS-DOS come in a few different formats. The original 16-bit version of this file format is referred to as the DOS MZ Executable.

In today’s post, we’re going to dissect the internals of this format.

MZ

This particular gets its name “MZ” due to the first two bytes of the file 0x4d and 0x5a. Translated to ASCII text, these two bytes form the characters “MZ”. This is the opening signature (or magic number) for a file of this format.

The header

The first chunk of an EXE file is the header information. It stores relocation information important to the execution of the file. A few important notes when reading the header:

  • All values spanning more than one byte are stored LSB first
  • A block is 512 bytes in size
  • A paragraph is 16 bytes in size
Offset Description
0x00-0x01 The values 0x4d and 0x5a translating to the ASCII string “MZ”. This is the magic number for the file
0x02-0x03 The number of bytes used in the last block of the EXE. A zero value indicates that the whole block is used
0x04-0x05 The number of blocks that form part of the EXE
0x06-0x07 The number of relocation entries. These are stored after the header
0x08-0x09 The number of paragraphs in the header
0x0A-0x0B The number of paragraphs required for uninitialized data
0x0C-0x0D The number of paragraphs of additional memory to constrain this EXE to
0x0E-0x0F Relative value for the SS register
0x10-0x11 Initial SP register value
0x12-0x13 Word checksum
0x14-0x15 Initial IP register value
0x16-0x17 Relative value for the CS register
0x18-0x19 Offset of the first relocation item
0x1A-0x1B Overlay number

An example

Take the following “Hello, world” program written in x86 assembly language:

section .text

start:

  mov   ax, seg hello
  mov   ds, ax

  mov   dx, hello
  mov   ah, 09h
  int   21h

  mov   ah, 4ch
  xor   al, al
  int   21h

section .data

  hello db 'Hello, world!', 13, 10, '$'

I assembled this file with NASM:

$ nasm -f obj hello2.asm -o hello2.obj

I then transferred the resulting obj file from my linux machine over to a dos machine and ran TLINK which was part of the Turbo Assembler product.

> tlink hello2.obj

Once we’ve assembled and linked this file to produce a 16-bit dos executable, we can pull it apart again with objdump.

$ objdump -s -D -b binary -mi8086 HELLO2.EXE

The output of this dump is quite detailed. I’ve removed a fair bit of it for brevity:

HELLO2.EXE:     file format binary

Contents of section .data:
 0000 4d5a2200 02000100 20000000 ffff0000  MZ"..... .......
 0010 00000000 00000000 3e000000 0100fb50  ........>......P
 0020 6a720000 00000000 00000000 00000000  jr..............
 0030 00000000 00000000 00000000 00000100  ................
 0040 00000000 00000000 00000000 00000000  ................   
  . . .
  . . .

 0200 b801008e d8ba0200 b409cd21 b44c30c0  ...........!.L0.
 0210 cd214865 6c6c6f2c 20776f72 6c64210d  .!Hello, world!.
 0220 0a24                                 .$              

Disassembly of section .data:

00000000 <.data>:
   0: 4d                    dec    %bp
   1: 5a                    pop    %dx
   2: 22 00                 and    (%bx,%si),%al
   4: 02 00                 add    (%bx,%si),%al
   6: 01 00                 add    %ax,(%bx,%si)
   8: 20 00                 and    %al,(%bx,%si)
   a: 00 00                 add    %al,(%bx,%si)
   c: ff                    (bad)  
   d: ff 00                 incw   (%bx,%si)
  ...
  17: 00 3e 00 00           add    %bh,0x0
  1b: 00 01                 add    %al,(%bx,%di)
  1d: 00 fb                 add    %bh,%bl
  1f: 50                    push   %ax
  20: 6a 72                 push   $0x72
  ...
  3e: 01 00                 add    %ax,(%bx,%si)
  ...
 200: b8 01 00              mov    $0x1,%ax
 203: 8e d8                 mov    %ax,%ds
 205: ba 02 00              mov    $0x2,%dx
 208: b4 09                 mov    $0x9,%ah
 20a: cd 21                 int    $0x21
 20c: b4 4c                 mov    $0x4c,%ah
 20e: 30 c0                 xor    %al,%al
 210: cd 21                 int    $0x21
 212: 48                    dec    %ax
 213: 65                    gs
 214: 6c                    insb   (%dx),%es:(%di)
 215: 6c                    insb   (%dx),%es:(%di)
 216: 6f                    outsw  %ds:(%si),(%dx)
 217: 2c 20                 sub    $0x20,%al
 219: 77 6f                 ja     0x28a
 21b: 72 6c                 jb     0x289
 21d: 64 21 0d              and    %cx,%fs:(%di)
 220: 0a 24                 or     (%si),%ah

Focusing on the top representation, we get a direct view of the values in the header.

0000 4d5a2200 02000100 20000000 ffff0000  MZ"..... .......
0010 00000000 00000000 3e000000 0100fb50  ........>......P
0020 6a720000 00000000 00000000 00000000  jr..............
0030 00000000 00000000 00000000 00000100  ................
0040 00000000 00000000 00000000 00000000  ................

(0x00-0x01) 4d5a

The first two bytes are indeed “MZ”, or 0x4d 0x5a. So we’ve got the correct signature.

(0x02-0x03) 2200

This is the number of bytes used in the last block of the EXE. Remember, we’ve got LSB first when we’re dealing with multi-byte values, so this is 0x22 bytes. If you take a look at the resulting code listing above, you’ll see that the code for the executable starts at address 0x200 and ends at 0x220. At the address of 0x220, 2 additional bytes are used.

This is our 0x22 bytes as it is the first, last and only block that we have!

(0x04-0x05) 0200

This is the number of blocks (remember: 512 bytes chunks) that comprise of our EXE. We have 2. Our header is using the first block, our code and data is in the second.

(0x06-0x07) 0100

We have 1 relocation item. A relocation item is just a 16-bit value for the offset followed by a 16-bit value for the segment.

(0x08-0x09) 2000

There are 0x20 paragraphs in the header.

0x20 = 32 (decimal)
paragraph size = 16 bytes

32 * 16 = 512 bytes

This calculates out. 512 bytes in the header. We can see that the file offset starts at 0x00. Code doesn’t appear until 0x200. 0x200 is 512 in decimal.

(0x0A-0x0B) 0000

Our program didn’t define any uninitialized data, only a pre-initialized string: “Hello, world”.

(0x0C-0x0D) ffff

This is the default mode of operation for memory constraints. It says, use everything (i.e. don’t place any constraint).

(0x0E-0x0F) 0000

No translation to the stack segment (SS) will go on here. This value gets added to the segment value of where the program was loaded at and that’s how SS is initialized. The program that we’ve written didn’t define a stack, so no translation required.

(0x10-0x11) 0000

SP’s initial value

(0x12-0x13) 0000

This is the word checksum. It’s seldom used.

(0x14-0x15) 0000

The instruction pointer will start at 0x0000.

(0x16-0x17) 0000

This value would adjust CS.

(0x18-0x19) 3e00

This is the address of the first relocation item in the file. If we take a look back at the dump now, we can see the value sat at that address:

0030 ________ ________ ________ ____0100  ................
0040 0000____ ________ ________ ________  ................

This takes the format of offset:segment here, so we’ve got 0000:0100. This will be used at execution time and will also influence the resulting stack segments and offsets.

(0x1A-0x1B) 0000

Overlay number. Zero indicates that this is the main program.

The rest

Everything from here looks pretty familiar. We can see our assembly code start off and our string defined at the end.

16 bit COM files

26 Mar 2015

COM files are plain binary executable file format from the MS-DOS era (and before!) that provide a very simple execution model.

The execution environment is given one 64kb segment to fit its code, stack and data segments into. This memory model is sometimes referred to as the “tiny” model.

In today’s post, we’re going to write a really simple program; compile it, disassemble it and dissect it. Here’s our program that very helpfully prints “Hello, world!” to the console and then exits.

ORG 100h

section .text

start:
	mov		dx, msg
	mov		ah, 09h
	int		21h

	ret

section .data

	msg DB 'Hello, world!', 13, 10, '$'

Nothing of great interest here. The only thing worth a mention is the ORG directive. This tells the assembler (and therefore the execution environment once executed) that our program starts at the offset 100h. There’s some more information regarding 16bit programs with nasm here.

nasm’s default output format is plain binary so, assembly is very simple:

$ nasm hello.asm -o hello.com

Running our program in dosbox and we’re given our prompt as promised. Taking a look at the binary on disk, it’s seriously small. 24 bytes small. We won’t have much to read when we dissassemble it!

Because this is a plain binary file, we need to give objdump a little help in how to present the information.

$ objdump -D -b binary -mi386 -Maddr16,data16 hello.com

The full output dump is as follows:

hello.com:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:	ba 08 01             	mov    $0x108,%dx
   3:	b4 09                	mov    $0x9,%ah
   5:	cd 21                	int    $0x21
   7:	c3                   	ret    
   8:	48                   	dec    %ax
   9:	65                   	gs
   a:	6c                   	insb   (%dx),%es:(%di)
   b:	6c                   	insb   (%dx),%es:(%di)
   c:	6f                   	outsw  %ds:(%si),(%dx)
   d:	2c 20                	sub    $0x20,%al
   f:	77 6f                	ja     0x80
  11:	72 6c                	jb     0x7f
  13:	64 21 0d             	and    %cx,%fs:(%di)
  16:	0a 24                	or     (%si),%ah

Instructions located from 0 through to 7 correspond directly to the assembly source code that we’ve written. After this point, the file is storing our string that we’re going to print which is why the assembly code looks a little chaotic.

Removing the jibberish assembly language, the bytes directly correspond to our string:

	"H"
   8:	48                   	
   	"e"
   9:	65                   	
   	"l"
   a:	6c                   	
   	"l"
   b:	6c                   	
   	"o"
   c:	6f                   	
   	", "
   d:	2c 20                	
   	"wo"
   f:	77 6f                	
   	"rl"
  11:	72 6c                	
  	"d!", 13
  13:	64 21 0d             	
  	10, "$"
  16:	0a 24

So, our string starts at address 8 but the first line of our assembly code; the line that’s loading dx with the address of our string msg has disassembled to this:

   0:	ba 08 01             	mov    $0x108,%dx

The address of $0x108 is going to overshoot the address of our string by 0x100! This is where the ORG directive comes in. Because we have specified this, all of our addresses are adjusted to suit. When DOS loads our COM file, it’ll be in at 0x100 and our addresses will line up perfectly.

sysstat utilities

21 Mar 2015

sysstat is a collection of utilities for Linux that provide performance and activity usage monitoring. In today’s post, I’ll go through a brief explanation of these utilities.

iostat

iostat(1) reports CPU statistics and input/output statistics for devices, partitions and network filesystems.

Linux 3.13.0-46-generic (thor) 	21/03/15 	_x86_64_	(8 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.53    0.01    0.46    0.09    0.00   97.92

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda              15.87       216.84       169.79     755449     591528

iostat provides a top level cpu report in its first line with a breakdown percentages for the amount of time the cpu is spent:

  • In user space (%user)
  • In user space with nice priority (%nice)
  • In kernel space (%system)
  • Waiting on I/O (%iowait)
  • Forced to wait from the hypervisor (%steal)
  • Doing nothing (%idle)

Secondly, a breakdown by device is given of disk activity. In this chart, it shows the disk devices’:

  • Transfer per second (tps)
  • Amount of data read per second (kB_read/s)
  • Amount of data written per second (kB_wrtn/s)
  • Total read (kB_read)
  • Total write (kB_wrtn)

mpstat

mpstat(1) reports individual or combined processor related statistics.

Linux 3.13.0-46-generic (thor) 	21/03/15 	_x86_64_	(8 CPU)

15:23:58     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
15:23:58     all    1.36    0.01    0.41    0.08    0.00    0.00    0.00    0.00    0.00   98.14

mpstat goes a little deeper into how the cpu time is divided up among its responsibilities. By specifying -P ALL on the command line to it, you can get a report per cpu:

Linux 3.13.0-46-generic (thor) 	21/03/15 	_x86_64_	(8 CPU)

16:05:10     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
16:05:10     all    1.58    0.00    0.42    0.06    0.00    0.00    0.00    0.00    0.00   97.94
16:05:10       0    2.05    0.00    0.74    0.04    0.00    0.00    0.00    0.00    0.00   97.17
16:05:10       1    2.62    0.02    0.58    0.03    0.00    0.00    0.00    0.00    0.00   96.76
16:05:10       2    2.84    0.00    0.59    0.03    0.00    0.00    0.00    0.00    0.00   96.54
16:05:10       3    2.31    0.00    0.67    0.02    0.00    0.00    0.00    0.00    0.00   97.00
16:05:10       4    0.83    0.00    0.18    0.10    0.00    0.00    0.00    0.00    0.00   98.89
16:05:10       5    0.65    0.02    0.20    0.10    0.00    0.00    0.00    0.00    0.00   99.03
16:05:10       6    0.71    0.00    0.20    0.08    0.00    0.00    0.00    0.00    0.00   99.01
16:05:10       7    0.64    0.00    0.17    0.06    0.00    0.00    0.00    0.00    0.00   99.13

pidstat

pidstat(1) reports statistics for Linux tasks (processes) : I/O, CPU, memory, etc.

Linux 3.13.0-46-generic (thor) 	21/03/15 	_x86_64_	(8 CPU)

16:06:19      UID       PID    %usr %system  %guest    %CPU   CPU  Command
16:06:19        0         1    0.00    0.01    0.00    0.02     0  init
16:06:19        0         7    0.00    0.02    0.00    0.02     3  rcu_sched

. . .
. . .

pidstat will give you the utilisation breakdown by process that’s running on your system.

sar

sar(1) collects, reports and saves system activity information (CPU, memory, disks, interrupts, network interfaces, TTY, kernel tables,etc.)

sar requires that data collection is on to be used. The settings defined in /etc/default/sysstat will control this collection process. As sar is the collection mechanism, other applications use this data:

sadc(8) is the system activity data collector, used as a backend for sar.

sa1(8) collects and stores binary data in the system activity daily data file. It is a front end to sadc designed to be run from cron.

sa2(8) writes a summarized daily activity report. It is a front end to sar designed to be run from cron.

sadf(1) displays data collected by sar in multiple formats (CSV, XML, etc.) This is useful to load performance data into a database, or import them in a spreadsheet to make graphs.

nfs and cifs

NFS and CIFS also have monitoring utilities.

nfsiostat-sysstat(1) reports input/output statistics for network filesystems (NFS).

cifsiostat(1) reports CIFS statistics.

These certainly come in handy when you’ve got remote shares running from your machine.

Basic docker usage

15 Mar 2015

Docker is a platform that allows you to bundle up your applications and their dependencies into a distributable container easing the overhead in environment setup and deployment.

The Dockerfile reference in the docker documentation set goes through the important pieces of building an image.

In today’s post, I’m just going to run through some of the commands that I’ve found most useful.

Building a container

# build an image and assign it a tag
sudo docker build -t username/imagename:tag .

Controlling containers

# run a single command
sudo docker run ubuntu /bin/echo 'Hello world'

# run a container in a daemonized state
sudo docker run -d ubuntu /bin/sh -c "while true; do echo hello world; sleep 1; done"

# run a container interactively
sudo docker run -t -i ubuntu /bin/bash

# connect to a running container
sudo docker attach container_id

# stop a running container
sudo docker stop container_name

# remove a container
sudo docker rm container_name

# remove an image
sudo docker rmi image_name

When running a container, -p will allow you to control port mappings and -v will allow you to control volume locations.

Getting information from docker

# list images
sudo docker images

# list running containers
sudo docker ps

# list all containers
sudo docker ps -a

# inspecting the settings of a container
sudo docker inspect container_name

# check existing port mappings
sudo docker port container_name 

# retrieve stdout from a running container
sudo docker logs container_name
sudo docker logs -f container_name

XML literals in scala

24 Feb 2015

A really handy feature that has been included in the Scala programming language is xml literals. The xml literals feature allows you to declare blocks of xml directly into your Scala code. As you’ll see below, you’re not limited to static xml blocks and you’re also given the full higher-order function architecture to navigate and process your xml data.

Definition and creation

You can create an xml literal very simply inside of your Scala code:

val people = 
	<people>
		<person firstName="John" 
				lastName="Smith" 
				age="25" 
				gender="M" />
		<person firstName="Mary" 
				lastName="Brown" 
				age="23" 
				gender="F" />
		<person firstName="Jan" 
				lastName="Green" 
				age="31" 
				gender="F" />
		<person firstName="Peter" 
				lastName="Jones" 
				age="23" 
				gender="M" />
	</people>

Scala then creates a variable of type Elem for us.

Xml literals can also be constructed or generated from variable sources

val values = <values>{(1 to 10).map(x => <value number={x.toString} />)}</values>

Take note that the value of x needs to be converted to a string in order to be used in an xml literal.

Another form of generation can be accomplished with a for comprehension:

val names = 
	<names>
	{for (name <- List("Sam", "Peter", "Bill")) yield <name>{name}</name>}
	</names>

Working with literals

Once you have defined your xml literal, you can start to interact with the data just like any other Seq typed structure.

val peopleCount = (people \ "person").length
val menNodes = (people \ "person").filter(x => (x \ "@gender").text == "M")
val mensNames = menNodes.map(_ \ "@firstName")

println(s"Number of people: $peopleCount")
println(s"Mens names: $mensNames")

The usage of map and filter certainly provide a very familiar environment to query your xml data packets.

Transform with RewriteRule

The scala.xml.transform package include a class called RewriteRule. Using this class, you can transform (or re-write) parts of your xml document.

Taking the sample person data at the top of this post, we can write a transform to remove all of the men out of the set:

val removeMen = new RewriteRule {
	override def transform(n: Node): NodeSeq = n match {
		case e: Elem if (e \ "@gender").text == "M" => NodeSeq.Empty
		case n => n
	}
}

We test if the gender attribute contains an “M”, and if so we empty out the node. To apply this transform to the source data, we use the RuleTransformer class.

val noMen = new RuleTransformer(removeMen).transform(people)

Another rule we can write, would be to remove any person who was over the age of 30:

val removeOver30s = new RewriteRule {
	override def transform(n: Node): NodeSeq = n match {
		case e: Elem if e.label == "person" && (e \ "@age").text.toInt > 30 => NodeSeq.Empty
		case n => n
	}
}

Pretty much the same. The only extra complexity is ensuring that we have an age attribute and getting it casted to an integer for us to perform arithmetic testing.

The RuleTransformer class accommodates if we want to use these two transforms in conjunction with each other.

val noMenAndOver30s = new RuleTransformer(removeMen, removeOver30s).transform(people)