Add a section to the PE file

Source: Internet
Author: User

Background

Previously I described adding a MessageBox popup directly to the HelloWorld.exe executable. Sometimes, however, there is too much to add: the data is inserted along with the code, and the executable itself does not have enough free space to hold it all. In that case you need to add a section.

Make sure there is room after the section headers

Use a tool to check whether there is spare space after the last section header; as a general rule there is. If there is not, the file contents after the section headers have to be moved, which is quite complicated and is not covered here. I typically combine two tools, PE View and WinHex, on the same HelloWorld.exe as before.
First use PE View to find the start address of the last section header: 00000218. From that you can deduce the end address of the last section header: 0000023F.
The boxed selection is the content of the last section header.
In the red box you can see that there is enough space to add one section header. After a section header is added there must still be one more section header's worth of space left over, and all of its bytes must be 0.

Overwrite with a section header

The next step is to add a section header. I copy the contents of the last section header of the executable and overwrite the copy afterwards. After selecting the contents in WinHex, right-click and choose Edit,
Copy Block -> Normally (or press Ctrl+C directly after selecting).


Overwrite operation: click the address where the overwrite starts, here 00000240, right-click and choose Edit, then Clipboard Data -> Write (or press Ctrl+B directly).

Do not use paste (Ctrl+V) here: paste inserts the copied content into the file, so everything after it is shifted backwards and the file-offset fields in the file headers become incorrect.



Save at this point!

Modify the value of Number of Sections

After finishing the work above, you will still not see the newly added section header when you view the file with PE View,
so we need to change the value of Number of Sections; in effect, add 1 to it.
The file offset of Number of Sections (000000D6) is again looked up with PE View.

Then use WinHex to go to 000000d6 and look at the value (it reads 0300 rather than 0003 because the value is stored little-endian; see the basics).

Simply add 1 to the 3, changing it to 4. Save.


View the file with PE View again and you will find one more section header.


It is a duplicate of the .data section header, so I usually change the name of the new section header.


At this point you will find that there is also one more section listed, but if you open it you will find that the .dx section and the .data section are the same; the file offset shows this.



This is because the contents of the .dx section header were copied from the .data section header, so the file offset is the same. I'll come back to this later.

Get the values of File Alignment and Section Alignment

With PE View, open the PE optional header:

The value of Section Alignment is 00001000.
The value of File Alignment is 00001000.
These values are in hexadecimal; write them down, because they are used later.

Add the section for the .dx section header to the file

This is where the value of File Alignment is needed, because the size of the section's space in the file must be an integer multiple of FileAlignment. For convenience, we allocate exactly one FileAlignment of file space here.
WinHex adds bytes as a decimal count, so convert first: 00001000 (hex) = 4096 (decimal).
The action is to scroll WinHex to the very bottom, right-click the last byte of the file, and choose Edit -> Paste Zero Bytes.

Follow the prompts and you will see an input box. Enter the number of bytes to insert, remembering that it is in decimal.
Here it is the size of one FileAlignment, which is 4096. Click OK.


The blue bytes are the newly added ones; WinHex marks them blue because they have not been saved yet. Note the address where the blue region starts, here 0000a000, because this value is the file offset of the new .dx section. The next step is to set Pointer to Raw Data in the .dx section header to it.
Remember to save.

Set Size of Raw Data and Pointer to Raw Data for the new section header

Look up the file offsets of these two fields with PE View:
The offsets are 00000250 and 00000254, respectively. Use WinHex to go to these two addresses:

Change the value of Size of Raw Data to 00001000; in practice, the 3 is changed to 1.
Change the value of Pointer to Raw Data to 0000a000, which was written down in the previous step; in practice, the 7 is changed to a.

Save again and view the file with PE View:

The section now differs from what was seen before, which also shows that the changes succeeded!

Set the RVA of the new section

First, look at two parameters, the Virtual Size and RVA values of the previous section header:
Virtual Size: 00003e08
RVA: 00007000
Adding these two values gives 0000ae08, so the RVA of the new section needs to be greater than this value. For convenience it is generally rounded up, here to 0000b000.
Then look up the file offset of the RVA field in the new section header:
Go to 0000024C in the file, change the value there to 0000b000, and then save:


Set Virtual Size in the new section header

Virtual Size specifies the amount of memory the corresponding section occupies after it is loaded into memory, but its value is an integer multiple of the alignment. In this example Section Alignment is 00001000, and more memory than that should not be needed, so setting Virtual Size directly to 00001000 is fine.
First use PE View to find the location (once you are familiar with the layout you will not need to):
The file offset of Virtual Size is 00000248.

Go there, modify the value, and save. That's all!


Modify the value of Size of Image

This parameter is in IMAGE_OPTIONAL_HEADER and specifies how much memory is needed after all sections have been loaded. To change it, go to its file address, 00000120,

and add the Virtual Size of the new section header (00001000) to the original value; that is, change B to C, and then save.


At this point the program runs without error, which basically proves that the operations were correct!

Modify the properties of the new section (permissions)

The steps above successfully added a section, but we are not done yet: we need to insert executable code and data into it. There is, however, a parameter in the section header that limits what this section can do. Let's look at this parameter:
Here IMAGE_SCN_CNT_INITIALIZED_DATA says that this section contains initialized data, and the rest, IMAGE_SCN_MEM_READ and IMAGE_SCN_MEM_WRITE, mean that the program can read and write this section. But if code is inserted here, it cannot run without execute permission!
If you do not know how to set this, refer to the Characteristics of the .text section header: IMAGE_SCN_CNT_CODE says that the section contains executable code, and IMAGE_SCN_MEM_EXECUTE gives the section permission to execute. Just combine these bitwise with the value of the new section header's Characteristics (in practice, add 20000020 directly, although that way of putting it is not rigorous).
The file address of the new section's Characteristics is 00000264.

Save again:


How exactly to insert the code is another job and is not covered here.
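The header arithmetic from the steps above, as an added Python example (not part of the original article): `plan_new_section` only reads the headers and returns each field's file offset and new value, setting the two Characteristics flags with a bitwise OR, so the hex edits can be checked before saving. `build_sample_headers` is a constructed header block carrying the article's values; its SizeOfHeaders of 0x1000 and the assumption that the file ends where the last section's raw data ends are not from the article.

```python
import struct

HDR = 40                      # size of one IMAGE_SECTION_HEADER
CODE_EXEC = 0x20000020        # IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def plan_new_section(image, raw_size=0x1000, virtual_size=0x1000):
    """Return {field: (file_offset, new_value)} for one appended section."""
    pe, = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24                                          # optional header start
    sec_align, file_align = struct.unpack_from("<II", image, opt + 32)
    size_of_headers, = struct.unpack_from("<I", image, opt + 60)
    last = opt + opt_size + (nsec - 1) * HDR               # last section header
    vsize, rva, rsize, rptr, flags = struct.unpack_from("<4I12xI", image, last + 8)
    new = last + HDR
    new_rva = align_up(rva + vsize, sec_align)
    new_vsize = align_up(virtual_size, sec_align)
    # Precondition from the text: space for the new header plus one all-zero header.
    room = new + 2 * HDR <= size_of_headers and not any(image[new:new + 2 * HDR])
    return {
        "has_room": room,
        "NumberOfSections": (pe + 6, nsec + 1),
        "VirtualSize": (new + 8, new_vsize),
        "VirtualAddress": (new + 12, new_rva),
        "SizeOfRawData": (new + 16, align_up(raw_size, file_align)),
        "PointerToRawData": (new + 20, align_up(rptr + rsize, file_align)),
        "Characteristics": (new + 36, flags | CODE_EXEC),  # OR sets bits; adding could carry
        "SizeOfImage": (opt + 56, align_up(new_rva + new_vsize, sec_align)),
    }

def build_sample_headers():
    """Constructed header block carrying the offsets and values quoted in the text."""
    img = bytearray(0x1000)                                # SizeOfHeaders 0x1000 is assumed
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xD0)                # puts NumberOfSections at 0xD6
    img[0xD0:0xD4] = b"PE\0\0"
    struct.pack_into("<H", img, 0xD6, 3)                   # three sections, .data last
    struct.pack_into("<H", img, 0xE4, 0xE0)                # SizeOfOptionalHeader (PE32)
    struct.pack_into("<II", img, 0x108, 0x1000, 0x1000)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, 0x120, 0xB000, 0x1000)    # SizeOfImage, SizeOfHeaders
    img[0x218:0x220] = b".data\0\0\0"
    struct.pack_into("<4I12xI", img, 0x220, 0x3E08, 0x7000, 0x3000, 0x7000, 0xC0000040)
    return bytes(img)
```

Each returned pair is the file offset to go to in the hex editor and the value to write there in little-endian order; `has_room` is False when the space after the last header is not all zero.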



