Add and delete a section for PE

Source: Internet
Author: User

Over the past two days I wrote a program to add and delete sections. I found that there are many tricks and a lot of things to be aware of. Now I want to write down my experience, in the hope that it makes things easier for friends who are learning about PE files.

For more information about the PE format and basic knowledge, see other related articles.

Add Section

The precondition for adding a section is that there is enough free space between the last section header and the first section's data to hold a new 40-byte section header (IMAGE_SECTION_HEADER). Generally there are 40 bytes of space, but if there are not, you need to find a way to free up 40 bytes.
There are usually two ways to free up space:

Rearrange the PE headers
Generally, IMAGE_DOS_HEADER and IMAGE_NT_HEADERS are not adjacent. Between them there is other data, such as the DOS stub program, which is basically unused. You can move the NT headers and the section table forward over that data to enlarge the free space in the PE header and add a new section header.
The e_lfanew field of IMAGE_DOS_HEADER holds the offset of the NT headers from the start of the file. To move the NT headers forward, you only need to modify the value of e_lfanew.

Advantage: compared with expanding the PE header, you do not need to modify the PointerToRawData of every section, and you do not need to move all of the section data.
Disadvantage: only a limited number of new sections can be added.

Expand the PE header
In this method, SizeOfHeaders is usually extended by one file-alignment unit, 0x200 bytes. The PointerToRawData of every section is increased by 0x200 bytes, and then all section data is moved back by 0x200 bytes. Of course, SizeOfHeaders itself must also grow by 0x200 bytes.

Advantage: with this method you can keep adding new sections without limit.
Disadvantage: many changes are required.

Note: the bound import table
Even when space is available, you may not be able to add a new section header. You also need to check the bound import table. Unlike the other tables, the bound import table is not stored in a section: it sits in the PE header area, right after the last section header, at the location that IMAGE_DATA_DIRECTORY[11] points to.
My PE editing tools, LordPE, PE Tools and Stud_PE, all ignored this problem. After adding a section, they all overwrote the bound import table data and left IMAGE_DATA_DIRECTORY[11] unhandled. As a result, the PE file cannot run after the section is added.

If you do not want to keep the bound import table, set the data in IMAGE_DATA_DIRECTORY[11] to 0 when adding the section.
If you want to keep the bound import table, copy the bound data first, add the section header, copy the data back after the end of the section table, and update IMAGE_DATA_DIRECTORY[11] to point to its new location.
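The check described in this note, as an added example (not code from the original article): it parses a PE32 header, measures the free space after the section table, and reports whether a new 40-byte section header would overlap the bound import table. The function names and the constructed header built by `sample_pe` are assumptions made for illustration.

```python
import struct

SECTION_HEADER_SIZE = 40    # sizeof(IMAGE_SECTION_HEADER)
BOUND_IMPORT = 11           # IMAGE_DATA_DIRECTORY[11]

def header_slack(pe: bytes) -> dict:
    """Check whether one more section header fits, and what it would overwrite."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    file_hdr = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, file_hdr + 2)
    opt_size, = struct.unpack_from("<H", pe, file_hdr + 16)
    opt = file_hdr + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (IMAGE_OPTIONAL_HEADER32) is handled")
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)
    num_dirs, = struct.unpack_from("<I", pe, opt + 92)
    bound_off = bound_size = 0
    if num_dirs > BOUND_IMPORT:
        bound_off, bound_size = struct.unpack_from("<II", pe, opt + 96 + 8 * BOUND_IMPORT)
    table = opt + opt_size
    table_end = table + num_sections * SECTION_HEADER_SIZE
    new_end = table_end + SECTION_HEADER_SIZE
    # Header space ends at the first section's raw data (or SizeOfHeaders if lower).
    raw = [struct.unpack_from("<I", pe, table + i * 40 + 20)[0] for i in range(num_sections)]
    limit = min([p for p in raw if p] + [size_of_headers])
    # The bound import table sits in the header area, so its RVA equals its file offset.
    overlaps = bound_size > 0 and bound_off < new_end and bound_off + bound_size > table_end
    return {"table_end": table_end, "free": limit - table_end,
            "fits": new_end <= limit, "overwrites_bound_imports": overlaps}

def sample_pe(bound_at: int = 0) -> bytes:
    """Constructed PE32 header area with two section headers (not a real binary)."""
    pe = bytearray(0x400)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)          # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x86, 2)             # NumberOfSections
    struct.pack_into("<H", pe, 0x94, 224)           # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x98, 0x10B)         # PE32 magic
    struct.pack_into("<I", pe, 0x98 + 60, 0x400)    # SizeOfHeaders
    struct.pack_into("<I", pe, 0x98 + 92, 16)       # NumberOfRvaAndSizes
    if bound_at:
        struct.pack_into("<II", pe, 0x98 + 96 + 88, bound_at, 0x20)
    for i, ptr in enumerate((0x400, 0x600)):        # PointerToRawData of each section
        struct.pack_into("<I", pe, 0x178 + i * 40 + 20, ptr)
    return bytes(pe)
```

A file for which `fits` is true and `overwrites_bound_imports` is also true is the case the editors mentioned above get wrong.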

IMAGE_SECTION_HEADER fields
Name: the name of the new section. Note that the name cannot exceed 8 bytes.
VirtualAddress: the memory address of the section after the PE file is loaded. The address must be memory-page aligned and must directly follow the previous section. The formula is: the previous section's VirtualAddress + VirtualSize, rounded up to the memory page alignment.
VirtualSize: the actual size of the data in the section. The size after file alignment can be calculated from the actual size of the data.
SizeOfRawData: the size of the section's data after file alignment. It can be calculated from VirtualSize.
PointerToRawData: the offset of the section from the start of the file. Sections do not have to be adjacent in the file, but the start offset must be file-aligned.
Characteristics: the section attributes. Set them according to the actual purpose of the added section. If you are not sure about the attributes, set E0000060: readable, writable, executable, contains code, contains initialized data.

After adding the section header, you also need to add the data of this section. First, expand the file; the increase is the size of the section data after file alignment.

Increase SizeOfImage in IMAGE_OPTIONAL_HEADER32 so that it covers the new section's virtual address range.
Add 1 to NumberOfSections in IMAGE_FILE_HEADER.
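The field calculations above, worked through as an added example (not code from the original article). The function names, the dictionary layout and the sample section table are assumptions; the default alignments 0x1000 and 0x200 are common values, not taken from a particular file.

```python
def align(value: int, boundary: int) -> int:
    """Round value up to a multiple of boundary."""
    return (value + boundary - 1) // boundary * boundary

def plan_new_section(sections, name, data_len, file_size, characteristics,
                     section_alignment=0x1000, file_alignment=0x200):
    """Return (new_header, new_SizeOfImage, new_file_size) for an appended section."""
    if len(name) > 8:
        raise ValueError("section name is limited to 8 bytes")
    last = max(sections, key=lambda s: s["VirtualAddress"])
    header = {
        "Name": name.ljust(8, b"\0"),
        # Next page-aligned address after the previous section's virtual range.
        "VirtualAddress": align(last["VirtualAddress"] + last["VirtualSize"],
                                section_alignment),
        "VirtualSize": data_len,                            # actual data size
        "SizeOfRawData": align(data_len, file_alignment),   # size on disk
        # The data is appended at the file-aligned end of the file.
        "PointerToRawData": align(file_size, file_alignment),
        "Characteristics": characteristics,
    }
    size_of_image = header["VirtualAddress"] + align(data_len, section_alignment)
    new_file_size = header["PointerToRawData"] + header["SizeOfRawData"]
    return header, size_of_image, new_file_size

def is_rwx(characteristics: int) -> bool:
    """True when a section is both writable and executable, as E0000060 is."""
    return (characteristics & 0xA0000000) == 0xA0000000

# Constructed sample section table (illustrative values, not from a real file).
SAMPLE = [
    {"Name": b".text", "VirtualAddress": 0x1000, "VirtualSize": 0x1234,
     "PointerToRawData": 0x400, "SizeOfRawData": 0x1400, "Characteristics": 0x60000020},
    {"Name": b".data", "VirtualAddress": 0x3000, "VirtualSize": 0x500,
     "PointerToRawData": 0x1800, "SizeOfRawData": 0x600, "Characteristics": 0xC0000040},
]
```

`is_rwx` is included because a section that is writable and executable at the same time is a common heuristic in PE scanners, so choosing the narrowest attributes the data needs keeps the result from being flagged.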


Delete section

Deleting a section requires more care.

A section cannot be deleted by name. It must be deleted by index, because sections with the same name are allowed.

If the deleted section is in the middle, the PointerToRawData file offsets of the following sections can simply be moved up, but their VirtualAddress cannot, because if the VA of a section changes, every RVA in that section changes too, and fixing all of those RVAs is too much work. The solution is to enlarge the VirtualSize of the section just before the one being deleted, that is, add the VirtualSize of the deleted section to it. This way the VirtualAddress of every section after it stays unchanged and only PointerToRawData has to be modified. SizeOfImage does not need to be adjusted either: the size of the PE image does not change, only the size of the PE file.

If the deleted section is the last one, you can reduce SizeOfImage after deleting it. There is no VA problem.

If the deleted section is referenced by the data directory of IMAGE_NT_HEADERS, for example because it holds the relocation table or the TLS table, you must clear the VirtualAddress and Size of that data directory entry.

Finally, if there is bound import data, you need to move it in the file by the size of one IMAGE_SECTION_HEADER, and then correct the data directory entry that points to it.
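The section-table bookkeeping for deletion, as an added example (not code from the original article). The function name, dictionary layout and sample values are assumptions. For a middle section it sets the previous section's VirtualSize to the span that ends where the deleted section ended, which goes slightly beyond the plain sum in the text so that alignment padding between the two sections is also covered.

```python
import copy

def delete_section(sections, index, size_of_image, directories):
    """Delete sections[index]; return (table, SizeOfImage, bytes_removed, stale_dirs)."""
    table = copy.deepcopy(sections)
    gone = table.pop(index)             # by index: section names may repeat
    start = gone["VirtualAddress"]
    end = start + gone["VirtualSize"]
    if index == len(table):
        # Last section: nothing follows it, so the image simply shrinks.
        size_of_image = start
    elif index == 0:
        raise ValueError("first section has no predecessor to absorb its range")
    else:
        # Middle section: the previous section spans the freed range, so the
        # VirtualAddress of every later section (and every RVA in it) stays put.
        prev = table[index - 1]
        prev["VirtualSize"] = end - prev["VirtualAddress"]
    # Raw data stored after the deleted section moves up in the file.
    for s in table:
        if s["PointerToRawData"] > gone["PointerToRawData"]:
            s["PointerToRawData"] -= gone["SizeOfRawData"]
    # Data directory entries that pointed into the deleted section must be zeroed.
    stale = sorted(i for i, (rva, size) in directories.items()
                   if size and start <= rva < end)
    return table, size_of_image, gone["SizeOfRawData"], stale

# Constructed sample (illustrative values, not from a real file).
SECTIONS = [
    {"Name": b".text", "VirtualAddress": 0x1000, "VirtualSize": 0x1234,
     "PointerToRawData": 0x400, "SizeOfRawData": 0x1400},
    {"Name": b".data", "VirtualAddress": 0x3000, "VirtualSize": 0x500,
     "PointerToRawData": 0x1800, "SizeOfRawData": 0x600},
    {"Name": b".reloc", "VirtualAddress": 0x4000, "VirtualSize": 0x1A0,
     "PointerToRawData": 0x1E00, "SizeOfRawData": 0x200},
]
DIRECTORIES = {5: (0x4000, 0x1A0), 9: (0x3100, 0x18)}   # 5 = relocations, 9 = TLS
```

With the sample table, adding 0x500 to .text's 0x1234 would end its page-aligned range at 0x3000 and leave a hole before .reloc at 0x4000; the span calculation gives 0x2500 and keeps the sections contiguous.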
