PE Knowledge Review: PE section expansion

Source: Internet
Author: User

One. Why expand a section

As described earlier, we can add our code in a section's blank area. But sometimes there is not enough blank space to do so, and then the section has to be expanded.

Expanding a section is actually very simple: modify the section's aligned data size, and add 0 data to the PE file as filler.

First, look at the section table.

    typedef struct _IMAGE_SECTION_HEADER {
        BYTE  Name[IMAGE_SIZEOF_SHORT_NAME]; // 8-byte name. You can choose it yourself, or the compiler assigns one. Not important.
        union {
            DWORD PhysicalAddress;
            DWORD VirtualSize;               // Size of the section data before alignment, i.e. how large the section data really is.
        } Misc;
        DWORD VirtualAddress;                // Address of the section's first byte once loaded into memory, i.e. where the section begins in memory. VirtualAddress + ImageBase is the true section start in memory.
        DWORD SizeOfRawData;                 // Modify this value to enlarge the section, and add the corresponding 0 data to the PE file as filler.
        DWORD PointerToRawData;              // Offset in the file. A multiple of FileAlignment.
        DWORD PointerToRelocations;          // The following fields are all debugging-related.
        DWORD PointerToLinenumbers;
        WORD  NumberOfRelocations;
        WORD  NumberOfLinenumbers;
        DWORD Characteristics;               // Section attributes.
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

Two. Expanding a section in practice, and points to note

The section chosen for expansion is usually the last section. The reason is that you then do not have to modify the offsets and other properties of any other section, so expanding the last section is easy.

The property we modify in the section table is the section's aligned data size (SizeOfRawData).

Formula: let the size of the space we add be X, and let the value to be written be M.

Then M = (the section's SizeOfRawData or VirtualSize, aligned to the alignment size) + X.

The formula looks complex, but it is simply the section's aligned data size, taken according to the memory alignment, plus the size of our new space.

For example, if the original size is 0x600 and you want to enlarge it by 0x100 bytes, the modified value is 0x700, and 0x700 is then stored according to the memory alignment.

Also modify SizeOfImage (the size of the PE image in memory) in the optional header.

Three. Section expansion in practice

1. Add data

Find a PE file and add data at the last file offset. For example, to enlarge the section by 0x1000, add 0x1000 bytes.

The start position is 0x89f0 and we add 0x1000 bytes, so the end position is 0x99f0.

To confirm that our section data is mapped into memory, we fill with FFFF instead of 0 data.

2. Modify the section table properties

Because we added 0x1000 bytes, we need to modify the section's size in the file as recorded in the section table, that is, the section's SizeOfRawData.

First, look at the state before the modification.

Before it is modified, the data size is 0x0600, so the in-memory section mapping will not contain our FFFF data. The section starts at 0x01c000 in memory, so we go to that location in memory.

Look at the section data location: is there any of the FF data we filled in?

None of our FF data is there. We then modify the section's aligned file data size to 0x1600, because 0x1000 bytes of data were added.

Looking in memory again, our data has now been mapped. The first part ends at F0; below it is our data.

Note, however, that the change cannot be viewed directly after this modification, because the PE cannot run. We must also modify the SizeOfImage property in the optional header, so that the memory image size is the true size.

I have modified it, so the section is mapped into memory and can be viewed.

3. Modify the SizeOfImage property

My SizeOfImage property's original value is stored according to the memory alignment, that is, 0x01d000. So when I add 0x1000 bytes of data, it does not actually exceed the value of SizeOfImage, and it can be mapped into memory that way. If you add more data than SizeOfImage covers, then take the memory-aligned size, add the expanded data, and align the result to the memory alignment again.

4. Run the program

The program runs correctly and the data we add is mapped to memory.
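
The steps above touch three places that must stay consistent: the bytes appended to the file, the last section's SizeOfRawData and VirtualSize, and SizeOfImage. The following is an added example, not code from the original page: a Python check that reads those fields from a PE header and reports mismatches, which is also how a tampered or half-patched file shows up during triage. The header produced by build_sample (one section at RVA 0x1000, alignments 0x1000/0x200) is constructed for the example, and the rule that SizeOfImage equals the aligned end of the last section is the assumption the check encodes.

```python
import struct

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def check_last_section(pe):
    """List inconsistencies between the last section header, SizeOfImage and the file."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", pe, nt + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]     # SizeOfOptionalHeader
    opt = nt + 24                                           # start of optional header
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_image = struct.unpack_from("<I", pe, opt + 56)[0]
    last = opt + opt_size + 40 * (nsect - 1)                # last IMAGE_SECTION_HEADER
    vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, last + 8)
    issues = []
    if raw_size % file_align:
        issues.append("SizeOfRawData not a multiple of FileAlignment")
    raw_end = raw_ptr + raw_size
    if raw_end > len(pe):
        issues.append("raw data runs past end of file")
    elif raw_end < len(pe):
        issues.append("0x%x bytes after last section not covered by SizeOfRawData"
                      % (len(pe) - raw_end))
    extent = align_up(vsize or raw_size, sect_align)        # section size in memory
    if raw_size > extent:
        issues.append("SizeOfRawData exceeds the section's in-memory extent")
    if size_of_image != vaddr + extent:                     # assumed loader rule
        issues.append("SizeOfImage does not match end of last section")
    return issues

def build_sample(raw_size, vsize, size_of_image, appended):
    """Constructed one-section PE header plus section bytes (not a real program)."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                 # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x86, 1)                    # NumberOfSections
    struct.pack_into("<H", buf, 0x94, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<II", buf, 0x98 + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", buf, 0x98 + 56, size_of_image)
    struct.pack_into("<IIII", buf, 0x178 + 8, vsize, 0x1000, raw_size, 0x400)
    # 0x600 original section bytes, then the FF filler appended in step 1
    return bytes(buf) + b"\x00" * 0x600 + b"\xff" * appended
```

Calling check_last_section(build_sample(0x600, 0x600, 0x2000, 0x1000)) reproduces the state after step 1 only: the 0x1000 appended bytes are reported as not covered by SizeOfRawData, which matches the observation that they are not yet mapped.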
