PE new section of PE Knowledge Review

PE knowledge Review of PE new section One, why new section. And the steps to add a new section

For example, the previous lecture. Our PE file can add code in a blank area. But this is caused by a disadvantage. Because your blank section property may be read-only, it cannot be performed. If you modify the properties. Then a new section can be used to implement our code.

Wait a minute.

1. Steps to add a new section

1. Add a section at the last section location. If there is no blank position. You need to enlarge the expansion head and fix the offset of the section yourself.

2. Modify the number of section tables in the file header.

3. Add a new section table to modify the properties of the Section table. Section. virtualaddress. This member specifies where the section is to be expanded in memory. So it needs to be modified.

4. Modify the Section Table file Offset section. Pointertorawdata we specify where in memory to expand the section. You also need to specify where this section is to be expanded in the file.

5. Modify the size of the section data in the section table when it is aligned.  Section. Sizeofrawdata. Our new section. You need to add a section of data to the PE file. The size of the data is added according to the file alignment. and fill in this member.

6. Modify the PE image size of the expansion head. Sizeofimage. This member is the key. If the mirror size is not modified by memory alignment. Then our section will not be mapped into memory. Or the PE file cannot be executed at all.

Second, according to the new section step. Add a section manually. 1. Add a section Table

When you add a section table. You need to add it after the last section. Whichever PE file is an example

Because the sizeofheaders in the extension header indicates the size of the DOS header and +nt header + Section table. Store according to file alignment. So it's the section data at 400. The last section table is. rsrc. We have enough space below to add a new section table. So we copy this section table. paste it after him. Paste a new. rsrc Section table.

We have the name of the People for this festival AAAA

　　

2. Modify the number of section tables. In the file header properties.

There is a property in the header that records the number of our day tables. We have added a new section. Then you need to add 1 to the original number. Locate the File Header Record Section table. and add one.

Originally 7, now change to 8.

3. Fix the offset in the section table.

We have added a section table. So we're going to show you where to start in memory. The location to expand in the file. And the size of the section data.

The corresponding three members were:

Section. virtualaddress

Section. Sizeofrawdata

Section. Pointertorawdata

Section 3.1. Virtualladdress modification

First the first member. Section. Virtualladdress. We are aligned according to the document. Align with the previous section table.

For example, when the previous section table is aligned, the expanded position is 0x1c000 then we'll change to 0x1d000

　　Section 3.2. Sizeofrawdata modification

This member is the size of the section data according to the file alignment. Depending on how much data we add to this section. We can add 0x1000 bytes to the PE file.

New section start position changed to FFFFF convenient for us to view.

We have added the 0x1000 section data. Then this member is changed to 0x1000.

　　Section 3.3. pointerrawtodata File Offset Modification

The last thing to change is where the section unfolds in the file. This we need to look at a section of the file offset. and the section data size. calculated.

For example, the previous section offset position is 10.  Then the section data is 100. So the section data is from 10 ~ 100 is the previous section. Our festival unfolds from 100 positions.

For example:

　　

The previous section begins with the 8400-section data-aligned size is 0x600 they add up to be 0x8a00. So our offset position starts at 0x8a00.

4. Modify the image size of the PE in the expansion header Sizeofimage

We have added 0x1000 section data size. Then our image size is also mapped with 0x1000 size. Note: To align to memory.

Our original image size is stored in the same way as memory alignment. Is 0x1d000. So the data we added to the 0x1000 is 0x1e000 size. We changed it to 0x1e000.

Save File

5. Save the file in memory to see if it is mapped.

First run:

　　

can run successfully.

Go to memory to see if the section table is mapped. The offset of our section in memory is 0x1d000 plus our imagebase is the 0x41d000 position.

Jump to the past and found that we just fill in the FFFF data. The map has been successfully mapped. We have added a section to this PE file.

Iii. Summary

Add a section based on the above combat. Make a summary.

1. A section table 0x28 bytes. Added in the last section table location. If the sizeofheaders has enough space.

2. Modify the number of section tables in the file header. File. Sectionnumber = Number of original sections + number of new sections you added. For example, the original is 7. You added a section. That's 8.

3. Modify the Section properties:

Section. Virtualladdress the expanded location in memory. Align in memory. You can refer to the previous section. virtualladdress location. We make changes.

Section. Sizeofrawdata the size of the data according to the file alignment. Section. Sizeofrawdata = The section data size you added. Follow the file alignment to store. For example, add 0x1000. So the size is 0x1000.

The offset in the section. pointertorawdata file. section. Pointertorawdata = () the previous section. Pointertorawdata + previous section. Sizeofrawdata. )

4. Modify the expansion head sizeofimage PE mirror size. Extension header. Sizeofimage = Memory Alignment (original Sizeofimage value + your row increment data size is aligned in memory)

PE new section of PE Knowledge Review