Manually add pe section and modify oep

I always wanted to learn how to move the pe file. After studying several articles, especially those in the cold morning, I tried to add a section and modify the oep myself, write it out for progress with the same dish as me.

1. Add operations required by pe section

1. Determine the alignment granularity of the segments in the memory and the alignment granularity of the segments in the files, which are pe + 0038 h and 3ch respectively.
 
That is to say, the alignment granularity of memory and files is 1000 h.
2. Add data at the end of the file.
Because the file alignment granularity is 1000 h, we add h data at the end of the file.
 
3. Add new section information at the end of the section table
 
Add a. peng section to the end of the last section.
2E 70 65 6E 67 00 00 00 --------. the ASCII code of the peng.
00 18 00 00 --------- actual VirtualSize (casually written ).
00 B0 00 00 --------- RVA address of the VirtualAddress dd section (because. in the data section, the RVA address is 7000, the size is 3E24, and the total value is AE24. For the sake of alignment, B000 represents 00B00000.
00 20 00 00 ----- SizeOfRawData size after alignment in the file (H bytes are added at the end of the file, which is counted as above)
00 A0 00 00 ---- the address of the physical file offset from the PointerToRawData file. The address just added is A000, so it is written as 00 A0 00. Why is it not the above 00 B0 00? At first, I took it for granted, but the program is always wrong. Later I figured it out, because we added H bytes starting from A000, not B000. If we had to write B000, we had to add H bytes at the end, otherwise, the Section written in SizeOfRawData contains 2000 pieces of data.
After
00000000 PointerToRelocations
00000000 PointerToLinenumbers
0000 NumberOfRelocations dw
0000 NumberOfLinenumbers dw
Attributes of the 00 60 Characteristics section can be read, executable, and code.
4. output the number of modified sections in pe + 6.
 
It turns out to be 03 00, and changed to 04 00.
5. Modify the memory image size at pe + 50.
 
Changed from 00 B0 00 to 00 D0 00 00. Why is the original image B000 size? Note that, in the figure below,. data is the last section. The RVA address is 7000, the size is 3E24, and the sum is AE24. According to the alignment principle, the total size is B000.
 
Therefore, the size of the new memory image should be B000 + 1800 = C800 aligned with D000.
6. Test
When loaded with lordpe, The. peng segment is correctly displayed and the running program is normal.
 
Ii. Modify OEP

1. view and modify OEP at pe + 28.
 
If the original OEP is at 1203, write down the address and change it to B000 (note that it is not A000, oep is RVA, and at first I made a mistake and the program crashed ),
 
2. Enable OD
 

It will stay at the new oep, change it to jmp 00401203, and save it.
3. Test
Normal Operation!
OK!