After a packed PE has been unpacked, the resulting file is generally larger than the original for the following reasons:
1. After unpacking, the packer stub (the body of the "shell") is still present;
2. During unpacking, new import and reloc sections are created;
3. Some packers merge sections of the original program with sections the packer itself added and move them to other locations.
4. Unpacking works from a memory dump, and the in-memory image is laid out with SectionAlignment, which is generally larger than the FileAlignment of the original PE file, so every dumped section is larger than the same section in the original file.
Solution:
(1) After unpacking, write each valid section out to a temporary file. For example, save the .text section on its own as text_tmp.bin, and do the same for the other sections. Unused sections (such as the packer stub) are discarded.
(2) Remove the unneeded tail of text_tmp.bin, which is usually the padding up to the last memory-alignment boundary of the dumped image. Look at the end of the file in a hex editor; it is generally a run of 00 bytes.
(3) Rebuild the PE header, keeping the number of valid sections to a minimum.
(4) Rebuild the PE: concatenate the new PE header, .text, .import, .export, .data and .reloc into a new PE file. To minimise the size of the PE further, consider merging several sections into one before concatenating (for example .data, .import, .export and .reloc). A merged section must carry the union of the Characteristics of its parts, so do not merge code into a writable data section unless you are prepared to mark that section executable.
(5) Adjust the new PE file so that it conforms to the PE format. This is the complex part, and includes:
1. Aligning the starting RVA of each section to the SectionAlignment value in the optional header of the new PE header.
2. Recomputing and rewriting every RVA-dependent item in each section against the new header, for example the OffsetToData RVAs of the data entries in the resource section, the page RVAs and fix-up targets in .reloc, and the RVAs in the import and export tables. The data directory entries in the optional header must point at the new locations as well.
3. Aligning the new file according to the FileAlignment requirement.
(6) Test the new PE. If it fails, trace it in a debugger and repeat step (5) until it runs normally.
You can write a tool to do the RVA adjustments in step (5), such as recomputing and rewriting the RVAs in the resource section and the reloc section. Done well, the new PE behaves almost exactly like the original and may even be smaller. I have written a few adjustment tools that automatically fix up the resource section and the reloc section and move them into any free section of the new PE. Such tools are easy to write; write them as you need them, and doing so will greatly improve your understanding of the PE format. Note that the start of most tables (directories) must lie on a dword boundary, i.e. the starting address must be a multiple of 4 (0x634b4 is valid, 0x634b1 to 0x634b3 are not); this applies to the resource table and the reloc table, among others. Beyond that, nothing special needs attention as long as you work carefully.
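As an added worked example (this is not the author's tool and not code from the original article), the following Python script implements the parts of steps (2) and (5) that the text leaves to the reader: trimming the zero tail of a dumped section back to FileAlignment, laying sections out at SectionAlignment/FileAlignment, rewriting the OffsetToData RVAs inside a moved .rsrc section, and shifting the page RVAs of the .reloc blocks that describe fix-ups inside a moved section. The alignments (0x1000 and 0x200), all function names, and the one-resource .rsrc image it builds are assumptions constructed for this example.

```python
import struct

# Assumed alignments of a typical 32-bit PE (constructed for this example).
SECTION_ALIGNMENT = 0x1000
FILE_ALIGNMENT = 0x200
IMAGE_RESOURCE_DATA_IS_DIRECTORY = 0x80000000


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def read_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def trim_dumped_section(raw, file_alignment=FILE_ALIGNMENT):
    """Step (2): drop the run of 00 bytes a memory dump leaves at the end of a
    SectionAlignment-rounded section, then pad only up to FileAlignment.
    Trailing zeros that were real data are harmless: the loader zero-fills them."""
    end = len(raw)
    while end > 0 and raw[end - 1] == 0:
        end -= 1
    return raw[:end] + b"\0" * (align_up(end, file_alignment) - end)


def layout_sections(sections, headers_size, first_rva=SECTION_ALIGNMENT,
                    section_alignment=SECTION_ALIGNMENT, file_alignment=FILE_ALIGNMENT):
    """Steps (5.1) and (5.3): assign VirtualAddress and PointerToRawData for trimmed
    sections packed back to back. `sections` is a list of (name, raw_bytes)."""
    rva = align_up(first_rva, section_alignment)
    raw_ptr = align_up(headers_size, file_alignment)
    table = []
    for name, raw in sections:
        assert len(raw) % file_alignment == 0, f"{name} is not file-aligned; trim it first"
        table.append({"Name": name, "VirtualAddress": rva, "VirtualSize": len(raw),
                      "PointerToRawData": raw_ptr, "SizeOfRawData": len(raw)})
        rva = align_up(rva + len(raw), section_alignment)
        raw_ptr += len(raw)
    return table


def rebase_resource_section(rsrc, old_rva, new_rva):
    """Step (5.2) for .rsrc: walk the IMAGE_RESOURCE_DIRECTORY tree and rewrite each
    IMAGE_RESOURCE_DATA_ENTRY.OffsetToData, the only RVAs the section contains.
    Directory, name and data-entry offsets are section-relative and stay unchanged."""
    assert new_rva % 4 == 0, "resource table must start on a dword boundary"
    delta = new_rva - old_rva
    buf = bytearray(rsrc)

    def walk(dir_off):
        n_named, n_id = struct.unpack_from("<HH", buf, dir_off + 12)
        for i in range(n_named + n_id):
            _, off = struct.unpack_from("<II", buf, dir_off + 16 + 8 * i)
            if off & IMAGE_RESOURCE_DATA_IS_DIRECTORY:
                walk(off & 0x7FFFFFFF)          # subdirectory
            else:                               # leaf: IMAGE_RESOURCE_DATA_ENTRY
                struct.pack_into("<I", buf, off, (read_u32(buf, off) + delta) & 0xFFFFFFFF)

    walk(0)
    return bytes(buf)


def rebase_reloc_blocks(reloc, old_rva, old_size, new_rva):
    """Step (5.2) for .reloc when another section moved: shift the page RVA of every
    IMAGE_BASE_RELOCATION block that lies inside the moved section. The absolute
    pointer values those fix-ups patch are not rewritten here; that needs the image
    base and a pass over each entry, which this example leaves out."""
    delta = new_rva - old_rva
    buf = bytearray(reloc)
    off = 0
    while off + 8 <= len(buf):
        page, size = struct.unpack_from("<II", buf, off)
        if size < 8:
            break                               # zero padding after the last block
        if old_rva <= page < old_rva + old_size:
            struct.pack_into("<I", buf, off, page + delta)
        off += size
    return bytes(buf)


def build_sample_rsrc(section_rva):
    """Constructed .rsrc image with one RT_RCDATA resource: root -> type -> lang -> data."""
    def directory(n_id):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n_id)

    def entry(ident, off, subdir):
        return struct.pack("<II", ident, off | (IMAGE_RESOURCE_DATA_IS_DIRECTORY if subdir else 0))

    payload = b"constructed resource payload"
    # layout: root dir 0x00, type dir 0x18, lang dir 0x30, data entry 0x48, payload 0x58
    return (directory(1) + entry(10, 0x18, True)          # RT_RCDATA
            + directory(1) + entry(1, 0x30, True)         # resource id 1
            + directory(1) + entry(0x409, 0x48, False)    # en-US -> data entry
            + struct.pack("<IIII", section_rva + 0x58, len(payload), 0, 0)
            + payload)


if __name__ == "__main__":
    text = trim_dumped_section(b"\x90" * 0x301 + b"\0" * (0x1000 - 0x301))
    rsrc = trim_dumped_section(build_sample_rsrc(0x5000))   # dumped at RVA 0x5000
    table = layout_sections([(".text", text), (".rsrc", rsrc)], headers_size=0x400)
    moved = rebase_resource_section(rsrc, 0x5000, table[1]["VirtualAddress"])
    print(table, hex(read_u32(moved, 0x48)))
```

After running the layout, the data directory entries in the new optional header (resource and base-relocation tables in particular) must be pointed at the new VirtualAddress of the sections that hold them; the script only rewrites the RVAs inside the sections. Moving a section that other sections address by absolute pointer additionally requires walking the fix-ups and rewriting the pointer values, which is the part `rebase_reloc_blocks` deliberately does not do.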