I am now playing with section tables. Just a question, what are the equates for the characteristic portion of the IMAGE_SECTION_HEADER? And is it possible for me to make my section writable+readable+executable? Can I have more than 2 sections in my exe file that are executable?
Posted on 2003-05-15 05:55:25 by roticv
Roticv,

You can have more than two sections which are executable. You can do this
by assigning the read/write/execute flag value. An easy way to experiment
with it is to use a tool such as LordPE or StudPE.
Posted on 2003-05-15 06:53:44 by Vortex
IMAGE_SCN_TYPE_NO_PAD = 00000008h  

IMAGE_SCN_CNT_CODE = 00000020h
IMAGE_SCN_CNT_INITIALIZED_DATA = 00000040h
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 00000080h
IMAGE_SCN_LNK_OTHER = 00000100h
IMAGE_SCN_LNK_INFO = 00000200h
IMAGE_SCN_LNK_REMOVE = 00000800h
IMAGE_SCN_LNK_COMDAT = 00001000h
IMAGE_SCN_NO_DEFER_SPEC_EXC = 00004000h
IMAGE_SCN_GPREL = 00008000h
IMAGE_SCN_MEM_FARDATA = 00008000h
IMAGE_SCN_MEM_PURGEABLE = 00020000h
IMAGE_SCN_MEM_16BIT = 00020000h
IMAGE_SCN_MEM_LOCKED = 00040000h
IMAGE_SCN_MEM_PRELOAD = 00080000h
IMAGE_SCN_ALIGN_1BYTES = 00100000h
IMAGE_SCN_ALIGN_2BYTES = 00200000h
IMAGE_SCN_ALIGN_4BYTES = 00300000h
IMAGE_SCN_ALIGN_8BYTES = 00400000h
IMAGE_SCN_ALIGN_16BYTES = 00500000h
IMAGE_SCN_ALIGN_32BYTES = 00600000h
IMAGE_SCN_ALIGN_64BYTES = 00700000h
IMAGE_SCN_ALIGN_128BYTES = 00800000h
IMAGE_SCN_ALIGN_256BYTES = 00900000h
IMAGE_SCN_ALIGN_512BYTES = 00A00000h
IMAGE_SCN_ALIGN_1024BYTES = 00B00000h
IMAGE_SCN_ALIGN_2048BYTES = 00C00000h
IMAGE_SCN_ALIGN_4096BYTES = 00D00000h
IMAGE_SCN_ALIGN_8192BYTES = 00E00000h
IMAGE_SCN_LNK_NRELOC_OVFL = 01000000h
IMAGE_SCN_MEM_DISCARDABLE = 02000000h
IMAGE_SCN_MEM_NOT_CACHED = 04000000h
IMAGE_SCN_MEM_NOT_PAGED = 08000000h
IMAGE_SCN_MEM_SHARED = 10000000h
IMAGE_SCN_MEM_EXECUTE = 20000000h
IMAGE_SCN_MEM_READ = 40000000h
IMAGE_SCN_MEM_WRITE = 80000000h
IMAGE_SCN_SCALE_INDEX = 00000001h

;)
Posted on 2003-05-15 11:59:54 by Tola
Thanks
Posted on 2003-05-16 00:34:21 by roticv
Okay, I did some coding and was just wondering why, after some editing to my exe file, Windows says the file is an invalid win32 application. Here's my file. Thanks for help anyway :)
Posted on 2003-05-16 05:58:22 by roticv
- image size should be aligned
- the entry point is outside the image
- raw size of the last section is incorrect/needs padding
:grin:
Posted on 2003-05-16 06:43:45 by Tola
Ah thanks. I knew there were things that I had forgotten to do. Anyway, what should my last section's raw size be aligned to at least? And what should my image be aligned to?
Posted on 2003-05-16 07:05:50 by roticv
section.rawsize member doesn't need to be aligned - however, the actual section bytes must!
Alignment is, of course, peheader.filealign. This value has to be at least 512 to work on
all Windows versions.

peheader.sizeofimage alignment is peheader.memalign.
Posted on 2003-05-16 07:15:04 by f0dder
The section alignment is an important factor especially for NT/XP systems.
Posted on 2003-05-16 12:58:44 by Vortex
I aligned virtualsize to 200h using the following code


add ecx,511
and ecx,-512
Posted on 2003-05-16 22:56:41 by roticv
Thanks Tola. Once I fixed the sizeofimage, it works. :)
Posted on 2003-05-17 04:14:18 by roticv
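The checklist from the replies above (SizeOfImage alignment, entry point inside the image, raw data padded to the file alignment) can be checked mechanically, along with the writable+executable flag combination asked about in the first post. The following is an added example, not code from any poster: `check_pe`, `align_up` and `build_sample` are hypothetical names, the sample header is constructed for the demonstration, and "needs padding" is interpreted as "the file must extend to the FileAlignment-rounded end of each section's raw data".

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # values from the equate list in the thread
IMAGE_SCN_MEM_WRITE = 0x80000000

def align_up(value, alignment):
    # Generalises "add ecx,511 / and ecx,-512" to any power-of-two alignment.
    return (value + alignment - 1) & -alignment

def check_pe(data):
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file"]
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # start of the optional header
    entry, = struct.unpack_from("<I", data, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    findings = []                            # problems named in the thread
    if size_of_image % sect_align:
        findings.append("SizeOfImage not aligned to SectionAlignment")
    if entry >= size_of_image:
        findings.append("entry point outside image")
    for i in range(nsect):
        off = opt + opt_size + 40 * i        # 40-byte IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        rsize, rptr = struct.unpack_from("<II", data, off + 16)
        flags, = struct.unpack_from("<I", data, off + 36)
        if rptr and align_up(rptr + rsize, file_align) > len(data):
            findings.append(f"{name}: raw data not padded to FileAlignment")
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name}: writable and executable")
    return findings

def build_sample(size_of_image, entry, pad_last):
    # Constructed one-section PE32 header for testing; not a runnable exe.
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44], hdr[0x138:0x140] = b"MZ", b"PE\0\0", b".code\0\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)            # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x58, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 16, entry)           # AddressOfEntryPoint
    struct.pack_into("<II", hdr, 0x58 + 32, 0x1000, 0x200)  # Section/FileAlignment
    struct.pack_into("<I", hdr, 0x58 + 56, size_of_image)   # SizeOfImage
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, 0x140, 0x123, 0x1000, 0x123, 0x200)
    struct.pack_into("<I", hdr, 0x138 + 36, 0xE0000020)     # code + read/write/execute
    return bytes(hdr) + b"\0" * (0x200 if pad_last else 0x123)
```

`check_pe(build_sample(0x1123, 0x3000, False))` reports all three header problems from the checklist plus the writable+executable section; a truncated header raises `struct.error` rather than returning a finding.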
The program I am working on is vodet. The password is the key for tean encryption. Since I know that it can be cracked easily (just change the cmp eax,deadc0de to mov eax,deadc0de), I am working on encrypting the .code section. Bear with my silly questions :) And please report any bugs found.
Posted on 2003-05-17 10:07:10 by roticv