I am trying to write simple PE packer by adding new section to the PE, that also requires to add new section table to the array of IMAGE_SECTION_HEADER in PE header.
But in order to do that, I need to resize PE header for one more IMAGE_SECTION_HEADER struct right? Many sources I saw doesn't do that (including comrade's), they just write new section table right after the last in array. But is it safe enough? Aren't program going to rewrite whatever PE data is there ?
Posted on 2004-03-19 15:28:43 by Mikky
word @ PE + 06h= section count, so any data after start of section data + (028h* the amount of sections) and before the start of the first section in the image is usable
Posted on 2004-03-19 18:10:51 by evlncrn8
of course its necessary to realign if there is no space for new section header
i just don't do it because i am lame
Posted on 2004-03-19 18:18:48 by comrade
I tried making additional space after section table, but looks like there are much more stuff to reallocate than I thought. First PE icon disappeared from explorer, secondly import table became useless since it was moved on new file offset and pe loader couldn't find it.
Looks like there's a lot of work just do make space for an additional section table... I have PE docs but does anyone have complete reference of all relative offset that need to be reallocated for this work?
Posted on 2004-03-19 18:25:12 by Mikky
You only need to move every section down 512 bytes, and change PointerToRawData as well in every section header
Posted on 2004-03-19 20:08:40 by comrade

You only need to move every section down 512 bytes, and change PointerToRawData as well in every section header


well thats if the file alignment is 200h..which typically aint OPT:WIN98 is typically on.

Anyways you mess up position dependent code if your try injecting a section when there isn't enough room due to the relocation concern so unless the file has relocation records or your making it position indpendent code do the section injection if you can and if you cannot then rely on adding to the last section.

oh yeh and to answer the original question at hand


they just write new section table right after the last in array. But is it safe enough? Aren't program going to rewrite whatever PE data is there ?


no. if data right after the last section header is is just 00s then its ok to right because they're just padded bytes to align it to its proper alignment. I havent really come accross and executable you cant add a new section too cept for packed apps like FSG which get all headers under 200h.
Posted on 2004-03-20 00:10:15 by archphase
Anyways you mess up position dependent code if your try injecting a section when there isn't enough room due to the relocation concern so unless the file has relocation records or your making it position indpendent code do the section injection if you can and if you cannot then rely on adding to the last section.


What do relocations have to do with appending a new section?
Posted on 2004-03-20 00:45:37 by comrade
If relocations are present, and you feel like adding a bunch of code, you can do some pretty funky section injection ;)
Posted on 2004-03-20 04:07:45 by f0dder

You only need to move every section down 512 bytes, and change PointerToRawData as well in every section header

Why 512 bytes? If I am putting my section at the end of file, and inserting my section table at the end of array then I just need to add sizeof (section table) to all PointerToRawData right?

Originally posted by archphase
no. if data right after the last section header is is just 00s then its ok to right because they're just padded bytes to align it to its proper alignment. I havent really come accross and executable you cant add a new section too cept for packed apps like FSG which get all headers under 200h.

Yea but I want to support packed exes and also many shareware programs have some kind of protection. Btw packers and other PE wrapper software doesnt try to mess up (eg. compress/encrypt) PE header right? (In that case I am doomed with my 100% compatability)

About relocations, to put it simply, if I create offset independent code (delta handle and stuff) for my section would there be any problems if file has relocation data and need to be realocated when not loaded on prefered offset?
Posted on 2004-03-20 17:42:58 by Mikky

Btw packers and other PE wrapper software doesnt try to mess up (eg. compress/encrypt) PE header right?

If they did that, the executable wouldn't run :)


About relocations, to put it simply, if I create offset independent code (delta handle and stuff) for my section would there be any problems if file has relocation data and need to be realocated when not loaded on prefered offset?

Nope, no problems.
Posted on 2004-03-21 07:43:19 by f0dder
Ok I somehow manage to add new section with inserting new section table into header. It works for some win32asm sample apps but it fails when I try to patch the calc.exe or notepad.exe from winXP. Looks like I messed up import data, but I am not sure how and where, here is the error for patched calc.exe



---------------------------
test2.exe - Unable To Locate Component
---------------------------
This application has failed to start because ??.dll was not found. Re-installing the application may fix this problem.
---------------------------
OK
---------------------------


Does PointerToRawData has to be aligned on file or section alignment boundary from PE header? Since I added 28h (size of section header) to all PointerToRawData which is file offset, do I have to do something with RVAs?
Posted on 2004-03-21 15:16:52 by Mikky
I think this has to do with "bound imports", since the bind table thingamajig is usually placed where you want to insert a new section struct.
Posted on 2004-03-21 15:21:10 by f0dder
Ok I tried fixing bound import offset by adding size of section table struct like this


; bound import
lea esi,[edi].IMAGE_OPTIONAL_HEADER32.DataDirectory
add esi,11*sizeof IMAGE_DATA_DIRECTORY ; esi ptr on IMAGE_BOUND_IMPORT_DESCRIPTOR
add [esi].IMAGE_DATA_DIRECTORY.VirtualAddress,28h ; fixup



Now I have different error when I start patched program



---------------------------
test2.exe - Application Error
---------------------------
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.
---------------------------
OK
---------------------------


But its a progress I guess, this is probably error from CreateProcess() but looks like there are still some stuff to be done, I dunno what exacly, here is what I did so far
1. fixed all sections PointerToRawData by adding 28h
2. Fixed bound import

(and other regular PE header stuff not important for the discussion)
Posted on 2004-03-21 18:08:26 by Mikky