Hi.
Is it possible to use the free space between the sections/segments of a program in memory? Since segments have to start at special "boundaries", there is (almost) always some free space between the segments. Can I access this space, and if yes, how?


Thanks in advance.
Posted on 2001-11-15 10:16:22 by darester
Are you going to code a virus? I know some use this feature, and one of them actually destroyed the BIOS of my MB some time ago.

'Bye, Kefren
Posted on 2001-11-15 10:27:35 by kefren
Well, this is certainly a thing that can be abused, for instance for
viral matters. But it can also be used for good, or at least fun.
Like, some people added unix file (i.e. LF instead of CR+LF) support to notepad :).

I believe this question is probably OK in here - after all, iczelion has
been working on PE tutorials which could, in theory, be used for evil.

Yes, free space between sections can be used. You will have a maximum of
FILEALIGN-1 bytes available, which can be "a good deal" if you're
using 4k filesection alignment (the standard with newer linkers... or
was that 8k filesection alignment? 4k I think).
filesection alignment can be less than memsize alignment. memsize
alignment is usually 4k. It cannot be less, and is very seldom larger.
If you're prepared to fix up a good deal of PE header information,
it is possible to extend filealign to use up to sectionalign bytes...
but then it's almost always easier to add an extra section, or extend
the last section and fix up section characteristics.

Now don't abuse this information for anything bad. Otherwise we'll
come after you and give you a spanking. And if you do make something
"bad", keep it on your own box.
Posted on 2001-11-15 11:29:47 by f0dder
darester,

you can see a program of mine that does exactly this, use this space in memory, on iczelion's site... it is called hideproc.zip, and it uses code in kernel32.dll sections' slack space to hook api routines and hide explorer.exe from the tasklist.

f0dder's explanation seems to be based on file modifications, not in memory as you asked, but the process is very similar.

ancev
Posted on 2001-11-15 13:09:01 by ancev
Ah, in memory :). That should be even easier.
Posted on 2001-11-15 13:45:30 by f0dder
Can you block fill this space so that it can't be used by anything WHAT so EVER? IF SO, HOW???
Posted on 2001-11-15 14:04:45 by cmax
cmax, you'd have to make sure all sections are SECTIONALIGN padded.
And you'd better fill with random data and not just zeroes.
Posted on 2001-11-15 14:21:11 by f0dder
If I had half of your knowledge I'd be a monster. (one of the good ones from Monsters Inc.)
Thanks
Posted on 2001-11-15 14:32:39 by cmax
darester,

There are no problems using the space between sections as long as you can keep track of what is space and what is part of the section. If you compress a PE EXE file with something like UPX, you get a free area that you can store settings in if you post-patch it after compression.

In memory is a different matter, you will have to understand how the EXE file is loaded in memory and where the sections begin and end. You should already know that the disk image is smaller than the memory image and this is one of the ways you can use that memory space if you have a use for it.

As usual, don't do anything naughty or we will all frown upon you. :)

Regards,

hutch@movsd.com
Posted on 2001-11-16 04:33:53 by hutch--
thanks for all those replies so far.
No, I don't want to write a virus or other destructive code, I was just wondering what you can do with this free space.

but now I have one more question :)
if there's for example free space between the code segment and the data segment, this free space would have the attributes of the code segment because it is IN the code segment, right? what can I do with this free space? can I store code and data in it or code only? and what about free space in a data segment? can I store code and data in it or data only?
can I change permissions of this free space with those Virtualxxx apis like VirtualProtectX?
Posted on 2001-11-16 10:25:41 by darester
You can store whatever you want and do with it whatever you want :)
Well. Intel processors don't have a way to check for EXECUTE right
per-page, and microsoft has not implemented a "check-if-page-is-executable"
in their scheduler, as it would slow down stuff. Thus, you can execute
from a non-exec section. To *write* data to a section, you'll have
to mark the section as writable, though. Probably with VirtualProtectEx.

And yes, slack space between .code and .next_section should have
attributes of .code.
Posted on 2001-11-16 10:31:37 by f0dder
thanks again for that quick answer
Posted on 2001-11-16 10:44:33 by darester
Hi again.
I've just read something about sections in Luevelsmeyer's tutorial about pe files that really confuses me...

f0dder, you said that there is no check if page is executable.
but in Luevelsmeyer's description of a pe file, there are special flags in the section header of a section that describe "execute" access rights:
"If bit 5 (IMAGE_SCN_CNT_CODE) is set, the section contains
executable code."
"If bit 29 (IMAGE_SCN_MEM_EXECUTE) is set, the process gets
'execute'-access to the section's memory."

First of all I'd like to know why there are such flags which describe execution access rights? They would be useless, if what you said was correct, f0dder.
I'd also like to know what the difference between these two flags is? If a section contains executable code, it must be executable in memory, or not? so are they actually the same?

And the last question:
Again: there's a flag which contains information whether the section contains executable code:
"If bit 5 (IMAGE_SCN_CNT_CODE) is set, the section contains
executable code."
There's also a flag for initialized data.
So what if a program is loaded into memory and there is free space in a section which has Bit5 set (section contains executable code) but which does not have the bit set which says that the section contains initialized data. Could I still store data in this section in <m e m o r y>?
Or the other way round: a section was loaded into memory with the bit set that says that the section contains data but the bit which says that it contains executable code not set. could I store executable code in this section if there was free space?

I have an assumption (I don't know if that's correct):
Bit5 (section contains executable code) and the corresponding bits for (un)initialized data which say that there is (un)initialized data in the section don't matter when mapping the file into memory. they are just some information flags for the pe loader. the only flags that matter are:
If bit 30 (IMAGE_SCN_MEM_READ) is set, the process gets
'read'-access to the section's memory.

If bit 31 (IMAGE_SCN_MEM_WRITE) is set, the process gets
'write'-access to the section's memory.

And maybe
If bit 29 (IMAGE_SCN_MEM_EXECUTE) is set, the process gets
'execute'-access to the section's memory.
Which i don't know (yet).


I hope someone can help me, that's really confusing for me.
Thanks in advance.

(I need this information to write some pe tools).
Posted on 2001-11-17 07:30:45 by darester
Yes, there are a bunch of PE flags that don't really matter :). The PE
loader might or might not use these flags when deciding whether
it wants to run your executable... It's been some time since I messed
around with "what can I do and what must I do with these flags",
but it's always better to play safe. Even though there aren't scheduler
checks to see if we're executing in an executable page, those checks
might be implemented in later windows versions, or perhaps they
might make the PE loader check if the entrypoint is inside an executable
page. And some tools might be confused if they don't find the section
flag they expect (win32dasm is a very good example of this).

I'm not even sure if the initialized data flag matters. BSS sections
(i.e., .data?) are, iirc, handled by having a non-zero VirtualSize and a
zero PhysicalSize (or RawSize, depending on what PE header files
you use ;)).

The read/write flags matter though. If you don't set the write flag,
you don't have write access. I'm not sure about the read flag, but
windows might decide to map the page as not-in-memory if you
don't set it... experiment with the flags and see what you come up
with =).

As long as you VirtualProtect(Ex) first, you can do more or less what
you want.
Posted on 2001-11-17 08:26:33 by f0dder
heh thanks again for your reply, you seem to know everything about computers :)

sorry for coming up with this one now, but I forgot about that in the last post (real quick):
in the last post I was asking about using the free space in memory, but what about the space in the file. if there is some free space in a section because of the section alignment in the file, which characteristic flags will I have to consider then?
an example: there's free space in a section which has executable code in it, so this bit is set:
If bit 5 (IMAGE_SCN_CNT_CODE) is set, the section contains
executable code.
So till now the section has executable code in it and it is probably marked executable and readable.
Now I want to add data to this section.
Will I have to set the following bit to be able to add data to this section?:
If bit 6 (IMAGE_SCN_CNT_INITIALIZED_DATA) is set, the section
contains data that gets a defined value before execution starts. In other words: the section's data in the file is meaningful.

If I understood that correctly, then I won't HAVE TO, but I should, right?

But I WILL HAVE TO set the following bit to be able to use this data in memory later (since code sections aren't writable by default):
If bit 31 (IMAGE_SCN_MEM_WRITE) is set, the process gets
'write'-access to the section's memory.

So in the end, this section has the bits set that say that it has code and initialized data in it and the bits that say that it will later have execute access, read access and write access.
Would that be the 100% correct way to achieve this?
Posted on 2001-11-17 08:43:38 by darester
Well, that sounds logical enough :). I don't know if you need to set
the "initialized data" bit, but you certainly have to set the write bit
if you want to be able to write to the data. And one thing that is
very important, always remember the FileAlign and SectionAlign
can be different! It's possible to change FileAlign to SectionAlign,
but you will have to fix up a LOT of RVAs. Changing SectionAlign
is more or less impossible.
Posted on 2001-11-17 09:23:31 by f0dder
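The following is an added example (not code from the thread or from any of its posters) covering two of the points discussed above: f0dder's and hutch's description of the slack between sections, which is at most FileAlignment-1 bytes in the file and up to SectionAlignment-1 bytes in memory, and the later exchange about which Characteristics bits to set when data is stored in a code section's slack. It builds a minimal three-section PE32 image in memory (the image, the section sizes and the blob written into the slack are all constructed for the example; the alignment values 0x200/0x1000 are the ones f0dder cites as typical), walks the section table, reports file and memory slack per section, then writes a blob into .text's file slack, grows VirtualSize to cover it and ORs in IMAGE_SCN_CNT_INITIALIZED_DATA and IMAGE_SCN_MEM_WRITE, the two bits darester settled on. The `patch_file_slack` helper and its flag defaults are this example's own choice, not a documented procedure.

```python
# Added example: measure PE section slack in file and in memory, then use it.
# The image is constructed in memory; nothing here is a real linker's output.
import struct

IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "CNT_CODE", IMAGE_SCN_CNT_INITIALIZED_DATA: "CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "CNT_UNINITIALIZED_DATA", IMAGE_SCN_MEM_EXECUTE: "MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "MEM_READ", IMAGE_SCN_MEM_WRITE: "MEM_WRITE",
}
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000   # assumed typical values, as in the thread
SECTION_HDR = "<8sIIIIIIHHI"             # IMAGE_SECTION_HEADER, 40 bytes

def align_up(n, a):
    return (n + a - 1) & ~(a - 1)

def flag_names(chars):
    return sorted(name for bit, name in FLAG_NAMES.items() if chars & bit)

def build_pe(sections):
    """Constructed minimal PE32: DOS stub, PE signature, COFF header, optional
    header, section table, then raw section data padded to FileAlignment.
    sections: list of (name, raw_bytes, virtual_size, characteristics)."""
    nsec, e_lfanew = len(sections), 0x40
    size_of_headers = align_up(e_lfanew + 4 + 20 + 0xE0 + 40 * nsec, FILE_ALIGN)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, SECT_ALIGN)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)  # SectionAlignment, FileAlignment
    table, body = bytearray(), bytearray()
    rva, raw_ptr = SECT_ALIGN, size_of_headers
    for name, raw, vsize, chars in sections:
        raw_size = align_up(len(raw), FILE_ALIGN)             # this padding is the file slack
        table += struct.pack(SECTION_HDR, name, vsize, rva, raw_size,
                             raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        body += raw + b"\0" * (raw_size - len(raw))
        rva += align_up(max(vsize, raw_size), SECT_ALIGN)     # next section starts page-aligned
        raw_ptr += raw_size
    struct.pack_into("<II", opt, 56, rva, size_of_headers)   # SizeOfImage, SizeOfHeaders
    hdrs = dos + b"PE\0\0" + coff + opt + table
    return bytearray(hdrs + b"\0" * (size_of_headers - len(hdrs)) + body)

def parse_sections(img):
    """Return (SectionAlignment, FileAlignment, [section dicts]) from a PE image."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    sect_align, file_align = struct.unpack_from("<II", img, opt + 32)
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(SECTION_HDR, img, off)
        secs.append(dict(hdr=off, name=name.rstrip(b"\0").decode(), vsize=vsize,
                         va=va, rawsize=rawsize, rawptr=rawptr, chars=chars))
    return sect_align, file_align, secs

def slack_report(img):
    """Per section: (file slack, memory slack) in bytes.
    File slack   = SizeOfRawData - VirtualSize, the FileAlignment padding on disk.
    Memory slack = gap from the end of the section's real bytes to the next
    section's RVA (SectionAlignment padding); for the last section, up to the
    next page boundary. A .bss-style section (SizeOfRawData 0) has no file slack."""
    sect_align, _, secs = parse_sections(img)
    out = {}
    for i, s in enumerate(secs):
        end = s["va"] + s["vsize"]
        next_va = secs[i + 1]["va"] if i + 1 < len(secs) else align_up(end, sect_align)
        out[s["name"]] = (max(s["rawsize"] - s["vsize"], 0), next_va - end)
    return out

def patch_file_slack(img, name, blob,
                     extra_flags=IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE):
    """Write blob into the file slack of section `name`, extend VirtualSize so
    the loader treats it as section content (keeping track of what is slack and
    what is section, as hutch advises), and OR in the Characteristics bits.
    Returns the file offset the blob landed at."""
    _, _, secs = parse_sections(img)
    s = next(x for x in secs if x["name"] == name)
    if s["rawsize"] - s["vsize"] < len(blob):
        raise ValueError("blob larger than the file slack of " + name)
    off = s["rawptr"] + s["vsize"]
    img[off:off + len(blob)] = blob
    struct.pack_into("<I", img, s["hdr"] + 8, s["vsize"] + len(blob))    # VirtualSize
    struct.pack_into("<I", img, s["hdr"] + 36, s["chars"] | extra_flags)  # Characteristics
    return off

def sample_image():
    """Constructed sample: 0x3A0 bytes of code, 0x100 bytes of data, 0x1800-byte .bss."""
    return build_pe([
        (b".text", b"\xC3" * 0x3A0, 0x3A0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", b"\x41" * 0x100, 0x100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".bss", b"", 0x1800, IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])

if __name__ == "__main__":
    img = sample_image()
    for sec, (fs, ms) in slack_report(img).items():
        print("%-6s file slack %5d bytes, memory slack %5d bytes" % (sec, fs, ms))
    off = patch_file_slack(img, ".text", b"settings=42\0")
    print("blob at file offset 0x%X, .text flags now %s" % (off, flag_names(parse_sections(img)[2][0]["chars"])))
```

Running it shows the asymmetry the thread keeps coming back to: the .text section has 96 bytes of slack on disk but 3168 bytes in memory, and .bss has memory slack only. The patch refuses a blob that does not fit the file slack; anything larger would need the last section extended or a new section appended, which is the route f0dder recommends over changing FileAlignment.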