📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Resizing PE Code Section

Topic created on: April 13, 2010 16:25 CDT by djnemo.

Hi all...

I coded a simple PE infector that finds a code cave in a PE file and tries to add code in the cave.

The problem is when my code is bigger than the cave?!
Adding a new section is difficult for making a new import table, strings and ... (I checked all of CodeProject),
so the best solution for me is to add my code in the code section.

Is there any way to extend the code section, and how?
Thank you

  HiPPiEkiLLeR     April 17, 2010 21:20.07 CDT
Hi,
Yes, it's possible as long as there are relocations present in the executable.
However, it's not as simple as adding a section, or extending the last section, and requires good knowledge of PE format.

  sjh717142     April 21, 2010 06:59.52 CDT
You can add a new section.

  djnemo     April 22, 2010 09:51.23 CDT
> sjh717142: you can add a new section
Yes, now I have to add a new section in this case, but I am interested in the details of extending the code section. Can anyone help me with that!?
Or has done that before?

  HiPPiEkiLLeR     April 23, 2010 04:20.49 CDT
> djnemo: > Yes now i have to add new section in this case but i interest in Detail of Extending Code Section any one can help me in that !?
> Or do that before

There are asm sources + docs available from z0mbie's homepage:
http://z0mbie.daemonlab.org/inf1sec.zip

  RabidCicada     April 23, 2010 10:01.02 CDT
dj,
You simply have to do your homework.  There is a lot of housekeeping you'd have to do according to the PE format.

First...look at this: https://www.openrce.org/reference_library/files/reference/PE%20Format.pdf

First, you'd have to add your code in literally while making sure not to stomp on other data in the file.  

Each ImageSection is stored in the file and tracked with an IMAGE_SECTION_HEADER.  All of the IMAGE_SECTION_HEADERs follow the DOS and PE header data in the file. Then all the actual ImageSections (actual binary data etc.) are stored following the headers.

For various reasons data is stored in the file, and in memory "aligned" to certain boundaries.  This data is important to update when adding a section or changing a current section.  Alignment determines at what increment of memory data is allowed to be stored.

Here's an example:
File alignment is 400 bytes.  This means you can only start a section at increments of 400 bytes.
You have a 550 byte blob of data.
You have a 250 byte blob of data.

-If the 250 byte blob is stored at offset 0 then the 550 byte blob must be stored at offset 400 (next increment of 400 bytes).
-If the 550 byte blob is stored at offset 0 then the 250 byte blob is stored at 800 (next increment of 400 bytes).
  
If your code fits in the space between the literal end of the current section's data and the next alignment increment, then you are fine and don't have to worry about adjusting anything.  That's because the next section will still be "aligned" (because you didn't move it).

There are two different alignment values you need to worry about.
FileAlignment (from IMAGE_OPTIONAL_HEADER).  This is the alignment used when stored on disk.

If your code overflows the next fileAlignment increment then you will have to adjust every section that follows to start at the appropriate fileAlignment increment.

You also MUST account for the same issue (overflowing the section) in virtual memory also by adjusting similar values in the headers based on SectionAlignment in the IMAGE_OPTIONAL_HEADER.

Overflowing the virtual memory alignment is more difficult to account for because you have to adjust other things.

Note: these two values are related but completely independent, so you must watch both and make adjustments if you overflow either one.

For the section you altered, you will need to:

Extend the Size of your Section:

Extend the Size of Data in the file on Disk:
You can extend the size for the Code section in the SizeOfRawData attribute of the Code Section's IMAGE_SECTION_HEADER.


Extend the Size of the Data as it appears in Virtual memory:
You can extend the size for the Code section in the misc.virtualsize attribute of the Code Section's IMAGE_SECTION_HEADER.

These two values can be different when you're dealing with uninitialized variables in the file.  A header will exist to reserve some virtual memory when the file is loaded into memory even though it has no actual data in the file.  In this case the SizeOfRawData could be different than the Misc.VirtualSize element of IMAGE_SECTION_HEADER.  For the code section these values typically match because you want to move exactly what you have on disk to memory (all your code).

For the sections that you have to move you'll need to:
Actually move the data itself to the next alignment increment.

Move the start location:

Change the PointerToRawData from the IMAGE_SECTION_HEADER to point to the new location of the data.  (I think...it's been a long time since I wrote my PE modifier program)


There is lots more to worry about...but that's a start :).

You also need to worry about Section Characteristics in the IMAGE_SECTION_HEADER.

You also need to worry about relocations in the relocation table (especially when you alter the virtual memory layout).

You also need to worry about.................
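As an added example (not code from this thread, nor from the PE-format reference linked above), here is a small Python checker that reads the header fields RabidCicada lists and reports the inconsistencies a careless section edit leaves behind: raw offsets or sizes that are not multiples of FileAlignment, a section whose raw data now overlaps the next one, non-zero bytes in the alignment padding between Misc.VirtualSize and SizeOfRawData, and sections marked both writable and executable. The sample PE bytes are constructed inside the script; the section names, sizes and file offsets are made up for the demonstration and do not come from any real binary.

```python
"""Section-table sanity checks for a PE32 file (added example, not from the thread).
It reads FileAlignment, SectionAlignment, SizeOfRawData, Misc.VirtualSize,
PointerToRawData and Characteristics and reports layouts where a section was
grown without the sections after it being moved.  The sample PE is constructed
below; every name, size and offset in it is made up."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def align_up(value, alignment):
    """Round value up to the next multiple of alignment (a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)


def parse_pe32(data):
    """Return FileAlignment, SectionAlignment and a list of IMAGE_SECTION_HEADER dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20                          # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled here")
    section_alignment, file_alignment = struct.unpack_from("<II", data, opt + 32)
    sections = []
    for i in range(num_sections):
        off = opt + size_of_opt + 40 * i         # section headers follow the optional header
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": vsize, "VirtualAddress": va,
                         "SizeOfRawData": raw_size, "PointerToRawData": raw_ptr,
                         "Characteristics": characteristics})
    return file_alignment, section_alignment, sections


def check_layout(data):
    """List every alignment, overlap or padding rule the section table breaks."""
    fa, sa, sections = parse_pe32(data)
    findings, prev_raw_end, prev_va_end = [], 0, 0
    for s in sections:
        n, raw_start = s["name"], s["PointerToRawData"]
        raw_end = raw_start + s["SizeOfRawData"]
        if raw_start % fa or s["SizeOfRawData"] % fa:
            findings.append(f"{n}: PointerToRawData/SizeOfRawData not multiples of FileAlignment {fa:#x}")
        if s["VirtualAddress"] % sa:
            findings.append(f"{n}: VirtualAddress not a multiple of SectionAlignment {sa:#x}")
        if raw_start < prev_raw_end:
            findings.append(f"{n}: raw data at {raw_start:#x} overlaps previous section ending at {prev_raw_end:#x}")
        if s["VirtualAddress"] < prev_va_end:
            findings.append(f"{n}: virtual range overlaps the previous section")
        if raw_end > len(data):
            findings.append(f"{n}: raw data runs past the end of the file")
        elif s["SizeOfRawData"] > s["VirtualSize"]:
            # Bytes between the end of real data and the aligned end should be zero padding.
            pad = data[raw_start + s["VirtualSize"]:raw_end]
            if any(pad):
                findings.append(f"{n}: {sum(1 for b in pad if b)} non-zero bytes in alignment padding")
        c = s["Characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{n}: section is both writable and executable")
        prev_raw_end = max(prev_raw_end, raw_end)
        prev_va_end = max(prev_va_end, s["VirtualAddress"] + align_up(max(s["VirtualSize"], 1), sa))
    return findings


def build_sample_pe(text_raw_size=0x200, data_raw_ptr=0x600):
    """Construct a two-section PE32 (FileAlignment 0x200, SectionAlignment 0x1000).
    The defaults give a consistent layout; other values mimic a careless edit."""
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    secs = [(b".text", 0x200, 0x1000, text_raw_size, 0x400, 0x60000020),
            (b".data", 0x050, 0x2000, 0x200, data_raw_ptr, 0xC0000040)]
    hdr = bytearray(0x400)                       # SizeOfHeaders = 0x400
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x400)   # SizeOfImage, SizeOfHeaders
    for i, s in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i, *s[:5], 0, 0, 0, 0, s[5])
    body = bytearray(max(s[4] + s[3] for s in secs) - len(hdr))
    body[0:0x200] = b"\xCC" * 0x200              # .text: 0x200 bytes of int3 at file offset 0x400
    body[data_raw_ptr - 0x400:data_raw_ptr - 0x400 + 0x50] = b"A" * 0x50   # .data payload
    return bytes(hdr + body)


if __name__ == "__main__":
    print("consistent :", check_layout(build_sample_pe()))
    print("grown .text:", check_layout(build_sample_pe(text_raw_size=0x300)))
```

Run stand-alone, the script reports no findings for the consistent layout and three for the layout where `.text`'s SizeOfRawData was bumped to 0x300 without moving `.data`: the size is no longer a FileAlignment multiple, the `.text` "padding" now contains `.data` bytes, and `.data`'s raw range overlaps `.text`. That is the "adjust every section that follows" case from the post; the padding check rests on the same assumption the post makes, that the bytes between a section's real end and its aligned end are unused.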

  djnemo     April 27, 2010 06:43.25 CDT
Really, thank you ALL for helping me, and especially RabidCicada.

Thank you very much OpenRCE :-*
