API automate rebuilding PE?

[chickenbutt]

Can someone give me some code or the API calls that save people from having to write PE code? Like say I wanted to modify existing PE's code section and rebuild? Without all the binary searches and operations.

I believe you can do it with virtual map calls and the IMAGE structs, but I'm not sure. Thanks. Any language is fine.

[Killboy]

There are frameworks like TitanEngine (has SDK bindings for C/C++/Delphi/LUA/MASM/Python). It's a nobrainer to add a new section to an existing binary, it's also able to realign the PE (if that's what youre referring to by 'rebuild')

Other libs include:

PeLib (C++)

pefile (Python)

yzpelib (MASM)

There is no Windows API for this, if you want to go about this manually, this is the one and only doc you'll need:

Microsoft PE and COFF Specification

Also, The Art of Disassembly might be interesting, as it explains the PE specs with more erotic illustration.

All the mentioned libraries only abstract from the parsing, I think it's always better to know what is done behind the curtains and write a few tools like that myself and then switch to those kind of libs to save time (and not knowledge!)

Edited May 20, 2011 by Killboy

[chickenbutt]

Thanks. I know the spec, I just want to do it for the x86 non-MSIL PE. I think I'll use one off those libs.

[Aguila]

There are a few windows APIs for PE modifying. But they are not enough for most operations:

/>http://msdn.microsoft.com/en-us/library/ms680181%28v=VS.85%29.aspx

CheckSumMappedFile is useful

[chickenbutt]

There are a few windows APIs for PE modifying. But they are not enough for most operations:

/>http://msdn.microsoft.com/en-us/library/ms680181%28v=VS.85%29.aspx

CheckSumMappedFile is useful

Yeah I think you use these libs or image structs to get PE data, section data is all binary work, and you gotta mind byte endianness. That sucks because it takes a long time unless you have people working on a SVN or something..Then you still gotta generate VM data and debug your stubs and stuff