File crash after adding section

[FastLife]

Hello Tuts4you, I created a function which adds a new section to a exe file. Everything seems to be correct, but the new file crashed after adding the new section. After some study, i found the problem is the SizeOfRawData, because when I zero this out, the file runs smoothly.

 

So the problem is I don't know what Im doing wrong. Maybe someone could help me out with this?

 

If you want to see an example of a crashing-file after adding the new section, see attachment.

crashed_file.rar

[Extreme Coders]

The file did not run, because you did not add any section data in the file.

The raw size of the last section was 0x1000 and so you need at at least that most bytes.

 

Cheers.

 

itview_new (fixed).rar

 

[FastLife]

Thanks my friend, your right! Now it does works

 

However, for small files, the new section is empty as it should, but for large files, like 40 MB, the newly created section is filled with random bytes.

Do you know why the section sin't empty?

 

Let me post my source

bool AddSection(AnsiString sectionName, unsigned int sectionSize, DWORD permission)

{

	DWORD roffset = 0;

	DWORD rsize = 0;

	DWORD voffset = 0;

	DWORD vsize = 0;
	PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(this->pINH) + this->pINH->FileHeader.NumberOfSections - 1;

	int sectionNameLenght = 0;
	rsize = PEAlign(sectionSize, this->pINH->OptionalHeader.SectionAlignment);;

	vsize = sectionSize;

	roffset = PEAlign(pSection->PointerToRawData + pSection->SizeOfRawData, this->pINH->OptionalHeader.FileAlignment);

	voffset = PEAlign(pSection->VirtualAddress + pSection->Misc.VirtualSize, this->pINH->OptionalHeader.SectionAlignment        );
	pSection++;

	memset(pSection, 0, (size_t)sizeof(IMAGE_SECTION_HEADER));

	pSection->PointerToRawData	= roffset;

	pSection->VirtualAddress	= voffset;

	pSection->SizeOfRawData		= rsize;

	pSection->Misc.VirtualSize	= vsize;

	pSection->Characteristics	= permission;
	this->pINH->FileHeader.NumberOfSections += 1;

	this->pINH->OptionalHeader.SizeOfImage = pSection->VirtualAddress + pSection->Misc.VirtualSize;

	// Assign new section-name

	memcpy(pSection->Name, sectionName.c_str(), sectionNameLenght);
	Return true;

}

DWORD PEAlign(DWORD dwTarNum, DWORD dwAlignTo)

{

	return (((dwTarNum + dwAlignTo - 1) / dwAlignTo) * dwAlignTo);

}

[Extreme Coders]

Most probably the file you are looking at (the 40mb one), has appended data after the last section.

In technical terms, this is called overlay.

 

This is common for self extracting archives.

[FastLife]

Thanks! ( And Teddy for the tutorial ).

 

Indeed after checking the file uses a overlay. But do you know what i should do by adding a new section, but leaving the overlay intact?

So in other words, how to append a new section by overlay-files? ( assuming using the source code posted above )

Edited November 19, 2014 by FastLife

[LCF-AT]

Hi,

 

if your file really used overlay then you can dump & add it again to your file so for this there are some overlay tools (Overlay tool 1.0) to get.If your file used simple overlay then this way should be no problem.On the other hand if your file used advanced overlay then you need to adjust new pointer datas in your overlay itself.

Exsample:

------------------------------------------------------

last section SizeOfRawData = 1000

+

PointerToRawData = 261A00

=

00262A00
002A2600  <-- little endian = old pointer value
find 002A2600 in Overlay with winhex (load your new file)
Now change this DWORD with your new value and save

Next problem could come if your file also used CRC or filesize or PE Header checks so this you have then also to handle later just if used of course.

 

greetz

[Extreme Coders]

@FastLife You would simply copy the overlay somewhere (perhaps a dynamically allocated memory block).

Add the new section (which will overwrite some bytes of the original overlay) and then finally append the copied overlay when done.

[FastLife]

@LCF-AT

Thanks for helping, but it needs to be done programmatically

 

 

@extreme coders

So, like tihs?

1. GlobalAlloc -> Allocated block is at: 02400000.

2. CopyMem(allocatedBlock, overLayPointer, sizeof Overlay);

3. Add section.

4. CopyMem(pointerToRawData_fromLastSection + rawSize_fromLastSection, allocatedBlock, sizeof Overlay);

If this is correct, how to get the sizeof Overlay?

Edited November 20, 2014 by FastLife

[Extreme Coders]

Size of Overlay = File Size - (Size of Headers + Size of Sections).

 

Size of Headers include dos header, nt header & section table

Size of Sections can be found out by adding Size Of Raw Data for each individual section.

Edited November 21, 2014 by Extreme Coders

[FastLife]

Thanks man!

 

Got the overlay saved to a serperate file. So after adding a new section and adding the overlay after the new section space, the certificate sign is shown and visible, but got this message: Signature is not valid.

 

So it seems we can't add a new section to a file which has a overlay certificate present

[Extreme Coders]

The whole objective of digital signatures is to prevent tampering of the executable and adding a new section exactly does that.

 

However there are ways if you would simply want to add an overlay, instead of adding a new section.

See here and here

[FastLife]

Thanks for all the help man!