FastLife Posted November 19, 2014

Hello Tuts4you,

I created a function which adds a new section to an exe file. Everything seems to be correct, but the new file crashed after adding the new section. After some study, I found the problem is the SizeOfRawData, because when I zero this out, the file runs smoothly. So the problem is I don't know what I'm doing wrong. Maybe someone could help me out with this?

If you want to see an example of a crashing file after adding the new section, see attachment.

crashed_file.rar

Extreme Coders Posted November 19, 2014

The file did not run because you did not add any section data in the file. The raw size of the last section was 0x1000, so you need at least that many bytes.

Cheers.

itview_new (fixed).rar

FastLife Posted November 19, 2014 (Author)

Thanks my friend, you're right! Now it does work.

However, for small files, the new section is empty as it should be, but for large files, like 40 MB, the newly created section is filled with random bytes. Do you know why the section isn't empty?

Let me post my source:

```cpp
bool AddSection(AnsiString sectionName, unsigned int sectionSize, DWORD permission)
{
    DWORD roffset = 0;
    DWORD rsize = 0;
    DWORD voffset = 0;
    DWORD vsize = 0;

    // Start at the last existing section header
    PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(this->pINH) + this->pINH->FileHeader.NumberOfSections - 1;

    // Section names are at most IMAGE_SIZEOF_SHORT_NAME (8) bytes
    int sectionNameLenght = sectionName.Length();
    if (sectionNameLenght > IMAGE_SIZEOF_SHORT_NAME)
        sectionNameLenght = IMAGE_SIZEOF_SHORT_NAME;

    rsize = PEAlign(sectionSize, this->pINH->OptionalHeader.SectionAlignment);
    vsize = sectionSize;

    // The new section starts where the last one ends, in the file and in memory
    roffset = PEAlign(pSection->PointerToRawData + pSection->SizeOfRawData, this->pINH->OptionalHeader.FileAlignment);
    voffset = PEAlign(pSection->VirtualAddress + pSection->Misc.VirtualSize, this->pINH->OptionalHeader.SectionAlignment);

    // Move to the slot for the new section header and fill it in
    pSection++;
    memset(pSection, 0, (size_t)sizeof(IMAGE_SECTION_HEADER));
    pSection->PointerToRawData = roffset;
    pSection->VirtualAddress = voffset;
    pSection->SizeOfRawData = rsize;
    pSection->Misc.VirtualSize = vsize;
    pSection->Characteristics = permission;

    this->pINH->FileHeader.NumberOfSections += 1;
    // SizeOfImage must be a multiple of SectionAlignment
    this->pINH->OptionalHeader.SizeOfImage = PEAlign(pSection->VirtualAddress + pSection->Misc.VirtualSize, this->pINH->OptionalHeader.SectionAlignment);

    // Assign new section name
    memcpy(pSection->Name, sectionName.c_str(), sectionNameLenght);
    return true;
}

// Round dwTarNum up to the next multiple of dwAlignTo
DWORD PEAlign(DWORD dwTarNum, DWORD dwAlignTo)
{
    return (((dwTarNum + dwAlignTo - 1) / dwAlignTo) * dwAlignTo);
}
```

Extreme Coders Posted November 19, 2014

Most probably the file you are looking at (the 40 MB one) has appended data after the last section. In technical terms, this is called overlay. This is common for self-extracting archives.

FastLife Posted November 19, 2014 (Author)

Thanks! (And Teddy for the tutorial.) Indeed, after checking, the file uses an overlay.

But do you know what I should do to add a new section while leaving the overlay intact? So in other words, how to append a new section to files with an overlay? (Assuming using the source code posted above.)

Edited November 19, 2014 by FastLife

LCF-AT Posted November 19, 2014

Hi,

if your file really used overlay then you can dump it and add it again to your file, so for this there are some overlay tools (Overlay tool 1.0) to get. If your file used simple overlay then this way should be no problem. On the other hand, if your file used advanced overlay then you need to adjust the new pointer data in your overlay itself.

Example:

------------------------------------------------------
last section
SizeOfRawData = 1000 + PointerToRawData = 261A00 = 00262A00
002A2600 <-- little endian = old pointer value
find 002A2600 in Overlay with winhex (load your new file)
Now change this DWORD with your new value and save

The next problem could come if your file also used CRC or filesize or PE Header checks, so this you then also have to handle later, just if used of course.

greetz

Extreme Coders Posted November 20, 2014

@FastLife

You would simply copy the overlay somewhere (perhaps a dynamically allocated memory block). Add the new section (which will overwrite some bytes of the original overlay) and then finally append the copied overlay when done.

FastLife Posted November 20, 2014 (Author)

@LCF-AT

Thanks for helping, but it needs to be done programmatically.

@extreme coders

So, like this?

1. GlobalAlloc -> Allocated block is at: 02400000.
2. CopyMem(allocatedBlock, overLayPointer, sizeof Overlay);
3. Add section.
4. CopyMem(pointerToRawData_fromLastSection + rawSize_fromLastSection, allocatedBlock, sizeof Overlay);

If this is correct, how to get the sizeof Overlay?

Edited November 20, 2014 by FastLife

Extreme Coders Posted November 21, 2014

Size of Overlay = File Size - (Size of Headers + Size of Sections).

Size of Headers includes the DOS header, NT header & section table.
Size of Sections can be found by adding the Size Of Raw Data for each individual section.

Edited November 21, 2014 by Extreme Coders

FastLife Posted November 21, 2014 (Author)

Thanks man! Got the overlay saved to a separate file.

So after adding a new section and adding the overlay after the new section space, the certificate sign is shown and visible, but I got this message: Signature is not valid.

So it seems we can't add a new section to a file which has an overlay certificate present.

Extreme Coders Posted November 21, 2014

The whole objective of digital signatures is to prevent tampering of the executable, and adding a new section does exactly that.

However, there are ways if you would simply want to add an overlay, instead of adding a new section. See here and here
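
An added example, not code from any poster in this thread: a bounds-checked C routine that locates the overlay discussed above and reports the Security data directory, which shows when the "overlay" is really the embedded certificate table. It takes the end of the image as the highest PointerToRawData + SizeOfRawData in the section table, so alignment padding is not counted as overlay; `pe_overlay`, `make_sample` and `overlay_info` are hypothetical names and the sample file is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { size_t off, size; uint32_t cert_off, cert_size; } overlay_info;

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Overlay = every byte past the highest PointerToRawData + SizeOfRawData.
   Also reports the Security data directory (index 4), which holds a file offset. */
int pe_overlay(const uint8_t *buf, size_t len, overlay_info *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                     /* "MZ" */
    size_t nt = rd32(buf + 0x3C);                                         /* e_lfanew */
    if (nt > len || len - nt < 24 || rd32(buf + nt) != 0x4550) return -1; /* "PE\0\0" */
    uint32_t nsec = rd16(buf + nt + 6), optsz = rd16(buf + nt + 20);
    size_t opt = nt + 24, sec = opt + optsz;       /* optional header, section table */
    if (sec > len || (len - sec) / 40 < nsec) return -1;
    uint64_t end = sec + 40u * nsec;               /* end of the headers */
    for (uint32_t i = 0; i < nsec; i++) {
        uint64_t raw_size = rd32(buf + sec + 40u * i + 16), raw_ptr = rd32(buf + sec + 40u * i + 20);
        if (raw_size && raw_ptr + raw_size > end) end = raw_ptr + raw_size;
    }
    if (end > len) return -1;                      /* section data runs past EOF */
    *out = (overlay_info){ (size_t)end, len - (size_t)end, 0, 0 };
    size_t dd = opt + 128 + ((optsz >= 2 && rd16(buf + opt) == 0x20B) ? 16 : 0); /* PE32 / PE32+ */
    if (dd + 8 <= sec) { out->cert_off = rd32(buf + dd); out->cert_size = rd32(buf + dd + 4); }
    return 0;
}

/* Constructed sample: PE32 headers, one 0x200-byte section at 0x200, 16 overlay bytes. */
size_t make_sample(uint8_t *buf, int with_cert)
{
    memset(buf, 0, 0x410);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, 0x40); wr32(buf + 0x40, 0x4550);
    buf[0x46] = 1; buf[0x54] = 0xE0; wr32(buf + 0x58, 0x10B); /* 1 section, opt. header size, PE32 */
    if (with_cert) { wr32(buf + 0xD8, 0x400); wr32(buf + 0xDC, 0x10); } /* Security directory */
    wr32(buf + 0x148, 0x200); wr32(buf + 0x14C, 0x200);       /* SizeOfRawData, PointerToRawData */
    return 0x410;
}

int main(void)
{
    static uint8_t buf[0x410]; overlay_info o;
    if (pe_overlay(buf, make_sample(buf, 1), &o)) return 1;
    printf("overlay 0x%zx (+%zu), certificate table 0x%x (+%u)\n", o.off, o.size, o.cert_off, o.cert_size);
    return 0;
}
```

When `cert_off` falls inside the reported overlay range, the trailing bytes hold the signature, so a tool that edits the section table should expect signature validation to fail afterwards.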

FastLife Posted November 22, 2014 (Author)

Thanks for all the help man!