Jump to content
Tuts 4 You

File crash after adding section


FastLife

Recommended Posts

Hello Tuts4you, I created a function which adds a new section to a exe file. Everything seems to be correct, but the new file crashed after adding the new section. After some study, i found the problem is the SizeOfRawData, because when I zero this out, the file runs smoothly.


 


So the problem is I don't know what Im doing wrong. Maybe someone could help me out with this?


 


If you want to see an example of a crashing-file after adding the new section, see attachment.


crashed_file.rar

Link to comment

Thanks my friend, your right! Now it does works :)


 


However, for small files, the new section is empty as it should, but for large files, like 40 MB, the newly created section is filled with random bytes.


Do you know why the section sin't empty?


 


Let me post my source



bool AddSection(AnsiString sectionName, unsigned int sectionSize, DWORD permission)
{
DWORD roffset = 0;
DWORD rsize = 0;
DWORD voffset = 0;
DWORD vsize = 0; PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(this->pINH) + this->pINH->FileHeader.NumberOfSections - 1;
int sectionNameLenght = 0; rsize = PEAlign(sectionSize, this->pINH->OptionalHeader.SectionAlignment);;
vsize = sectionSize;
roffset = PEAlign(pSection->PointerToRawData + pSection->SizeOfRawData, this->pINH->OptionalHeader.FileAlignment);
voffset = PEAlign(pSection->VirtualAddress + pSection->Misc.VirtualSize, this->pINH->OptionalHeader.SectionAlignment ); pSection++;
memset(pSection, 0, (size_t)sizeof(IMAGE_SECTION_HEADER));
pSection->PointerToRawData = roffset;
pSection->VirtualAddress = voffset;
pSection->SizeOfRawData = rsize;
pSection->Misc.VirtualSize = vsize;
pSection->Characteristics = permission; this->pINH->FileHeader.NumberOfSections += 1;
this->pINH->OptionalHeader.SizeOfImage = pSection->VirtualAddress + pSection->Misc.VirtualSize;
// Assign new section-name
memcpy(pSection->Name, sectionName.c_str(), sectionNameLenght); Return true;
}
DWORD PEAlign(DWORD dwTarNum, DWORD dwAlignTo)
{
return (((dwTarNum + dwAlignTo - 1) / dwAlignTo) * dwAlignTo);
}
Link to comment
Extreme Coders

Most probably the file you are looking at (the 40mb one), has appended data after the last section.


In technical terms, this is called overlay.


 


This is common for self extracting archives.


  • Like 1
Link to comment

Thanks! ( And Teddy for the tutorial ).


 


Indeed after checking the file uses a overlay. But do you know what i should do by adding a new section, but leaving the overlay intact?


So in other words, how to append a new section by overlay-files? ( assuming using the source code posted above )


Edited by FastLife
Link to comment

Hi,


 


if your file really used overlay then you can dump & add it again to your file so for this there are some overlay tools (Overlay tool 1.0) to get.If your file used simple overlay then this way should be no problem.On the other hand if your file used advanced overlay then you need to adjust new pointer datas in your overlay itself.



Exsample:
------------------------------------------------------
last section SizeOfRawData = 1000
+
PointerToRawData = 261A00
=
00262A00 002A2600 <-- little endian = old pointer value find 002A2600 in Overlay with winhex (load your new file) Now change this DWORD with your new value and save

Next problem could come if your file also used CRC or filesize or PE Header checks so this you have then also to handle later just if used of course.


 


greetz


  • Like 1
Link to comment
Extreme Coders

@FastLife You would simply copy the overlay somewhere (perhaps a dynamically allocated memory block).


Add the new section (which will overwrite some bytes of the original overlay) and then finally append the copied overlay when done.


  • Like 1
Link to comment

@LCF-AT


Thanks for helping, but it needs to be done programmatically :)


 


 


@extreme coders


So, like tihs?



1. GlobalAlloc -> Allocated block is at: 02400000.
2. CopyMem(allocatedBlock, overLayPointer, sizeof Overlay);
3. Add section.
4. CopyMem(pointerToRawData_fromLastSection + rawSize_fromLastSection, allocatedBlock, sizeof Overlay);

If this is correct, how to get the sizeof Overlay?


Edited by FastLife
Link to comment
Extreme Coders

Size of Overlay = File Size - (Size of Headers + Size of Sections).


 


Size of Headers include dos header, nt header & section table


Size of Sections can be found out by adding Size Of Raw Data for each individual section.


Edited by Extreme Coders
  • Like 1
Link to comment

Thanks man!


 


Got the overlay saved to a serperate file. So after adding a new section and adding the overlay after the new section space, the certificate sign is shown and visible, but got this message: Signature is not valid.


 


So it seems we can't add a new section to a file which has a overlay certificate present


Link to comment
Extreme Coders

The whole objective of digital signatures is to prevent tampering of the executable and adding a new section exactly does that.


 


However there are ways if you would simply want to add an overlay, instead of adding a new section.


See here and here


  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...