Author Topic: Add an empty section to a PE file  (Read 1147 times)

hMihaiDavid

  • Newbie
  • Posts: 6
Add an empty section to a PE file
« on: August 08, 2017, 09:11:54 pm »
https://github.com/hMihaiDavid/addscn

Hi everyone! This is my first post. :)
I didn't know whether to post the code here directly or on github first. I hope it's not a problem.


Basically this program adds an empty section at the end of the file so that it creates a code cave where you can put whatever you want. You can put a shellcode there for example and modify the EntryPoint to fall in there like it is done here:
http://zwclose7.createaforum.com/malware-and-hacking/pe-infection-tutorial/

In the tutorial above the code cave is created expanding an existing section, here we create a new one.
Maybe expanding an existing section is more stealthy but it's always good to have diversity on the forum :D I did it for educational purposes to learn about PE files so the code may be a bit sloppy.

Here's the method to add a section to a PE file (.exe, .dll, .sys, .scr ...)

1) Map the file read-only and check if it is a valid PE file.
2) Check if there is enough room after the last section header to hold another section header.
3) Unmap the file and create a new, bigger mapping. This increases the file size to hold the new section's content, which will be placed right at the end of the file. The size on disk of the section will be the specified VirtualSize aligned up to the FileAlignment.
4) Append the new section header at the end of the section header table. The new section header will have the specified Name, Characteristics and VirtualSize. The PointerToRawData will point to the section's content (the former end of file). SizeOfRawData is VirtualSize aligned up to FileAlignment.

Now we need to calculate the RVA of this new section.

We can observe by looking at the RVAs of the sections of a PE file that they are mapped continuously in ascending order filling up the memory reserved for the module, which is of the size of SizeOfImage.
That is:
The RVA of each section is the next possible RVA after the RVA of the previous section.


Ex. If we have a section .text with RVA 0x1000 and a size of 0x1023, the RVA of the next section will be 0x1000+0x1023 = 0x2023 --> 0x3000 which is 0x2023 aligned up to the next multiple of SectionAlignment (usually 0x1000).
We apply this formula to calculate the RVA of our new section.

5) Update the SizeOfImage.

The SizeOfImage must be the RVA of the last section (our new section) + its VirtualSize but aligned up to the next multiple of SectionAlignment.  It can also be calculated by adding the VirtualSize of the new section to the previous SizeOfImage and then aligning it up to SizeOfImage.

6) Unmap and close the file.

This code works for both 32-bit and 64-bit PE files, but only if it is compiled for the corresponding target architecture. See the GitHub repo on how to use the program. This program has an issue with PE files that have a certificate table (Microsoft Authenticode). See the GitHub repository README for more details on this.

Resources:
https://msdn.microsoft.com/en-us/library/ms809762.aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547(v=vs.85).aspx

http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf
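As an added example (this is not the addscn code from the repository, and the function names add_section and build_sample_pe are my own), the following C program carries out steps 2, 4 and 5 of the method above, plus the RVA calculation, on an in-memory copy of a PE file. It uses the field offsets from the PE specification with hand-rolled little-endian accessors instead of windows.h, so it compiles on any platform; the file mapping of steps 1, 3 and 6 is replaced by a heap buffer that is reallocated to hold the zero-filled cave. The PE32+ header it operates on is constructed inline for the demonstration and is not a real binary.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SECTION_HDR_SIZE 40u   /* sizeof(IMAGE_SECTION_HEADER) */

/* Little-endian field accessors, so the code does not depend on <windows.h>. */
static uint16_t rd16(const uint8_t *b, size_t o) { return (uint16_t)(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *b, size_t o) { return (uint32_t)b[o] | ((uint32_t)b[o + 1] << 8) | ((uint32_t)b[o + 2] << 16) | ((uint32_t)b[o + 3] << 24); }
static void wr16(uint8_t *b, size_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *b, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) b[o + i] = (uint8_t)(v >> (8 * i)); }

/* Round v up to the next multiple of a (PE alignments are powers of two). */
static uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) & ~(a - 1); }

/* Append an empty section `name` with virtual size `vsize` to the PE file image in
 * *buf/*len. The buffer is reallocated to hold the zero-filled section body (the
 * code cave) and the headers are patched in place, following the steps in the post.
 * Returns 0 on success, -1 for an invalid PE, -2 when the section table has no room. */
int add_section(uint8_t **buf, size_t *len, const char *name, uint32_t vsize, uint32_t characteristics)
{
    uint8_t *b = *buf;
    if (*len < 0x40 || b[0] != 'M' || b[1] != 'Z') return -1;
    uint32_t pe = rd32(b, 0x3C);                            /* e_lfanew -> "PE\0\0" */
    if ((size_t)pe + 88 > *len || memcmp(b + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(b, pe + 6);                        /* FileHeader.NumberOfSections */
    uint32_t opt = pe + 24;                                 /* optional header */
    uint16_t magic = rd16(b, opt);
    uint32_t sect_align = rd32(b, opt + 32), file_align = rd32(b, opt + 36);
    if (nsec == 0 || sect_align == 0 || file_align == 0) return -1;
    if (magic != 0x10b && magic != 0x20b) return -1;        /* PE32 / PE32+ */
    uint32_t table = opt + rd16(b, pe + 20);                /* first section header */
    uint32_t new_hdr = table + (uint32_t)nsec * SECTION_HDR_SIZE;
    if ((size_t)new_hdr + SECTION_HDR_SIZE > *len) return -1;

    /* Step 2: the extra header must fit inside SizeOfHeaders and before the first
     * section's raw data, otherwise writing it would clobber section contents. */
    uint32_t limit = rd32(b, opt + 60);                     /* SizeOfHeaders */
    for (uint32_t i = 0; i < nsec; i++) {
        uint32_t h = table + i * SECTION_HDR_SIZE;
        if (rd32(b, h + 16) != 0 && rd32(b, h + 20) < limit) limit = rd32(b, h + 20);
    }
    if (new_hdr + SECTION_HDR_SIZE > limit) return -2;

    /* RVA of the new section: end of the last section, aligned up to SectionAlignment. */
    uint32_t last = table + (uint32_t)(nsec - 1) * SECTION_HDR_SIZE;
    uint32_t new_va = align_up(rd32(b, last + 12) + rd32(b, last + 8), sect_align);
    /* Raw data goes at the (FileAlignment-aligned) end of file, VirtualSize aligned up. */
    uint32_t raw_ptr = align_up((uint32_t)*len, file_align);
    uint32_t raw_size = align_up(vsize, file_align);

    /* Step 3: grow the file; the appended bytes are the zero-filled cave. */
    size_t new_len = (size_t)raw_ptr + raw_size;
    uint8_t *nb = realloc(b, new_len);
    if (!nb) return -1;
    memset(nb + *len, 0, new_len - *len);
    *buf = b = nb; *len = new_len;

    /* Step 4: write the header and bump NumberOfSections. */
    size_t n = strlen(name) > 8 ? 8 : strlen(name);          /* Name is 8 bytes, no NUL needed */
    memset(b + new_hdr, 0, SECTION_HDR_SIZE);
    memcpy(b + new_hdr, name, n);
    wr32(b, new_hdr + 8, vsize);                            /* VirtualSize */
    wr32(b, new_hdr + 12, new_va);                          /* VirtualAddress */
    wr32(b, new_hdr + 16, raw_size);                        /* SizeOfRawData */
    wr32(b, new_hdr + 20, raw_ptr);                         /* PointerToRawData */
    wr32(b, new_hdr + 36, characteristics);
    wr16(b, pe + 6, (uint16_t)(nsec + 1));

    /* Step 5: SizeOfImage = new RVA + VirtualSize, aligned up to SectionAlignment. */
    wr32(b, opt + 56, align_up(new_va + vsize, sect_align));
    return 0;
}

/* Constructed sample (not a real binary): a minimal PE32+ header with two sections,
 * .text at RVA 0x1000 (VirtualSize 0x123) and .data at RVA 0x2000 (VirtualSize 0x80),
 * FileAlignment 0x200, SectionAlignment 0x1000, SizeOfHeaders 0x200, file size 0x600. */
uint8_t *build_sample_pe(size_t *len)
{
    *len = 0x600;
    uint8_t *b = calloc(1, *len);
    if (!b) return NULL;
    b[0] = 'M'; b[1] = 'Z';
    wr32(b, 0x3C, 0x80);                     /* e_lfanew */
    memcpy(b + 0x80, "PE\0\0", 4);
    wr16(b, 0x80 + 4, 0x8664);               /* Machine: x64 */
    wr16(b, 0x80 + 6, 2);                    /* NumberOfSections */
    wr16(b, 0x80 + 20, 240);                 /* SizeOfOptionalHeader (PE32+) */
    uint32_t opt = 0x80 + 24;
    wr16(b, opt, 0x20b);                     /* PE32+ magic */
    wr32(b, opt + 32, 0x1000);               /* SectionAlignment */
    wr32(b, opt + 36, 0x200);                /* FileAlignment */
    wr32(b, opt + 56, 0x3000);               /* SizeOfImage */
    wr32(b, opt + 60, 0x200);                /* SizeOfHeaders */
    const char *names[2] = { ".text", ".data" };
    /* VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData */
    uint32_t f[2][4] = { {0x123, 0x1000, 0x200, 0x200}, {0x80, 0x2000, 0x200, 0x400} };
    for (uint32_t i = 0; i < 2; i++) {
        uint32_t h = opt + 240 + i * SECTION_HDR_SIZE;
        memcpy(b + h, names[i], strlen(names[i]));
        wr32(b, h + 8, f[i][0]); wr32(b, h + 12, f[i][1]);
        wr32(b, h + 16, f[i][2]); wr32(b, h + 20, f[i][3]);
    }
    return b;
}
```

Calling add_section(&img, &len, ".cave", 0x300, 0xE0000020) on the sample gives the new section RVA 0x3000, SizeOfRawData 0x400, PointerToRawData 0x600 and a SizeOfImage of 0x4000; a further call fails with -2 because the third header already ends exactly at SizeOfHeaders. The characteristics value is IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, the usual choice for a cave that will hold code. Two caveats when applying this to a real file: the checksum in the optional header is not recomputed here, and appending bytes after an Authenticode certificate table both moves the end of file and breaks the signature, which is the Authenticode issue mentioned above.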

xchg

  • Administrator
  • Newbie
  • Posts: 35
Re: Add an empty section to a PE file
« Reply #1 on: August 11, 2017, 11:18:54 pm »
Hey, great job on the example. I'm sure quite a few people could learn a thing or two from this code :)

One question:
You said that if there isn't room for a new image section header structure, it won't modify the file; but if you are allocating room for the new code anyway, why not just allocate room for another image section header structure?

All you have to do is allocate additional memory of size:

FileAlignment * ((sizeof(IMAGE_SECTION_HEADER) / FileAlignment) + 1)

to the end of the PE headers?

Afterwards, all that is required is adding the additional size to the existing sections' PointerToRawData offset

These are the steps I followed when replicating your method in a project some weeks ago, so needless to say I am a fan of the method :)

Regardless, excellent contribution. Keep up the good work!

hMihaiDavid

  • Newbie
  • Posts: 6
Re: Add an empty section to a PE file
« Reply #2 on: August 12, 2017, 12:01:24 am »
Thanks, I'm glad you like the post! ^.^

You're totally right, the only thing that needs to be done in order to make room for the section header, in case there is not already, is to make a bigger mapping the second time to enlarge the file size even more and displace all the sections' raw data down to make room for the section header, then fix the PointerToRawData because the sections' raw data has moved. I haven't done it for simplicity. I will try to do it in the near future. Feel free to do it yourself and collaborate on the repository. :) :)

xchg

  • Administrator
  • Newbie
  • Posts: 35
Re: Add an empty section to a PE file
« Reply #3 on: August 12, 2017, 09:59:14 am »
OT: I enjoy how you structured the code. It was easy to read and explanations were placed when required.

If I may ask, was there an original purpose in the making of this code?

hMihaiDavid

  • Newbie
  • Posts: 6
Re: Add an empty section to a PE file
« Reply #4 on: August 13, 2017, 03:05:08 pm »
If by purpose you mean I need this for a specific task then no.  :)
The purpose was to do something in my free time instead of procrastinating haha and of course learning, I didn't actually know how to do this until I got my hands dirty.  ;D


xchg

  • Administrator
  • Newbie
  • Posts: 35
Re: Add an empty section to a PE file
« Reply #5 on: August 13, 2017, 09:05:09 pm »
Well, regardless of the reasons for your development, excellent work.

Looking forward to seeing what comes of this.
