flat assembler
Message board for the users of flat assembler.

insert bytes

TheLord



Hi,

Can someone tell me how I can add bytes in the middle of a mapped file, not appending to the end?

PS: this is for packer purposes :)

The exact need is to add a section header to a PE file, at the end of the last section.

I actually lower down the whole file from the last section header by inserting my new section header. Unfortunately it only works if there is some kind of padding! And most of the files are corrupted after the operation, needing a strong realignment on ALL the previous sections, which is not what I want to do ...

I hope I explained it clearly; I even have a hard time understanding myself here :/

see ya
Post 09 May 2009, 16:33
pal



One way could be to map the size of memory so that you have sizeof(file) + sizeof(section to add). Fill the memory. You will then have to shift all of the bytes at the point you want to add by the size of the section you are adding. You can use the PE header structures to navigate the PE file. There are members which tell you how many sections there are and offsets to them (only the first one?).
Post 09 May 2009, 16:40
revolution
It is common to just add extra sections at the end of a PE file and just change the entry point. This is much easier than having to completely realign the whole file (which may be impossible to do with many files).
Post 09 May 2009, 17:33
TheLord



I was misunderstanding my problem.

Many exes just add nothing next to the end of the last section, and there is enough free space to put a new section header.

It is not the case for all the files.

It seems that some others (such as regedit.exe, calc.exe => I tested those) put extra data like the BOUNDIMPORTS table.

I did raise the BOUNDIMPORT size and addr to 0 in the corresponding data directory structure; it seems to work fine now.

revolution, do you think this trick will cover all cases, or is there something I still don't know?
Post 09 May 2009, 18:43
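The header layout discussed in the post above, as an added example that is not part of the original thread: a read-only Python check of how much room follows the section table and whether the bound import directory occupies the next 40-byte header slot. The names `header_slack` and `sample_pe32` are hypothetical, and the sample header is constructed for illustration, not taken from a real program.

```python
import struct

SECTION_HDR = 40   # sizeof(IMAGE_SECTION_HEADER)
BOUND_IMPORT = 11  # IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT

def header_slack(pe: bytes) -> dict:
    """Read-only report on the space that follows the section table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                 # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]             # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]        # SizeOfOptionalHeader
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]                # PE32 / PE32+
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]          # NumberOfRvaAndSizes
    bound = struct.unpack_from("<II", pe, dirs + 8 * BOUND_IMPORT) if ndirs > BOUND_IMPORT else (0, 0)
    table = opt + opt_size
    table_end = table + nsec * SECTION_HDR
    raws = [struct.unpack_from("<I", pe, table + i * SECTION_HDR + 20)[0] for i in range(nsec)]
    first_raw = min((r for r in raws if r), default=len(pe))   # first section data on disk
    slot = pe[table_end:table_end + SECTION_HDR]
    # Inside the headers RVA == file offset, so the directory RVA compares directly.
    hits = bound[1] > 0 and bound[0] < table_end + SECTION_HDR and bound[0] + bound[1] > table_end
    return {
        "table_end": table_end,
        "free_bytes": first_raw - table_end,
        "slot_is_zero": len(slot) == SECTION_HDR and not any(slot),
        "bound_import": bound,
        "slot_hits_bound_import": hits,
    }

def sample_pe32(bound_size: int) -> bytes:
    """Constructed PE32 header area with one section (sample data, not a real program)."""
    pe = bytearray(0x600)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                     # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x14C, 1)                # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x94, 0xE0)                     # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x98, 0x10B)                    # PE32 magic
    struct.pack_into("<I", pe, 0x98 + 92, 16)                  # NumberOfRvaAndSizes
    table_end = 0x98 + 0xE0 + SECTION_HDR
    if bound_size:                                             # place table right after the headers
        struct.pack_into("<II", pe, 0x98 + 96 + 8 * BOUND_IMPORT, table_end, bound_size)
        pe[table_end:table_end + bound_size] = b"\x01" * bound_size
    struct.pack_into("<II", pe, 0x98 + 0xE0 + 16, 0x200, 0x400)  # SizeOfRawData, PointerToRawData
    return bytes(pe)
```

A large `free_bytes` value alone is not enough: when `slot_hits_bound_import` is true, the bytes after the section table are already in use.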
revolution
Somehow I doubt it. Most "tricks" have a habit of not working in many cases.

What is wrong with tacking on an extra section for all files? No tricks required.
Post 09 May 2009, 18:53
pal



Just look for a possible code cave in the data. Do like revolution said and save yourself some time and trouble.
Post 09 May 2009, 19:05
TheLord



revolution wrote:

What is wrong with tacking on an extra section for all files? No tricks required.


Losing the time I already spent :p

But you have to be right. I tested some other files; it does not work on all of them :(

Example: ollydbg.exe + adding the section (the way I do it) just corrupts the modded PE.

I can't believe I have to work again from the beginning ...
Post 09 May 2009, 19:28
Copyright © 1999-2020, Tomasz Grysztar.
