Specify section address?

Index > Windows > Specify section address?

Author

Thread

Ecoste

Joined: 26 Aug 2015
Posts: 5

Ecoste 23 Aug 2016, 23:39

Is it possible to specify the Virtual Offset of a particular section in the generated PE file?

23 Aug 2016, 23:39

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20537
Location: In your JS exploiting you and your system

revolution 23 Aug 2016, 23:56

Do you mean the relative virtual address (RVA)? If so then yes, you use the RVA operator:

Code:

mov eax,RVA my_label

If you mean you want to force a section to a particular offset from the header, then you can make the preceding section as large as needed:

Code:

section ...
;... some code/data here
rb space_filler_value ;some value to increase the in-memory size of the section
section ...  ;the section that needs to have a fixed offset

23 Aug 2016, 23:56

Ecoste

Joined: 26 Aug 2015
Posts: 5

Ecoste 24 Aug 2016, 00:15

revolution wrote:

Do you mean the relative virtual address (RVA)? If so then yes, you use the RVA operator:
Code:
mov eax,RVA my_label    
If you mean you want to force a section to a particular offset from the header, then you can make the preceding section as large as needed:
Code:
section ...
;... some code/data here
rb space_filler_value ;some value to increase the in-memory size of the section
section ...  ;the section that needs to have a fixed offset    

I meant the second thing, I was already doing what you suggested but maybe thought there's a directive or something. I'm very new to fasm.

Thank you for the swift response.

24 Aug 2016, 00:15

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20537
Location: In your JS exploiting you and your system

revolution 24 Aug 2016, 00:21

The documentation PDF shows no "at" or similar setting:

Quote:

section directive defines a new section, it should be followed by quoted string defining the name of section, then one or more section flags can follow. Available flags are: code, data, readable, writeable, executable, shareable, discardable, notpageable. The origin of section is aligned to page (4096 bytes). Example declaration of PE section:

section ’.text’ code readable executable

Among with flags also on of special PE data identifiers can be specified to mark the whole section as a special data, possible identifiers are export, import, resource and fixups. If the section is marked to contain fixups, they are generated automatically and no more data needs to be defined in this section. Also resource data can be generated automatically from the resource file, it can be achieved by writing the from operator and quoted file name after the resource identifier. Below are the examples of sections containing some special PE data:

section ’.reloc’ data readable discardable fixups
section ’.rsrc’ data readable resource from ’my.res’

24 Aug 2016, 00:21

Grom PE

Joined: 13 Mar 2008
Posts: 114
Location: i@grompe.org.ru

Grom PE 24 Aug 2016, 11:34

If for some odd reason you want to have a PE section to be loaded at a specified virtual address, you can put your section first and set image base to desired address minus 0x1000.
Or if you don't want to make it the first section, calculate its address according to sizes of the previous sections, rounded up to multiple of 0x1000.

Edit: had confused physical size and wrote 0x200 instead of 0x1000

Last edited by Grom PE on 24 Aug 2016, 23:19; edited 1 time in total

24 Aug 2016, 11:34

Ecoste

Joined: 26 Aug 2015
Posts: 5

Ecoste 24 Aug 2016, 15:51

Grom PE wrote:

If for some odd reason you want to have a PE section to be loaded at a specified virtual address, you can put your section first and set image base to desired address minus 0x1000.
Or if you don't want to make it the first section, calculate its address according to sizes of the previous sections, rounded up to multiple of 0x200.

I initially set the image base to desired address minus 0x1000, but the program wouldn't run for some reason. I believe the reason is that the image base must be on a multiple of 64K, so I need to load it up and then have a padding section.

I don't have a source for the 64K multiple requirement, except for "The linker issues an error if address is not a multiple of 64K." from https://msdn.microsoft.com/en-us/library/f7f5138s.aspx I think it's a global requirement from Windows for PE files, and not just VS' linker. Can anyone confirm?

24 Aug 2016, 15:51

Grom PE

Joined: 13 Mar 2008
Posts: 114
Location: i@grompe.org.ru

Grom PE 24 Aug 2016, 23:17

Ah, true, Windows 7 64-bit refuses to run an exe if its image base is not multiple of 0x10000.

You can pad the section with "rb" so the padding won't be stored in the file.

24 Aug 2016, 23:17

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20537
Location: In your JS exploiting you and your system

revolution 26 Aug 2016, 07:57

Grom PE wrote:

You can pad the section with "rb" so the padding won't be stored in the file.

Yes, but only if such padding occurs at the end of the section.

You can also use the question mark:

Code:

rb 100 ;pad 100 uninitialised bytes
db 100 dup (?) ;also pad 100 uninitialised bytes

26 Aug 2016, 07:57

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum