information
the aim of this tutorial is to show a cleaner way to add our code, by appending our own section at the end of the file. we won't really reverse any program in this tutorial, because the main reversing methods have already been seen in the previous tutorials. our target is a small program written for the purpose.
required files
lesson 3 files - all the files needed for lesson 3
tools used
hex workshop
tutorial
I. the sections
that's the dos header structure (the "offset in target" column is the file offset of each element in our target, and "value" is what the target contains where it matters to us) :

IMAGE_DOS_HEADER STRUCT
  element     type            offset in target   value
  e_magic     WORD ?          0h
  e_cblp      WORD ?          2h
  e_cp        WORD ?          4h
  e_crlc      WORD ?          6h
  e_cparhdr   WORD ?          8h
  e_minalloc  WORD ?          0ah
  e_maxalloc  WORD ?          0ch
  e_ss        WORD ?          0eh
  e_sp        WORD ?          10h
  e_csum      WORD ?          12h
  e_ip        WORD ?          14h
  e_cs        WORD ?          16h
  e_lfarlc    WORD ?          18h
  e_ovno      WORD ?          1ah
  e_res       WORD 4 dup(?)   1ch
  e_oemid     WORD ?          24h
  e_oeminfo   WORD ?          26h
  e_res2      WORD 10 dup(?)  28h
  e_lfanew    DWORD ?         3ch                0c8h
IMAGE_DOS_HEADER ENDS

the dos header is followed by the pe header. that's the pe header structure :

IMAGE_NT_HEADERS STRUCT
  element         type                         offset in target
  Signature       DWORD ?                      0c8h
  FileHeader      IMAGE_FILE_HEADER <>         0cch
  OptionalHeader  IMAGE_OPTIONAL_HEADER32 <>   0e0h
IMAGE_NT_HEADERS ENDS

that's the fileheader structure :

IMAGE_FILE_HEADER STRUCT
  element               type      offset in target   value
  Machine               WORD ?    0cch
  NumberOfSections      WORD ?    0ceh               4h
  TimeDateStamp         DWORD ?   0d0h
  PointerToSymbolTable  DWORD ?   0d4h
  NumberOfSymbols       DWORD ?   0d8h
  SizeOfOptionalHeader  WORD ?    0dch               0e0h
  Characteristics       WORD ?    0deh
IMAGE_FILE_HEADER ENDS

and that's the optionalheader structure :

IMAGE_OPTIONAL_HEADER32 STRUCT
  element                      type                                                          offset in target   value
  Magic                        WORD ?                                                        0e0h
  MajorLinkerVersion           BYTE ?                                                        0e2h
  MinorLinkerVersion           BYTE ?                                                        0e3h
  SizeOfCode                   DWORD ?                                                       0e4h
  SizeOfInitializedData        DWORD ?                                                       0e8h
  SizeOfUninitializedData      DWORD ?                                                       0ech
  AddressOfEntryPoint          DWORD ?                                                       0f0h
  BaseOfCode                   DWORD ?                                                       0f4h
  BaseOfData                   DWORD ?                                                       0f8h
  ImageBase                    DWORD ?                                                       0fch
  SectionAlignment             DWORD ?                                                       100h               1000h
  FileAlignment                DWORD ?                                                       104h               200h
  MajorOperatingSystemVersion  WORD ?                                                        108h
  MinorOperatingSystemVersion  WORD ?                                                        10ah
  MajorImageVersion            WORD ?                                                        10ch
  MinorImageVersion            WORD ?                                                        10eh
  MajorSubsystemVersion        WORD ?                                                        110h
  MinorSubsystemVersion        WORD ?                                                        112h
  Win32VersionValue            DWORD ?                                                       114h
  SizeOfImage                  DWORD ?                                                       118h               5000h
  SizeOfHeaders                DWORD ?                                                       11ch
  CheckSum                     DWORD ?                                                       120h
  Subsystem                    WORD ?                                                        124h
  DllCharacteristics           WORD ?                                                        126h
  SizeOfStackReserve           DWORD ?                                                       128h
  SizeOfStackCommit            DWORD ?                                                       12ch
  SizeOfHeapReserve            DWORD ?                                                       130h
  SizeOfHeapCommit             DWORD ?                                                       134h
  LoaderFlags                  DWORD ?                                                       138h
  NumberOfRvaAndSizes          DWORD ?                                                       13ch
  DataDirectory                IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)  140h
IMAGE_OPTIONAL_HEADER32 ENDS

open the target in the hex editor. you're at offset 0h, where the dos signature is. the offset of the pe header is given by the e_lfanew element, so go 60 bytes further, to offset 3ch. the dword there is the pointer to the pe header. it's c8h, so go to offset c8h : there's the pe signature. go 4 bytes further and you're at the beginning of the IMAGE_FILE_HEADER structure, at 0cch. we want the size of the optional header, so go 16 bytes further, to 0dch : the word at that offset is the size of the optional header, e0h. go 4 bytes further (past that word and the Characteristics word) and you're at the beginning of the IMAGE_OPTIONAL_HEADER32 structure, at offset e0h. since the optional header is e0h bytes long, it ends at e0h + e0h = 1c0h, so go to offset 1c0h. there the IMAGE_SECTION_HEADER structures start, one per section :
IMAGE_SECTION_HEADER STRUCT
Name1 db IMAGE_SIZEOF_SHORT_NAME dup(?)
union Misc
PhysicalAddress dd ?
VirtualSize dd ?
ends
VirtualAddress dd ?
SizeOfRawData dd ?
PointerToRawData dd ?
PointerToRelocations dd ?
PointerToLinenumbers dd ?
NumberOfRelocations dw ?
NumberOfLinenumbers dw ?
Characteristics dd ?
IMAGE_SECTION_HEADER ENDS
we're going to add our own. but remember that we'll have to increase the IMAGE_FILE_HEADER.NumberOfSections word, choose the elements of the new IMAGE_SECTION_HEADER structure according to IMAGE_OPTIONAL_HEADER32.SectionAlignment and IMAGE_OPTIONAL_HEADER32.FileAlignment, and change the IMAGE_OPTIONAL_HEADER32.SizeOfImage element.

II. adding a new section
if you look at the IMAGE_FILE_HEADER.NumberOfSections word at offset 0ceh, it shows 4h. increase it to 5h. since the size of an IMAGE_SECTION_HEADER is 28h, the offset where we should add our section header is 1c0h + 4h * 28h = 260h, and the header of the last existing section is at 1c0h + 3h * 28h = 238h. go there. we'll first gather some information :

element   value          offset in target
name1     .rsrc,0,0,0    238h
vSize     00000480h      240h
vAddress  00004000h      244h
rSize     00000600h      248h
rOffset   00000a00h      24ch

so go to offset 260h. type a name, it must be 8 bytes (pad it with zeros). then we have to choose a size for the section, for example 400h bytes, so vSize and rSize are both 400h (400h is already a multiple of the FileAlignment). SizeOfImage has to cover the new section and stay a multiple of SectionAlignment, so change the IMAGE_OPTIONAL_HEADER32.SizeOfImage element at offset 118h from 5000h to 6000h (5000h + 400h rounded up to 1000h). now, for the vAddress, we have to compute where the .rsrc section ends, that is .rsrc.vAddress + .rsrc.vSize rounded up to the SectionAlignment element, 1000h : 4000h + 480h = 4480h, rounded up to 1000h that is 5000h, so vAddress is 5000h. rOffset is .rsrc.rOffset + .rsrc.rSize rounded up to the FileAlignment element, 200h : 0a00h + 600h = 1000h, which is already aligned, so rOffset is 1000h. we have to execute code and store data in our section, so the characteristics are c0000040h (IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE). note that this value has no IMAGE_SCN_MEM_EXECUTE bit (20000000h) : it runs on a 32-bit windows without DEP, where a readable page can be executed, but with DEP enabled the section must be marked e0000040h (or e0000060h, with IMAGE_SCN_CNT_CODE as well) or the code in it will fault. so we have to write this in the target :

element          value           offset in target
name1            '.mysec',0,0    260h
vSize            00000400h       268h
vAddress         00005000h       26ch
rSize            00000400h       270h
rOffset          00001000h       274h
characteristics  c0000040h       284h

remember that you have to write the dword values in little endian format : for example vSize at offset 268h is written as the bytes 00,04,00,00. the other elements of the header (PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers) stay 0. before writing, check that the 28h bytes at 260h are still zero, that is, the header area has room for a fifth header (the first section's raw data must start at or after 288h). finally, the section has to exist in the file : .rsrc ends at 0a00h + 600h = 1000h, which should be the end of the file, so append 400h bytes (zeros for now) so that the file is 1400h bytes long and rOffset + rSize points inside it. the section has been added.
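the same procedure, done with a script instead of the hex editor, as an added example that is not part of the lesson : it walks the headers exactly as above, computes the aligned vAddress and rOffset from the last section, checks that the header slot is free, writes the new IMAGE_SECTION_HEADER, bumps NumberOfSections, rounds SizeOfImage up to SectionAlignment and appends the raw data. build_lesson_image() is a constructed PE32 with the lesson's header layout (e_lfanew = c8h, 4 sections, .rsrc at 4000h/480h/0a00h/600h, SizeOfImage 5000h), not the real target : its code and data bytes are all zero. the section name, the 400h size and the e0000060h characteristics (the lesson's c0000040h plus IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE, so that it also runs under DEP) are the example's own choices.

```python
import struct

# constants from winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
SECTION_HEADER_SIZE = 0x28
SECTION_HEADER_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, little endian
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def align_up(value, alignment):
    """round value up to the next multiple of alignment (a power of two)"""
    return (value + alignment - 1) & ~(alignment - 1)


def parse_headers(pe):
    """MZ -> e_lfanew -> PE -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32,
    the same walk as in the hex editor; returns the fields the procedure needs"""
    if struct.unpack_from("<H", pe, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if struct.unpack_from("<I", pe, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    file_hdr = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20                       # sizeof(IMAGE_FILE_HEADER) == 14h
    if struct.unpack_from("<H", pe, opt_hdr)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 is handled here")
    section_align, file_align = struct.unpack_from("<II", pe, opt_hdr + 0x20)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt_hdr + 0x38)
    return {"file_hdr": file_hdr, "opt_hdr": opt_hdr, "num_sections": num_sections,
            "section_align": section_align, "file_align": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sect_table": opt_hdr + opt_size}     # first IMAGE_SECTION_HEADER


def section_header(pe, index):
    """(name, vSize, vAddress, rSize, rOffset, characteristics) of section `index`"""
    off = parse_headers(pe)["sect_table"] + index * SECTION_HEADER_SIZE
    name, vsize, va, rsize, raw, _, _, _, _, flags = struct.unpack_from(SECTION_HEADER_FMT, pe, off)
    return name.rstrip(b"\0").decode("ascii"), vsize, va, rsize, raw, flags


def add_section(pe, name, size, characteristics):
    """append a zero-filled section of `size` bytes and return the new image"""
    h = parse_headers(pe)
    buf = bytearray(pe)
    n = h["num_sections"]
    new_hdr = h["sect_table"] + n * SECTION_HEADER_SIZE
    # the new header must fit in the header area and overwrite only padding
    if new_hdr + SECTION_HEADER_SIZE > h["size_of_headers"]:
        raise ValueError("no room for another section header")
    if any(buf[new_hdr:new_hdr + SECTION_HEADER_SIZE]):
        raise ValueError("section header slot is not empty")
    # the new section follows the last one, rounded up to the alignments
    _, last_vsize, last_va, last_rsize, last_raw, _ = section_header(pe, n - 1)
    va = align_up(last_va + last_vsize, h["section_align"])
    raw = align_up(last_raw + last_rsize, h["file_align"])
    raw_size = align_up(size, h["file_align"])
    if len(buf) > raw:
        raise ValueError("data past the last section (overlay); refusing to overwrite it")
    name_b = name.encode("ascii")
    if len(name_b) > 8:
        raise ValueError("section name is at most 8 bytes")
    struct.pack_into(SECTION_HEADER_FMT, buf, new_hdr, name_b.ljust(8, b"\0"),
                     size, va, raw_size, raw, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", buf, h["file_hdr"] + 2, n + 1)                  # NumberOfSections
    struct.pack_into("<I", buf, h["opt_hdr"] + 0x38,
                     align_up(va + size, h["section_align"]))              # SizeOfImage
    buf.extend(b"\0" * (raw + raw_size - len(buf)))                        # the raw data itself
    return bytes(buf)


def build_lesson_image():
    """constructed PE32 with the lesson's header layout; not the real target"""
    buf = bytearray(0x1000)
    struct.pack_into("<H", buf, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", buf, 0x3C, 0xC8)                                   # e_lfanew
    struct.pack_into("<I", buf, 0xC8, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", buf, 0xCC, 0x14C, 4, 0, 0, 0, 0xE0, 0x0102)  # IMAGE_FILE_HEADER
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6          # standard fields, 60h bytes
    struct.pack_into(opt_fmt, buf, 0xE0,
                     0x10B, 6, 0, 0x200, 0x600, 0, 0x1000, 0x1000, 0x2000, 0x400000,
                     0x1000, 0x200,                      # SectionAlignment, FileAlignment
                     4, 0, 0, 0, 4, 0, 0,
                     0x5000, 0x400,                      # SizeOfImage, SizeOfHeaders
                     0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    sections = [(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),
                (b".rdata", 0x100, 0x2000, 0x200, 0x600, 0x40000040),
                (b".data", 0x100, 0x3000, 0x200, 0x800, 0xC0000040),
                (b".rsrc", 0x480, 0x4000, 0x600, 0xA00, 0x40000040)]
    for i, (nm, vsize, va, rsize, raw, flags) in enumerate(sections):
        struct.pack_into(SECTION_HEADER_FMT, buf, 0x1C0 + i * SECTION_HEADER_SIZE,
                         nm.ljust(8, b"\0"), vsize, va, rsize, raw, 0, 0, 0, 0, flags)
    return bytes(buf)


if __name__ == "__main__":
    img = add_section(build_lesson_image(), ".mysec", 0x400,
                      IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA |
                      IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    print(section_header(img, 4), hex(parse_headers(img)["size_of_image"]), hex(len(img)))
```

on the constructed image the new header lands at 260h with vAddress 5000h and rOffset 1000h, NumberOfSections becomes 5 and SizeOfImage 6000h, and the file grows to 1400h bytes, the same numbers as computed by hand above. the two refusals (no room in the header area, data after the last section) are the checks worth doing before patching a real file, since a real binary may carry an overlay that a blind append would corrupt.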