PE Knowledge Review: Adding a New Section to a PE File

I. Why add a new section, and the steps for adding one

    For example, in the previous few posts we added code to a blank area of the PE file. That approach has a drawback: the section containing the blank area may be read-only and not executable, and if you modify its attributes the program may run into problems. Adding a new section lets us place our code instead.

And so on.

  1. Steps for adding a section

    1. Add a section table entry after the last existing entry. If there is no free space there, the header has to be expanded through the optional header, and the sections' own offsets corrected.

    2. Modify the number of sections in the file header.

    3. Set the properties of the newly added section table entry, starting with Section.VirtualAddress. This member specifies where the section is mapped in memory, so it needs to be modified.

    4. Modify the section's file offset, Section.PointerToRawData. Having specified where the section is mapped in memory, we also need to specify where it starts in the file.

    5. Modify Section.SizeOfRawData, the size of the section data after alignment. The data we add to the PE file for the new section must be added according to the file alignment, and the aligned size written to this member.

    6. Modify the PE image size in the optional header, SizeOfImage. This member is critical. If the image size is not updated according to the memory alignment, our section will not be mapped into memory, or the PE file will fail to run.

II. Steps for adding a section: manually adding a section in practice

    1. Add a section table entry

        When adding a section table entry, it must go after the last existing entry. Take a PE file as an example.

  The optional header's SizeOfHeaders records the size of the DOS header + NT headers + section table, stored according to the file alignment, so the section data begins at 400. In this file the last section table entry is .rsrc. There is enough space below it for a new entry, so we copy a section table entry and paste it after .rsrc as the new entry.

  We rename this section to AAAA.

   2. Modify the number of sections in the file header

  The file header has a field that records the number of section table entries. We have added one section, so the count recorded in the header must be increased by 1. Find the position of the section count and add one.

    It was originally 7; now change it to 8.

    3. Correct the offsets in the section table entry

  We have added a section table entry, so we must specify where this section is mapped in memory, where it starts in the file, and the size of the section data.

  The three corresponding members are:

    Section.VirtualAddress

    Section.SizeOfRawData

    Section.PointerToRawData

   3.1 Modifying Section.VirtualAddress

  The first member is Section.VirtualAddress. It follows the memory alignment and is placed relative to the previous section table entry.

    For example, if the previous section's mapped position after alignment is 0x1c000, we set ours to 0x1d000.

  3.2 Modifying Section.SizeOfRawData

  This member is the size of the section data after file alignment. It depends on how much data we add for this section. Here we append 0x1000 bytes to the end of the PE file.

The start of the new section is filled with FFFFF so that it is easy to spot.

   We added 0x1000 bytes of section data, so this member is set to 0x1000.

  3.3 Modifying the file offset, Section.PointerToRawData

  The last member to modify is where the section starts in the file. It is calculated from the previous section's file offset and the previous section's data size.

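For example, suppose the previous section's offset is 10 and its section data is 100; then everything from 10 to 100 belongs to the previous section, and our section has to begin at position 100.

  For example:

   The previous section starts at 0x8400 and its aligned data size is 0x600. Adding the two gives 0x8A00, so our offset begins at 0x8A00.

  4. Modify the PE image size in the optional header, SizeOfImage

We added 0x1000 bytes of section data, so the image size must also grow by 0x1000 for the section to be mapped. Note that it must follow the memory alignment.

Our original image size was already stored according to the memory alignment: 0x1D000. Adding 0x1000 of data makes it 0x1E000, so we change it to 0x1E000.

Save the file.

  5. Save the file and check in memory whether the section is mapped

First, run it:

It runs successfully.

  Check in memory whether the section is mapped. Our section's offset in memory is 0x1D000; adding our ImageBase gives 0x41D000.

Jumping there, we find the FFFF data we filled in earlier, so it has been mapped successfully. With that, we have added a new section to this PE file.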

 

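III. Summary

   Here is a summary based on the hands-on section addition above.

    1. A section table entry is 0x28 bytes. Add it after the last section table entry, provided SizeOfHeaders leaves enough space.

    2. Modify the section count in the file header. File.SectionNumber (the NumberOfSections field) = original number of sections + number of sections you added. For example: it was 7, you added one section, so it becomes 8.

    3. Modify the section properties:

      Section.VirtualAddress: where the section is mapped in memory, following the memory alignment. Use the previous section's VirtualAddress as the reference when setting it.

      Section.SizeOfRawData: the size of the section data after file alignment. Section.SizeOfRawData = the size of the section data you added, stored according to the file alignment. For example, if you added 0x1000, the size is 0x1000.

      Section.PointerToRawData: the offset in the file. Section.PointerToRawData = (previous Section.PointerToRawData + previous Section.SizeOfRawData)

    4. Modify SizeOfImage, the PE image size, in the optional header. OptionalHeader.SizeOfImage = memory-align(original SizeOfImage + size of the section data you added, following the memory alignment)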
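
The summary's arithmetic as an added Python example (not code from the original post): it computes every field the walkthrough edits by hand and packs the 0x28-byte entry. The function name, the previous section's VirtualSize, the section table offset, the two alignment values and the Characteristics value are assumptions made for illustration; the other numbers are the ones used above.

```python
import struct

ENTRY_SIZE = 0x28  # one section table entry, as stated in the summary

def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment

def plan_new_section(name, data_len, last, hdr):
    """Compute the header fields for a section appended after `last`.

    last: VirtualAddress/VirtualSize/PointerToRawData/SizeOfRawData of the final entry.
    hdr:  NumberOfSections, FileAlignment, SectionAlignment, SizeOfHeaders,
          SizeOfImage and table_off (file offset of the first section table entry).
    """
    # Summary step 1: the new entry must fit before the section data begins.
    entry_off = hdr["table_off"] + hdr["NumberOfSections"] * ENTRY_SIZE
    if entry_off + ENTRY_SIZE > hdr["SizeOfHeaders"]:
        raise ValueError("no room for another section table entry in the headers")
    # Summary step 3: mapped position follows the previous section, memory-aligned.
    vaddr = align_up(last["VirtualAddress"] + last["VirtualSize"], hdr["SectionAlignment"])
    raw_size = align_up(data_len, hdr["FileAlignment"])
    raw_ptr = last["PointerToRawData"] + last["SizeOfRawData"]
    # Characteristics 0x40000040 = initialized data + readable (assumed for this example).
    entry = struct.pack("<8s6I2HI", name.encode(), data_len, vaddr, raw_size,
                        raw_ptr, 0, 0, 0, 0, 0x40000040)
    return {
        "entry_off": entry_off, "entry": entry,
        "VirtualAddress": vaddr, "SizeOfRawData": raw_size, "PointerToRawData": raw_ptr,
        "NumberOfSections": hdr["NumberOfSections"] + 1,  # summary step 2
        "SizeOfImage": align_up(hdr["SizeOfImage"] + data_len,
                                hdr["SectionAlignment"]),  # summary step 4
    }

# Values from the walkthrough; VirtualSize, table_off and the alignments are constructed.
LAST = {"VirtualAddress": 0x1C000, "VirtualSize": 0x5C8,
        "PointerToRawData": 0x8400, "SizeOfRawData": 0x600}
HDR = {"NumberOfSections": 7, "FileAlignment": 0x200, "SectionAlignment": 0x1000,
       "SizeOfHeaders": 0x400, "SizeOfImage": 0x1D000, "table_off": 0x1E0}

if __name__ == "__main__":
    plan = plan_new_section("AAAA", 0x1000, LAST, HDR)
    for key in ("VirtualAddress", "SizeOfRawData", "PointerToRawData", "SizeOfImage"):
        print(f"{key:18} = {plan[key]:#x}")
```

The PointerToRawData rule assumes the previous section's data is the last thing in the file; data appended after it would sit at that offset instead.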

 

Origin www.cnblogs.com/gd-luojialin/p/11306293.html