
View Full Version : code injection


Vigual
February 10th, 2010, 22:26
Never mind. I'm sure I'll have more questions on this topic soon.

Vigual
February 13th, 2010, 17:02
I tried to add a PE section manually before trying to code that process. Here is what I changed in the PE. I incremented the number of sections, added the minimal section alignment to the size of image. Then I named the section .inject, gave it the next available starting virtual address, gave it a virtual size of 100h, gave it the minimal size of raw data based on the file alignment, gave it the next available raw address and set the characteristics.

Here is what this caused. I looked in ollydbg after making these changes but olly did not show that a new section had been created. I don't know why. So I dumped the process and opened it again in olly. This time the new section showed up but it was named "NewID" not ".inject" as I had named it, and for some reason the new section contained the imports. I had intended for this new section to be empty. Because it has the imports this makes the section useless to me because now I can not write code into it. What do I need to do so that I can fix the name of the section and keep the imports in their original location?

By the way, I wrote the program that I'm trying to add a section to, in case that was a concern.

Here is the entry I made in the section table.
Code:

00400250 2E 6E 65 77 >ASCII ".newIID" ; SECTION
00400258 00100000 DD 00001000 ; VirtualSize = 1000 (4096.)
0040025C 00500000 DD 00005000 ; VirtualAddress = 5000
00400260 00040000 DD 00000400 ; SizeOfRawData = 400 (1024.)
00400264 00420000 DD 00004200 ; PointerToRawData = 4200
00400268 00000000 DD 00000000 ; PointerToRelocations = 0
0040026C 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400270 0000 DW 0000 ; NumberOfRelocations = 0
00400272 0000 DW 0000 ; NumberOfLineNumbers = 0
00400274 400000C0 DD C0000040 ; Characteristics = INITIALIZED_DATA|READ|WRITE




Here is the rest of the section table
Code:

004001B0 2E 74 65 78 >ASCII ".text" ; SECTION
004001B8 08010000 DD 00000108 ; VirtualSize = 108 (264.)
004001BC 00100000 DD 00001000 ; VirtualAddress = 1000
004001C0 00020000 DD 00000200 ; SizeOfRawData = 200 (512.)
004001C4 00040000 DD 00000400 ; PointerToRawData = 400
004001C8 00000000 DD 00000000 ; PointerToRelocations = 0
004001CC 00000000 DD 00000000 ; PointerToLineNumbers = 0
004001D0 0000 DW 0000 ; NumberOfRelocations = 0
004001D2 0000 DW 0000 ; NumberOfLineNumbers = 0
004001D4 20000060 DD 60000020 ; Characteristics = CODE|EXECUTE|READ
004001D8 2E 72 64 61 >ASCII ".rdata" ; SECTION
004001E0 0E010000 DD 0000010E ; VirtualSize = 10E (270.)
004001E4 00200000 DD 00002000 ; VirtualAddress = 2000
004001E8 00020000 DD 00000200 ; SizeOfRawData = 200 (512.)
004001EC 00060000 DD 00000600 ; PointerToRawData = 600
004001F0 00000000 DD 00000000 ; PointerToRelocations = 0
004001F4 00000000 DD 00000000 ; PointerToLineNumbers = 0
004001F8 0000 DW 0000 ; NumberOfRelocations = 0
004001FA 0000 DW 0000 ; NumberOfLineNumbers = 0
004001FC 40000040 DD 40000040 ; Characteristics = INITIALIZED_DATA|READ
00400200 2E 64 61 74 >ASCII ".data" ; SECTION
00400208 60000000 DD 00000060 ; VirtualSize = 60 (96.)
0040020C 00300000 DD 00003000 ; VirtualAddress = 3000
00400210 00020000 DD 00000200 ; SizeOfRawData = 200 (512.)
00400214 00080000 DD 00000800 ; PointerToRawData = 800
00400218 00000000 DD 00000000 ; PointerToRelocations = 0
0040021C 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400220 0000 DW 0000 ; NumberOfRelocations = 0
00400222 0000 DW 0000 ; NumberOfLineNumbers = 0
00400224 400000C0 DD C0000040 ; Characteristics = INITIALIZED_DATA|READ|WRITE
00400228 2E 72 73 72 >ASCII ".rsrc" ; SECTION
00400230 A8010000 DD 000001A8 ; VirtualSize = 1A8 (424.)
00400234 00400000 DD 00004000 ; VirtualAddress = 4000
00400238 00020000 DD 00000200 ; SizeOfRawData = 200 (512.)
0040023C 000A0000 DD 00000A00 ; PointerToRawData = A00
00400240 00000000 DD 00000000 ; PointerToRelocations = 0
00400244 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400248 0000 DW 0000 ; NumberOfRelocations = 0
0040024A 0000 DW 0000 ; NumberOfLineNumbers = 0
0040024C 40000040 DD 40000040 ; Characteristics = INITIALIZED_DATA|READ




Old PE fields

Code:


004000B8 50 45 00 00 ASCII "PE" ; PE signature (PE)
004000BC 4C01 DW 014C ; Machine = IMAGE_FILE_MACHINE_I386
004000BE 0400 DW 0004 ; NumberOfSections = 4
004000C0 6420774B DD 4B772064 ; TimeDateStamp = 4B772064
004000C4 00000000 DD 00000000 ; PointerToSymbolTable = 0
004000C8 00000000 DD 00000000 ; NumberOfSymbols = 0
004000CC E000 DW 00E0 ; SizeOfOptionalHeader = E0 (224.)
004000CE 0F01 DW 010F ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|RELOCS_STRIPPED|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED
004000D0 0B01 DW 010B ; MagicNumber = PE32
004000D2 05 DB 05 ; MajorLinkerVersion = 5
004000D3 0C DB 0C ; MinorLinkerVersion = C (12.)
004000D4 00020000 DD 00000200 ; SizeOfCode = 200 (512.)
004000D8 00060000 DD 00000600 ; SizeOfInitializedData = 600 (1536.)
004000DC 00000000 DD 00000000 ; SizeOfUninitializedData = 0
004000E0 00100000 DD 00001000 ; AddressOfEntryPoint = 1000
004000E4 00100000 DD 00001000 ; BaseOfCode = 1000
004000E8 00200000 DD 00002000 ; BaseOfData = 2000
004000EC 00004000 DD 00400000 ; ImageBase = 400000
004000F0 00100000 DD 00001000 ; SectionAlignment = 1000
004000F4 00020000 DD 00000200 ; FileAlignment = 200
004000F8 0400 DW 0004 ; MajorOSVersion = 4
004000FA 0000 DW 0000 ; MinorOSVersion = 0
004000FC 0400 DW 0004 ; MajorImageVersion = 4
004000FE 0000 DW 0000 ; MinorImageVersion = 0
00400100 0400 DW 0004 ; MajorSubsystemVersion = 4
00400102 0000 DW 0000 ; MinorSubsystemVersion = 0
00400104 00000000 DD 00000000 ; Reserved
00400108 00500000 DD 00005000 ; SizeOfImage = 5000 (20480.)
0040010C 00040000 DD 00000400 ; SizeOfHeaders = 400 (1024.)
00400110 DB420000 DD 000042DB ; CheckSum = 42DB
00400114 0200 DW 0002 ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
00400116 0000 DW 0000 ; DLLCharacteristics = 0
00400118 00001000 DD 00100000 ; SizeOfStackReserve = 100000 (1048576.)
0040011C 00100000 DD 00001000 ; SizeOfStackCommit = 1000 (4096.)
00400120 00001000 DD 00100000 ; SizeOfHeapReserve = 100000 (1048576.)
00400124 00100000 DD 00001000 ; SizeOfHeapCommit = 1000 (4096.)
00400128 00000000 DD 00000000 ; LoaderFlags = 0
0040012C 10000000 DD 00000010 ; NumberOfRvaAndSizes = 10 (16.)
00400130 00000000 DD 00000000 ; Export Table address = 0
00400134 00000000 DD 00000000 ; Export Table size = 0
00400138 24200000 DD 00002024 ; Import Table address = 2024
0040013C 3C000000 DD 0000003C ; Import Table size = 3C (60.)
00400140 00400000 DD 00004000 ; Resource Table address = 4000
00400144 A8010000 DD 000001A8 ; Resource Table size = 1A8 (424.)
00400148 00000000 DD 00000000 ; Exception Table address = 0
0040014C 00000000 DD 00000000 ; Exception Table size = 0
00400150 00000000 DD 00000000 ; Certificate File pointer = 0
00400154 00000000 DD 00000000 ; Certificate Table size = 0
00400158 00000000 DD 00000000 ; Relocation Table address = 0
0040015C 00000000 DD 00000000 ; Relocation Table size = 0
00400160 00000000 DD 00000000 ; Debug Data address = 0
00400164 00000000 DD 00000000 ; Debug Data size = 0
00400168 00000000 DD 00000000 ; Architecture Data address = 0
0040016C 00000000 DD 00000000 ; Architecture Data size = 0
00400170 00000000 DD 00000000 ; Global Ptr address = 0
00400174 00000000 DD 00000000 ; Must be 0
00400178 00000000 DD 00000000 ; TLS Table address = 0
0040017C 00000000 DD 00000000 ; TLS Table size = 0
00400180 00000000 DD 00000000 ; Load Config Table address = 0
00400184 00000000 DD 00000000 ; Load Config Table size = 0
00400188 00000000 DD 00000000 ; Bound Import Table address = 0
0040018C 00000000 DD 00000000 ; Bound Import Table size = 0
00400190 00200000 DD 00002000 ; Import Address Table address = 2000
00400194 24000000 DD 00000024 ; Import Address Table size = 24 (36.)
00400198 00000000 DD 00000000 ; Delay Import Descriptor address = 0
0040019C 00000000 DD 00000000 ; Delay Import Descriptor size = 0
004001A0 00000000 DD 00000000 ; COM+ Runtime Header address = 0
004001A4 00000000 DD 00000000 ; COM+ Runtime Header size = 0
004001A8 00000000 DD 00000000 ; Reserved
004001AC 00000000 DD 00000000 ; Reserved




New PE fields

Code:

004000B8 50 45 00 00 ASCII "PE" ; PE signature (PE)
004000BC 4C01 DW 014C ; Machine = IMAGE_FILE_MACHINE_I386
004000BE 0500 DW 0005 ; NumberOfSections = 5
004000C0 B01C774B DD 4B771CB0 ; TimeDateStamp = 4B771CB0
004000C4 00000000 DD 00000000 ; PointerToSymbolTable = 0
004000C8 00000000 DD 00000000 ; NumberOfSymbols = 0
004000CC E000 DW 00E0 ; SizeOfOptionalHeader = E0 (224.)
004000CE 0F01 DW 010F ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|RELOCS_STRIPPED|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED
004000D0 0B01 DW 010B ; MagicNumber = PE32
004000D2 05 DB 05 ; MajorLinkerVersion = 5
004000D3 0C DB 0C ; MinorLinkerVersion = C (12.)
004000D4 00020000 DD 00000200 ; SizeOfCode = 200 (512.)
004000D8 00060000 DD 00000600 ; SizeOfInitializedData = 600 (1536.)
004000DC 00000000 DD 00000000 ; SizeOfUninitializedData = 0
004000E0 00100000 DD 00001000 ; AddressOfEntryPoint = 1000
004000E4 00100000 DD 00001000 ; BaseOfCode = 1000
004000E8 00200000 DD 00002000 ; BaseOfData = 2000
004000EC 00004000 DD 00400000 ; ImageBase = 400000
004000F0 00100000 DD 00001000 ; SectionAlignment = 1000
004000F4 00020000 DD 00000200 ; FileAlignment = 200
004000F8 0400 DW 0004 ; MajorOSVersion = 4
004000FA 0000 DW 0000 ; MinorOSVersion = 0
004000FC 0400 DW 0004 ; MajorImageVersion = 4
004000FE 0000 DW 0000 ; MinorImageVersion = 0
00400100 0400 DW 0004 ; MajorSubsystemVersion = 4
00400102 0000 DW 0000 ; MinorSubsystemVersion = 0
00400104 00000000 DD 00000000 ; Reserved
00400108 00540000 DD 00005400 ; SizeOfImage = 5400 (21504.)
0040010C 00040000 DD 00000400 ; SizeOfHeaders = 400 (1024.)
00400110 273F0000 DD 00003F27 ; CheckSum = 3F27
00400114 0200 DW 0002 ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
00400116 0000 DW 0000 ; DLLCharacteristics = 0
00400118 00001000 DD 00100000 ; SizeOfStackReserve = 100000 (1048576.)
0040011C 00100000 DD 00001000 ; SizeOfStackCommit = 1000 (4096.)
00400120 00001000 DD 00100000 ; SizeOfHeapReserve = 100000 (1048576.)
00400124 00100000 DD 00001000 ; SizeOfHeapCommit = 1000 (4096.)
00400128 00000000 DD 00000000 ; LoaderFlags = 0
0040012C 10000000 DD 00000010 ; NumberOfRvaAndSizes = 10 (16.)
00400130 00000000 DD 00000000 ; Export Table address = 0
00400134 00000000 DD 00000000 ; Export Table size = 0
00400138 00500000 DD 00005000 ; Import Table address = 5000
0040013C 3C000000 DD 0000003C ; Import Table size = 3C (60.)
00400140 00400000 DD 00004000 ; Resource Table address = 4000
00400144 A8010000 DD 000001A8 ; Resource Table size = 1A8 (424.)
00400148 00000000 DD 00000000 ; Exception Table address = 0
0040014C 00000000 DD 00000000 ; Exception Table size = 0
00400150 00000000 DD 00000000 ; Certificate File pointer = 0
00400154 00000000 DD 00000000 ; Certificate Table size = 0
00400158 00000000 DD 00000000 ; Relocation Table address = 0
0040015C 00000000 DD 00000000 ; Relocation Table size = 0
00400160 00000000 DD 00000000 ; Debug Data address = 0
00400164 00000000 DD 00000000 ; Debug Data size = 0
00400168 00000000 DD 00000000 ; Architecture Data address = 0
0040016C 00000000 DD 00000000 ; Architecture Data size = 0
00400170 00000000 DD 00000000 ; Global Ptr address = 0
00400174 00000000 DD 00000000 ; Must be 0
00400178 00000000 DD 00000000 ; TLS Table address = 0
0040017C 00000000 DD 00000000 ; TLS Table size = 0
00400180 00000000 DD 00000000 ; Load Config Table address = 0
00400184 00000000 DD 00000000 ; Load Config Table size = 0
00400188 00000000 DD 00000000 ; Bound Import Table address = 0
0040018C 00000000 DD 00000000 ; Bound Import Table size = 0
00400190 00200000 DD 00002000 ; Import Address Table address = 2000
00400194 24000000 DD 00000024 ; Import Address Table size = 24 (36.)
00400198 00000000 DD 00000000 ; Delay Import Descriptor address = 0
0040019C 00000000 DD 00000000 ; Delay Import Descriptor size = 0
004001A0 00000000 DD 00000000 ; COM+ Runtime Header address = 0
004001A4 00000000 DD 00000000 ; COM+ Runtime Header size = 0
004001A8 00000000 DD 00000000 ; Reserved
004001AC 00000000 DD 00000000 ; Reserved



disavowed
February 13th, 2010, 18:09
Quote:
[Originally Posted by Vigual;85242]gave it a virtual size of 100h

This needs to be divisible by your section alignment, so you'll probably need to make the virtual size of the last section 1000h.

Quote:
[Originally Posted by Vigual;85242]gave it the next available raw adress

Does the raw address (and raw size) actually correspond to a region in the file? If not, you'll have problems.

Vigual
February 13th, 2010, 20:09
Quote:
[Originally Posted by disavowed;85244]

Does the raw address (and raw size) actually correspond to a region in the file? If not, you'll have problems.


No, it doesn't. I read that if you map a file and set the size of the mapping to be larger than the actual file size, when you unmap the file, it will have zeros appended to it to fit the increased size. I don't really get how this works because you're specifying the virtual size of a file when you map it, not the raw size. Anyway, I tried this and it didn't solve the problem. I wrote this code to perform the technique I described. Maybe I did it wrong, though... How can I increase the raw file size?

Code:

.386
.model flat, stdcall
option casemap:none

include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

.data

TargetName db "crack.exe",0          ; must be NUL-terminated for CreateFile

.data?

hFile dd ?                           ; handle returned by CreateFile
hMap  dd ?                           ; handle returned by CreateFileMapping

.code
start:

    ; open the target for read/write access
    invoke CreateFile, addr TargetName,\
                       GENERIC_READ+GENERIC_WRITE,\
                       FILE_SHARE_READ+FILE_SHARE_WRITE,\
                       NULL,\
                       OPEN_EXISTING,\
                       FILE_ATTRIBUTE_NORMAL,\
                       NULL
    cmp eax, INVALID_HANDLE_VALUE
    je  done                         ; nothing to do if the file could not be opened
    mov hFile, eax

    ; current size on disk plus room for one section's worth of data
    invoke GetFileSize, hFile, NULL
    add eax, 1000h                   ; section alignment is 1000h

    ; a PAGE_READWRITE mapping whose maximum size exceeds the file size grows the
    ; file on disk to that size; no view is mapped here, so nothing is written
    ; into the new bytes and the PE headers are not touched
    invoke CreateFileMapping, hFile, NULL, PAGE_READWRITE, NULL, eax, NULL
    mov hMap, eax
    invoke CloseHandle, hMap
    invoke CloseHandle, hFile

done:
    xor eax, eax
    invoke ExitProcess, eax

end start


disavowed
February 13th, 2010, 23:34
If you're just creating a file mapping then the PE headers don't matter anyway.

Vigual
February 14th, 2010, 15:02
ok. I'll rephrase my question because what I am looking for has changed. If I want to expand the size of a file on disk so that I can add a section to it, how do I go about doing that? I was under the impression that all I had to do was map the file into memory with extra space for the new section, then unmap it. But that doesn't seem to be working.

aqrit
February 14th, 2010, 19:06
WriteFile()

Vigual
February 16th, 2010, 23:32
I got it to work. I don't know what was wrong but here is the code in case anyone wants to see it.

Code:


; Assumed (not shown in the original fragment): the target is mapped read/write and the
; caller has filled in these variables before calling Add_Section.
;   Address_Of_File_Header          dd ?   ; address of the "PE\0\0" signature in the mapping
;   Address_Of_End_Of_Section_Table dd ?   ; address of the first unused IMAGE_SECTION_HEADER slot
;   EntryPoint, FileAlignment, SectionAlignment, SizeOfImage   dd ?   ; saved copies
;   NewSecName      db ".inject",0          ; 8-byte section name (7 chars + NUL)
;   NewSecSize      dd 100h                 ; VirtualSize of the new section; the arithmetic
;                                           ; below assumes it is <= FileAlignment and
;                                           ; <= SectionAlignment
;   Characteristics dd 0E0000020h           ; IMAGE_SCN_CNT_CODE|MEM_EXECUTE|MEM_READ|MEM_WRITE
; The file must already have been grown by FileAlignment bytes (WriteFile) so that the
; new PointerToRawData/SizeOfRawData describe bytes that really exist on disk.

Add_Section proc

    mov ebx, Address_Of_File_Header
    add ebx, sizeof(DWORD)                              ; skip "PE\0\0" -> IMAGE_FILE_HEADER

    inc [ebx].IMAGE_FILE_HEADER.NumberOfSections        ; increase the number of sections by one

    add ebx, sizeof(IMAGE_FILE_HEADER)                  ; ebx -> IMAGE_OPTIONAL_HEADER

    mov edx, [ebx].IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint
    mov EntryPoint, edx                                 ; save AddressOfEntryPoint
    mov edx, [ebx].IMAGE_OPTIONAL_HEADER.FileAlignment
    mov FileAlignment, edx                              ; save FileAlignment
    mov edx, [ebx].IMAGE_OPTIONAL_HEADER.SectionAlignment
    mov SectionAlignment, edx                           ; save SectionAlignment
    add [ebx].IMAGE_OPTIONAL_HEADER.SizeOfImage, edx    ; one aligned page for the new section
    mov edx, [ebx].IMAGE_OPTIONAL_HEADER.SizeOfImage
    mov SizeOfImage, edx                                ; save the new SizeOfImage

    mov eax, Address_Of_End_Of_Section_Table            ; eax -> new IMAGE_SECTION_HEADER

    mov ebx, dword ptr NewSecName
    mov dword ptr [eax], ebx                            ; Name, bytes 0-3
    mov ebx, dword ptr NewSecName+4
    mov dword ptr [eax+4], ebx                          ; Name, bytes 4-7 (section names are 8 bytes)

    mov ebx, NewSecSize
    mov dword ptr [eax+8], ebx                          ; VirtualSize

    mov ecx, SizeOfImage
    sub ecx, SectionAlignment
    mov dword ptr [eax+0Ch], ecx                        ; VirtualAddress = old SizeOfImage

    mov ebx, FileAlignment
    mov dword ptr [eax+10h], ebx                        ; SizeOfRawData = one FileAlignment unit

    mov ebx, dword ptr [eax-28h+14h]                    ; previous section's PointerToRawData
    add ebx, dword ptr [eax-28h+10h]                    ; + its SizeOfRawData (equals FileAlignment
                                                        ; only when that section is one unit long)
    mov dword ptr [eax+14h], ebx                        ; PointerToRawData = end of previous raw data

    mov ebx, Characteristics
    mov dword ptr [eax+24h], ebx                        ; Characteristics

    ret
Add_Section endp
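As an added worked example (not code from this thread or from any of the posters), here is the same section-adding procedure in Python 3 using only the standard library. It computes the next free RVA and raw offset from the existing section table instead of assuming the previous section is one FileAlignment unit long, checks that SizeOfHeaders still has room for another IMAGE_SECTION_HEADER, grows the file so that PointerToRawData and SizeOfRawData describe bytes that really exist on disk, and updates NumberOfSections and SizeOfImage. It leaves the data directories alone, so the import table stays where the linker put it. The `validate` function runs the checks raised earlier in the thread (VirtualAddress aligned to SectionAlignment, raw region inside the file, section inside SizeOfImage). The PE it operates on is constructed inline by `build_sample_pe` and is not a real program; only PE32 images are handled.

```python
import struct

# IMAGE_SCN_* flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _headers(buf):
    """Return (file_header, optional_header, section_table) offsets of a PE32 image."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    opt = fh + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    return fh, opt, opt + struct.unpack_from("<H", buf, fh + 16)[0]


def optional_fields(buf):
    """The IMAGE_OPTIONAL_HEADER fields that the section arithmetic depends on."""
    _, opt, _ = _headers(buf)
    sect_align, file_align = struct.unpack_from("<II", buf, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    return {"SectionAlignment": sect_align, "FileAlignment": file_align,
            "SizeOfImage": size_of_image, "SizeOfHeaders": size_of_headers}


def sections(buf):
    """Parse the section table into tuples in IMAGE_SECTION_HEADER field order."""
    fh, _, table = _headers(buf)
    n = struct.unpack_from("<H", buf, fh + 2)[0]
    return [struct.unpack_from(SECTION_HDR, buf, table + i * 40) for i in range(n)]


def validate(buf):
    """Consistency checks for a hand-edited section table; returns a list of problems."""
    f = optional_fields(buf)
    problems = []
    for name, vsize, va, rawsize, rawptr, *_ in sections(buf):
        tag = name.rstrip(b"\0").decode("ascii", "replace")
        if va % f["SectionAlignment"]:
            problems.append(f"{tag}: VirtualAddress {va:#x} is not SectionAlignment-aligned")
        if rawptr % f["FileAlignment"] or rawsize % f["FileAlignment"]:
            problems.append(f"{tag}: PointerToRawData/SizeOfRawData are not FileAlignment-aligned")
        if rawptr + rawsize > len(buf):
            problems.append(f"{tag}: raw data {rawptr:#x}+{rawsize:#x} lies beyond the end of the file")
        if align(va + vsize, f["SectionAlignment"]) > f["SizeOfImage"]:
            problems.append(f"{tag}: section ends beyond SizeOfImage {f['SizeOfImage']:#x}")
    return problems


def add_section(image, name, payload, characteristics):
    """Append a section holding `payload` and return the patched file bytes."""
    buf = bytearray(image)
    fh, opt, table = _headers(buf)
    f = optional_fields(buf)
    n = struct.unpack_from("<H", buf, fh + 2)[0]
    new_hdr = table + n * 40
    if new_hdr + 40 > f["SizeOfHeaders"]:
        raise ValueError("no free IMAGE_SECTION_HEADER slot; the headers would have to grow")
    # Next free RVA: past the highest mapped section, rounded up to SectionAlignment.
    va = max((align(s[2] + max(s[1], s[3]), f["SectionAlignment"]) for s in sections(buf)),
             default=align(f["SizeOfHeaders"], f["SectionAlignment"]))
    # Raw data goes at the end of the file (past any overlay), rounded up to FileAlignment,
    # so PointerToRawData/SizeOfRawData always describe bytes that exist on disk.
    rawptr = align(len(buf), f["FileAlignment"])
    rawsize = align(len(payload), f["FileAlignment"])
    struct.pack_into(SECTION_HDR, buf, new_hdr, name.ljust(8, b"\0")[:8], len(payload), va,
                     rawsize, rawptr, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", buf, fh + 2, n + 1)                                              # NumberOfSections
    struct.pack_into("<I", buf, opt + 56, align(va + len(payload), f["SectionAlignment"]))  # SizeOfImage
    struct.pack_into("<I", buf, opt + 64, 0)   # CheckSum is stale after editing; 0 = not checked for user-mode images
    buf += b"\0" * (rawptr - len(buf)) + payload.ljust(rawsize, b"\0")
    return bytes(buf)


def build_sample_pe():
    """Constructed minimal PE32 (i386, one .text section, headers padded to 0x200); not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIIIII", opt, 0, 0x10B, 5, 12, 0x200, 0, 0, 0x1000, 0x1000, 0x2000)
    struct.pack_into("<IIIHHHHHHIIIIHHIIIIII", opt, 28, 0x400000, 0x1000, 0x200,
                     4, 0, 4, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    code = b"\x31\xc0\xc3"                                                     # xor eax, eax / ret
    text_hdr = struct.pack(SECTION_HDR, b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers = (dos + file_hdr + bytes(opt) + text_hdr).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0")


if __name__ == "__main__":
    patched = add_section(build_sample_pe(), b".inject", b"\x90" * 16 + b"\xc3",
                          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    print(sections(patched), validate(patched) or "no problems")
```

Two caveats worth keeping in mind when using this on a real target: the checksum is zeroed rather than recomputed, which user-mode loaders ignore but kernel drivers do not; and if `SizeOfHeaders` has no spare slot the function refuses rather than silently overwriting whatever follows the section table, since growing the headers means shifting every section's raw data.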