Ive been having trying to add a new section to a PE file, the section seems to add correctly but when i load the resultant file and look with softice the section doesnt seem to have been mapped into memory - softice just shows a load of "invalids" at the memory location of the new section.

PLEASE help!

Zaza

i have also tried increasing the size of the .rsrc section which causes XP to claim the file is not a valid executable.

I dont know if its important but the file im experimenting on was origianlly compressed with upx

There are additional fields in the PE header that must be adjusted to correctly add/resize a section, e.g. the ImageSize field etc. Get hold of a PE format specification and study it. Try the docs at Iczelion's site for example.

ive actually been using various utilities to try and add the sections -namely LordPE and SaDD which automatically update the ImageSize field.

ill have a look at the PE specs in case i need to update a field specific to XP which the utilities miss.

adding a section is not always 100% safe. better enlarge the last section (but check for overlays!).

if there is no code that tried to access your new section, the memory might not be 'present', and softice will show ?? ?? ??'s indeed.

i assumed the win32 loader blindly mapped the file into memory, not taking into account whether the code was actually being referenced from anywhere.

as to enlarging the last section - i tried that as a fallback plan and that didnt work either - enlarging the .rsrc section (which is the last section in the file) caused XP to claim it wasnt a valid win32 executable - i wondered if perhaps this was because the .rsrc section was parsed for errors or something.

(i cant really see the .rsrc section being overlayed)

p.s. as far as i can tell it is safe to add a new section as there is plenty of space to add a new section header (unlike notepad )

you can easily extend rsrc section size, just remember to update ImageSize value = align(lastSection.VirtualSize + lastSection.RVA, sectionAlignment)

indeed, that should do the job. winxp loader doesn't verify the resource structs or something, i successfully made last section increasers in this way before.

Map the memory: Yes

Page in the contents of the memory: No, not necessarily

Y use TOPO, it work well ! ! !

um...

have u tried a program called zeroadd?

adds a new section to ur file.

hxxp://biw.rult.at/tools/zeroadd.zip

Windows 2000 and Windows XP WON't show any new memory sections until a part of that memory section is actually used. Remember, Windows uses PAGED memory. The sections load in as 4K pages. Which means usually your new section will get its own page, and if that part of the file is never used, it will never be paged in. Even though the program is run and "loaded", the windows loader does not load the entire file, it only loads pieces which are needed to execute. If a page fault occurs, which would happen when your program goes to address something in that new section of yours, then windows will load that section from the disk file.

You can force SoftICE to load the section anyway, if you know where it is supposed to be in memory, by using the PAGEIN command.

PAGEIN <address>

-nt20