Please could someone provide some links to tuts in which a section is added to pe header, section is edited, PE info is changed, and adding functions to files. I want to really understand this. 'Editing pe files'

I have read the Microsoft COFF document and Iczelions pe tut.

Thanks

Check out some tools like Lord PE, and also take a look at the collected PE info html document that was the subject of a recent thread around here.

For further info you have to be more specific and tell us what you have tried and failed with.

Right now I am confused on how to make a section bigger...

Say I wanted to extend a rsrc section..I know that I would have to change the flags to make it executable but I am still confused on what else I need to change & the limits of change.

Alright, suppose the last section in a pe file is .rsrc

.rsrc
VSize(Size in memory?): 000004E8 RVA(Starting addr in mem?): 00004000
RawSize(Size on disk?): 00000600 Offset(File offset on disk?): 00000C00

Starting address=base address+imagebase ;is this right?

Confused on how to use this: SizeofImage: 00005000

If I wanted to add some code at the end of the file what would I change?

Section characteristics 40000040 change to E0000060

im a little

VSize(Size in memory?): 000004E8 RVA(Starting addr in mem?): 00004000
RawSize(Size on disk?): 00000600 Offset(File offset on disk?): 00000C00

I changed vsize to 900 and Rsize to 900 and I get an error

The application failed to initialize properly (0xc0000005). Click OK to terminate...

in PE there is also alignment field. so 900 not matchs with 200h or 1000h
for W32PE

Are you saying that I can only add multiples of 200h or 1000h to the file??

Here is the file:

must be multiplier of that value of alignment, wich must be multiplier of 200h..

Thanks evaluater, I finally got it to work

600h is the most I can extend the section to. Is there something else I need to change to extend the section >600h ?

Hi infinity+,
You have only to add all the bytes you need to the file, save it and then adjust VirtualSize and RawSize values.

ZaiRoN

in your case, sizeofimage is .rsrc voffset + vsize, rounded up (ceiling) to the higher alignment value.

If you use lordPE to make those changes, it'll take care of that for you.

ex: Change .rsrc size to 0x2000

I did all that except........ & add 0x1A00 bytes at the end of the file.

How is this done?

Without changing that I get 'Not valid pe file'......



ZaiRoN
The virtual size and raw size are automatically done by LordPE. When I add more than 600h to the rsrc section the program displays the error 'Not valid pe file'......

The header gets screwed up I guess.....

When I rebuild the file RawSize(4000) changes to 4E7 and there is absolutely no space at the end of the file....

add 0x1A00 bytes at the end of the fileHave you ever used an hex editor? Sorry but I suspect that your problem resides in it.
To add all these bytes you have to edit (phisically) the file using this kind of tool (hexworkshop, ultraedit and so on...).
You can do all the work by hand with a simple hexeditor; add the bytes and then change some pe-values... nothing more.

Sorry if I misunderstand you...

Best regards,
ZaiRoN

If you just want to test your enlarged file (before pasting code in it), just insert nulls.. Hex workshop: Edit->Insert

WinHex: Edit->Paste Zero bytes

Your problem is you are telling windows (via the pe header) that your exe is "_that_" large, when it really isn't (because you forgot to physically enlarge the file on disk)

If you only want your file to have a larger section in memory, then you only enlarge the virtual size.



You only need to "save", a "Rebuild PE" option will _most likely_ try to optimize the file structure thus destroying the extra space you have allowed.

thanks, ill try it