
I am currently working on a packer and I need to copy raw data in the section containing the code (. text), is there any way to do this in VC++ ?

If it's impossible, could you recommend me some good C/C++ lib to edit PE files ?

too honest for this site
Omen
  • In some cases it is technically impossible to add extra data to an already linked PE without risking breaking it. And I guess there is no library for such a purpose. – Sergio Sep 05 '16 at 12:06
  • http://re.coldwind.pl/dl/packer_005.zip It can help – Krzysztof Bargieł Sep 05 '16 at 12:11
  • @Serhio could you please elaborate on 'technically impossible'? What are some cases that it would be so? – kubuzetto Sep 05 '16 at 12:13
  • By the way @Omen these may be helpful: http://www.codeproject.com/Articles/12532/Inject-your-code-to-a-Portable-Executable-file http://coder.pub/2014/09/pe-file-packer-step-by-step-step-7-relocations/ http://www.rohitab.com/discuss/topic/33006-detailed-guide-to-pe-infection/?hl=%2Brelocation http://www.csn.ul.ie/~caolan/pub/winresdump/winresdump/doc/pefile2.html http://www.rohitab.com/discuss/topic/41510-another-detailed-guide-to-pe-infection/ – kubuzetto Sep 05 '16 at 12:14
  • @kubuzetto The simplest case is when there is no free virtual space between `.text` and the subsequent section. It may be `.data` or something else. Assuming that we cannot replace the original `.text` content, we have no way to append extra data, since the virtual address of the next section must be preserved and we cannot move it. – Sergio Sep 05 '16 at 12:19
  • Under what circumstances would we be unable to replace original `.text` content (except for an intentional tamper-proofing mechanism)? – kubuzetto Sep 05 '16 at 12:24
  • Use `#pragma section(".text")` first, then `__declspec(allocate(".text")) unsigned char packedData[] = {...}` – Hans Passant Sep 05 '16 at 12:33
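The question and Sergio's comment hinge on whether `.text` has any room before the next section's VirtualAddress. The following C code is an added example, not from the question, any answer, or any linked project: it parses the section table of a PE image held in memory and reports that slack (plus the raw-file slack, SizeOfRawData minus VirtualSize), run here on a constructed two-section PE32 header rather than a real binary.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* PE headers are little-endian regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Bytes between the end of section `name` and the next section's VirtualAddress
 * (for the last section: up to the next SectionAlignment boundary, so SizeOfImage
 * is unchanged). Returns -1 if the section is absent or the headers are malformed.
 * *raw_slack gets SizeOfRawData - VirtualSize: room in the file that does not shift
 * later sections' PointerToRawData. */
long section_slack(const uint8_t *img, size_t len, const char *name, long *raw_slack)
{
    if (len < 0x40 || memcmp(img, "MZ", 2) != 0) return -1;
    uint32_t pe = rd32(img + 0x3C);                          /* e_lfanew */
    if ((size_t)pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + pe + 6), opt_size = rd16(img + pe + 20);
    const uint8_t *opt = img + pe + 24;
    if (opt_size < 36 || (size_t)pe + 24 + opt_size + 40u * nsec > len) return -1;
    uint32_t align = rd32(opt + 32);                         /* SectionAlignment */
    if (align == 0) return -1;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = opt + opt_size + 40u * i;         /* IMAGE_SECTION_HEADER */
        if (strncmp((const char *)s, name, 8) != 0) continue;
        uint32_t vsize = rd32(s + 8), va = rd32(s + 12), rawsz = rd32(s + 16);
        uint32_t end = va + vsize, next = (end + align - 1) / align * align;
        if (i + 1 < nsec) next = rd32(s + 40 + 12);          /* next section's VA */
        if (raw_slack) *raw_slack = (long)rawsz - (long)vsize;
        return next < end ? -1 : (long)(next - end);
    }
    return -1;
}

/* Constructed sample (not a real binary): PE32 headers with .text at RVA 0x1000
 * (VirtualSize 0xD40, SizeOfRawData 0xE00) followed by .data at RVA 0x2000. */
#define SAMPLE_LEN 0x200
const uint8_t *sample_image(void)
{
    static uint8_t buf[SAMPLE_LEN];
    memset(buf, 0, sizeof buf);
    memcpy(buf, "MZ", 2); wr32(buf + 0x3C, 0x40); memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 6] = 2; buf[0x40 + 20] = 0xE0;               /* NumberOfSections, SizeOfOptionalHeader */
    uint8_t *opt = buf + 0x40 + 24, *s = opt + 0xE0;
    opt[0] = 0x0B; opt[1] = 0x01; wr32(opt + 32, 0x1000);    /* PE32 magic, SectionAlignment */
    memcpy(s, ".text", 5); wr32(s + 8, 0xD40); wr32(s + 12, 0x1000); wr32(s + 16, 0xE00);
    memcpy(s + 40, ".data", 5); wr32(s + 48, 0x200); wr32(s + 52, 0x2000); wr32(s + 56, 0x200);
    return buf;
}
```

On the sample, `.text` has 0x2C0 bytes of virtual slack but only 0xC0 bytes of raw slack, so anything larger than 0xC0 bytes also requires rewriting the raw layout of every later section; a zero result is exactly the case Sergio calls technically impossible without moving the next section.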

1 Answer


Instead of trying to extend the .text section, adding a new executable section and injecting your code there might be a better solution. Then you put a jmp to the address from which you want to divert the execution (which will overwrite some of the instructions there), start your code with the overwritten instructions and continue to whatever you wanted to do, then return to the original execution with another jump. Note that if the overwritten code also contains addresses/relocations, these should also be updated properly.

kubuzetto
  • Yes, I am aware of this solution, but adding a new executable section is basically asking any AV to flag you as malware. – Omen Sep 05 '16 at 12:24
  • I see your point now. I don't think I have come across a solution for it, though. – kubuzetto Sep 05 '16 at 12:26