I have this simple test code:

```c
#include <Windows.h>
#include <stdio.h>

/* Declare new sections to store encrypted code and shellcode data */
#pragma section(".code", execute, read, write)
#pragma comment(linker,"/SECTION:.code,ERW")

// From here executable code will go in .code section
#pragma code_seg(".code")

int test()
{
    printf("prova");
    return 0;
}

// .stub SECTION
#pragma section(".stub", execute, read, write)
#pragma code_seg(".stub")

int main(int argc, char *argv[]){
    test(); /* Call function which executes shellcode now that it is decrypted */
    return 0;
}
```

Can anyone tell me why, if I dump this file, I only get these default sections:

  • .data
  • .rdata
  • .reloc
  • .rsrc
  • .stub
  • .text

The .code segment is not generated. I think I used to do it like this in some previous project; am I doing something wrong?

-- Further tests --

  • Dumping the .obj file, the .code section is shown.
  • .stub is shown when dumping the .exe or the .obj.
  • Removing `#pragma comment(linker,"/SECTION:.code,ERW")` did not work.
  • Adding `#pragma comment(linker,"/SECTION:.stub,ERW")` didn't change the dumpbin result on the .exe; .stub is still showing.
  • Changing the name from .code to .somethingelse didn't work either, same result.
Luca Reccia
  • Are you dumping the executable file, or the object file? – Some programmer dude Aug 31 '18 at 10:21
  • I'm dumping the .exe – Luca Reccia Aug 31 '18 at 10:25
  • Anyway the .stub gets created @Someprogrammerdude – Luca Reccia Aug 31 '18 at 10:31
  • If you dump the object file, is the section in it? Perhaps the default linker script has a case for sections with the name `.code`? Or perhaps it has a check for executable sections (which you set using the `/SECTION` option using a pragma, but only for `.code`)? – Some programmer dude Aug 31 '18 at 10:32
  • Yes @Someprogrammerdude, the section is there in the obj. I've just tried using another name but still the same result (shown in the obj and not shown in the exe). N.B. the stub gets created every time – Luca Reccia Aug 31 '18 at 10:35
  • Then a last experiment: What happens if you do `#pragma comment(linker,"/SECTION:.stub,ERW")`? Do the `.stub` sections still exist in the executable? – Some programmer dude Aug 31 '18 at 10:36
  • Nothing changed @Someprogrammerdude, I even tried to remove `#pragma comment(linker,"/SECTION:.code,ERW")`. The stub is there and the code is not. I've even checked the path multiple times, copying the one in the compilation output, and tried to clean and rebuild the project, but nothing changed – Luca Reccia Aug 31 '18 at 10:40
  • Unfortunately I'm not able to help you further. Please edit your question to include the results of these experiments, and hopefully someone more knowledgeable would be able to help you. – Some programmer dude Aug 31 '18 at 10:45
  • Add `/MAP` to the linker options; this will be most informative. However, `#pragma code_seg(".code")` worked as expected – RbMm Aug 31 '18 at 17:08

1 Answer

Using the following directives, I was able to confine all the code/variables/constants into the .code segment, which was visible using the dumpbin command.

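```c
/* Declare a code section and a companion data section */
#pragma section(".code", execute, read)
#pragma section(".codedata", read, write)
/* Ask the linker to mark both sections execute/read/write */
#pragma comment(linker,"/SECTION:.code,ERW")
#pragma comment(linker,"/SECTION:.codedata,ERW")
/* Merge .codedata into .code so the image carries a single .code section */
#pragma comment(linker, "/MERGE:.codedata=.code")

/* From here on, functions, initialized data and constants go to these sections */
#pragma code_seg(".code")
#pragma data_seg(".codedata")
#pragma const_seg(".codedata")
```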
Luca Reccia
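
An added example, not part of the original question or answer: a small Python reader for the PE section table that lists each section with its permission flags, as a dumpbin section listing does, and reports which sections end up both writable and executable, the state `/SECTION:.code,ERW` requests. The header-only sample image and its flag values are constructed for illustration, and `list_sections`, `writable_executable` and `build_sample` are hypothetical names.

```python
import struct

# Memory-permission bits of a section's Characteristics field (PE/COFF spec)
PERMS = (("E", 0x20000000), ("R", 0x40000000), ("W", 0x80000000))

def list_sections(image: bytes):
    """Return [(name, perms)] for every entry in a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(count):
        # 40-byte entry: 8-byte name, 28 bytes of sizes/offsets, 4-byte Characteristics
        raw_name, chars = struct.unpack_from("<8s28xI", image, table + 40 * i)
        perms = "".join(letter for letter, bit in PERMS if chars & bit)
        sections.append((raw_name.rstrip(b"\0").decode("ascii", "replace"), perms))
    return sections

def writable_executable(image: bytes):
    """Names of sections mapped both writable and executable."""
    return [name for name, perms in list_sections(image) if "E" in perms and "W" in perms]

def build_sample(sections):
    """Constructed header-only image for the demo; not a loadable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0002)
    table = b"".join(struct.pack("<8s28xI", n.encode(), c) for n, c in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed sample: flag values are assumptions, not output from the asker's build
SAMPLE = build_sample([
    (".text", 0x60000020), (".rdata", 0x40000040),
    (".data", 0xC0000040), (".code", 0xE0000020),
])

if __name__ == "__main__":
    for name, perms in list_sections(SAMPLE):
        print(f"{name:<8} {perms}")
    print("writable+executable:", writable_executable(SAMPLE))
```

Running the same functions over the bytes of a real .exe shows whether a custom section survived linking and with which permissions; a section that is both writable and executable is worth a second look in any build review.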