1

What are the disadvantages of merging compatible PE file sections?

user541686
  • 205,094
  • 128
  • 528
  • 886

2 Answers

2

That's a perfectly reasonable thing to do. If you wanted to make your PE file easier to analyze, though, it would be better not to, since leaving them apart makes it more obvious that the two sections contain different types of code/data/metadata. Typically section names give a hint about what they contain; merging two sections removes one of the hints. I can't think of any benefits to merging the sections other than tiny reductions in file size and memory footprint. Sections in the file are padded out to FileAlignment boundaries, and sections in memory are padded out to page-size boundaries, so merging the sections removes the padding from the end of the first section (and means that you have one section entry instead of two, which saves only 72 bytes).

Kevin
  • 233
  • 1
  • 8
0

The main disadvantage is that some anti-virus software will mark the file as malware, just because it's unusual and certain AVs don't have better malware detection techniques.

Abyx
  • 12,345
  • 5
  • 44
  • 76
  • Could you please provide more information about this? Why is this unusual? Where is the potential risk of having one section resulting from a merge? Thanks. – mox Aug 02 '12 at 12:40
  • @mox, "unusual" means "unusual". I.e. if you took 1000 popular programs (not packed and not signed), you probably wouldn't find one with merged sections. – Abyx Aug 03 '12 at 13:39
  • Thanks for your answer. But, once sections have been merged (since they are compatible), how can one detect that they have been merged? How can one know that, of these 1000 popular programs, none has had sections merged? – mox Aug 03 '12 at 13:58
  • -1, virus scanners do not have access to the original un-merged sections, so how could they determine that two sections have been merged? – MSalters Jan 03 '14 at 09:43
  • @MSalters they can look at directories and data signatures and e.g. expect that IAT is in `.idata` and not in `.rdata` or `.data`. – Abyx Jan 03 '14 at 11:53
  • @Abyx: That would assume far too much. The question is tagged C++, but a virus scanner cannot assume (Microsoft) Visual C++. A MicroFocus COBOL or Visual Basic 6 program is just as legal. – MSalters Jan 03 '14 at 11:57
  • @MSalters a virus scanner can get the linker version from the PE header and can easily detect the compiler by signatures. It's a "scanner". It scans the file for signatures and detects stuff. And one of those signatures is directory placement. – Abyx Jan 03 '14 at 12:01
  • @Abyx: So you know it's linker version 5, but not whether it's Microsoft linker version 5 or MicroFocus linker version 5. Helpful. And if the signatures look like Visual C++ 2005 but the sections don't match, the virus scanner still has no idea. The Visual C++ 2005 signatures could have been produced by linking in some C code; that's quite common. – MSalters Jan 03 '14 at 12:09
  • 1
    @MSalters tell it to AV developers. – Abyx Jan 03 '14 at 12:11
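The two answers and the comment thread make claims that are easy to put numbers on with a section-table parser. The following is an added example, not code from the question, either answer or any AV product: it parses a PE section table with the standard library, computes what merging two adjacent "compatible" sections (identical Characteristics) would save on disk and in memory (the FileAlignment / SectionAlignment padding Kevin's answer describes, plus one section header, `sizeof(IMAGE_SECTION_HEADER)` = 40 bytes), and reports which section the import directory's RVA lands in, the kind of directory-placement check Abyx's comments refer to. The PE32 header it runs on is constructed inline for the demonstration and is not a real binary; the `.text`/`.rdata`/`.idata` layout, sizes and alignments are assumptions chosen so that only `.rdata` and `.idata` are merge candidates.

```python
"""Added example (not from the original thread): measure what merging two
compatible PE sections saves, and locate the import directory by section.
The PE32 image in build_sample_pe() is constructed here, not a real file."""
import struct

IMAGE_SECTION_HEADER_SIZE = 40     # sizeof(IMAGE_SECTION_HEADER)
IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import table in the data directories
PE32_MAGIC = 0x10B


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def parse_pe(data):
    """Return (FileAlignment, SectionAlignment, import directory RVA, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    # SectionAlignment / FileAlignment sit at offsets 32 / 36 in both PE32 and PE32+
    section_alignment, file_alignment = struct.unpack_from("<II", data, opt + 32)
    data_dirs = opt + (96 if magic == PE32_MAGIC else 112)
    import_rva = struct.unpack_from("<I", data, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]

    sections, hdr = [], opt + size_of_opt                # section table follows the optional header
    for _ in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
        hdr += IMAGE_SECTION_HEADER_SIZE
    return file_alignment, section_alignment, import_rva, sections


def merge_savings(sections, file_alignment, section_alignment):
    """For each adjacent pair with identical Characteristics: bytes saved on disk
    (alignment padding no longer needed between them, plus one section header)
    and bytes of mapped memory saved (SectionAlignment padding)."""
    out = []
    for a, b in zip(sections, sections[1:]):
        if a["chars"] != b["chars"]:
            continue   # different flags: merging would change permissions on one of them
        merged_vsize = a["vsize"] + b["vsize"]
        file_saved = a["raw_size"] + b["raw_size"] - align_up(merged_vsize, file_alignment)
        mem_saved = (align_up(a["vsize"], section_alignment) + align_up(b["vsize"], section_alignment)
                     - align_up(merged_vsize, section_alignment))
        out.append({"pair": (a["name"], b["name"]),
                    "file_bytes": file_saved + IMAGE_SECTION_HEADER_SIZE,
                    "memory_bytes": mem_saved})
    return out


def section_containing(sections, rva):
    """Name of the section whose virtual range covers rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def build_sample_pe():
    """Constructed PE32 header (headers only, no section bodies) with three sections.
    .rdata and .idata share Characteristics, so they are merge candidates; .text does not."""
    file_align, sect_align = 0x200, 0x1000
    layout = [   # name, VirtualSize, VirtualAddress, Characteristics
        (b".text",  0x123, 0x1000, 0x60000020),   # CODE | EXECUTE | READ
        (b".rdata", 0x080, 0x2000, 0x40000040),   # INITIALIZED_DATA | READ
        (b".idata", 0x060, 0x3000, 0x40000040),   # INITIALIZED_DATA | READ
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x3000, 0x28)  # imports in .idata
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x102)
    headers, raw_ptr = b"", 0x400
    for name, vsize, va, chars in layout:
        raw_size = align_up(vsize, file_align)             # on-disk size is FileAlignment-padded
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += raw_size
    return dos + b"PE\0\0" + coff + bytes(opt) + headers


if __name__ == "__main__":
    fa, sa, imp_rva, secs = parse_pe(build_sample_pe())
    for s in merge_savings(secs, fa, sa):
        print("%s+%s: saves %d bytes on disk, %d bytes of mapped memory"
              % (s["pair"] + (s["file_bytes"], s["memory_bytes"])))
    print("import directory is in", section_containing(secs, imp_rva))
```

On the constructed image the only compatible pair is `.rdata`+`.idata`: merging them saves 552 bytes on disk (one 0x200 padding block plus the 40-byte header) and one 0x1000 page of mapped memory, which is the "tiny reduction" Kevin's answer talks about. After such a merge the import directory RVA would resolve to whichever section survived, so a scanner that expects it in `.idata` would see it elsewhere; that is all `section_containing` shows, and whether a given AV actually keys on that is not something this thread establishes. Pointing `parse_pe` at real files (`open(path, "rb").read()`) works unchanged for PE32 and PE32+.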