Clean PE32+ Section Adding - my method

Post by win32

While it is considerably easier to place new sections in PE32+ files below .rsrc and .reloc, I realized that this makes any resource modding impossible, as any expansion of rsrc and dislocation of reloc seems to encroach on any code below.

Ximonite posted a similar method, though I had trouble replicating it for ntoskrnl.exe, so I devised a slightly different way of doing things:

I pre-made my new (100 000h byte) section in CFF Explorer, then changed the attributes in PE Internals (https://www.softpedia.com/get/Programming/Debuggers-Decompilers-Dissasemblers/PE-Internals.shtml) so the new section started where .rsrc did before, then moved rsrc/reloc down by 100 000h.

Thus, all sections had their attributes finalized, so all I had to do was swap the new section around with the existing ones (in a hex editor, it will be everything from ".xxxx" to the last byte before the next ".xxxx" or, if at the end of the header, a set of nops).

Then I changed the address of the resource and relocation directories to the new .rsrc/.reloc locations.

Then I used PE Internals to copy the hex contents of rsrc and reloc from a copy of the original file to plaintext files. Then I opened the new version of the file and copied those into the sections at their new locations.

Then use CFF Explorer, select all of the new section, and fill it with zeros, to remove any traces of the old sections. Note: PE Internals and CFF will look for resources anywhere in a file, so the file looks less broken in those applications than it does in Resource Hacker or to Windows itself.

Then use Resource Hacker to mass-import and overwrite resources from an original copy of the file.

Then you're done and you have a fully functional, clean, expanded x64 ntoskrnl.
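The same relayout done programmatically, so that each step of the procedure above can be checked rather than hand-edited, as an added example that is not part of win32's post or of any tool it mentions: the new section takes over .rsrc's old RVA and file position, .rsrc and .reloc are pushed down by the aligned size, NumberOfSections, SizeOfImage and the resource and base-relocation data directory entries are updated, and the RVAs inside the resource tree are rebased (the step the post handles by re-importing resources with Resource Hacker). It operates on a constructed three-section PE32+ sample built in `build_sample_pe()`, not on ntoskrnl.exe; the `.new` section name, the sizes and the sample's contents are assumptions, and only the Python standard library is used.

```python
import struct

SEC_FMT, SEC_SIZE = "<8sIIIIIIHHI", 40                   # IMAGE_SECTION_HEADER field layout
DIR_RESOURCE, DIR_SECURITY, DIR_BASERELOC = 2, 4, 5      # data directory indices

def _align(v, a): return (v + a - 1) // a * a

def _hdr_offsets(pe):
    """Return (coff, optional_header, section_table) file offsets; PE32+ only."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0" or struct.unpack_from("<H", pe, e_lfanew + 24)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    return coff, opt, opt + struct.unpack_from("<H", pe, coff + 16)[0]   # + SizeOfOptionalHeader

def sections(pe):
    """Section headers as mutable lists: [Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...]."""
    coff, _, tab = _hdr_offsets(pe)
    return [list(struct.unpack_from(SEC_FMT, pe, tab + i * SEC_SIZE))
            for i in range(struct.unpack_from("<H", pe, coff + 2)[0])]

def rva_to_offset(pe, rva):
    s = next(s for s in sections(pe) if s[2] <= rva < s[2] + max(s[1], s[3]))   # StopIteration if unmapped
    return rva - s[2] + s[4]

def _resource_leaves(buf, base, dir_off=0):
    """Yield the file offset of every IMAGE_RESOURCE_DATA_ENTRY below the directory at base+dir_off."""
    named, ids = struct.unpack_from("<HH", buf, base + dir_off + 12)
    for i in range(named + ids):
        target = struct.unpack_from("<I", buf, base + dir_off + 20 + 8 * i)[0]
        if target & 0x80000000:                   # high bit set: offset of a subdirectory
            yield from _resource_leaves(buf, base, target & 0x7FFFFFFF)
        else:                                     # high bit clear: offset of a data entry
            yield base + target

def first_resource_blob(pe):
    """Resolve the resource directory's first leaf and return the bytes its RVA names."""
    root_rva = struct.unpack_from("<I", pe, _hdr_offsets(pe)[1] + 112 + 8 * DIR_RESOURCE)[0]
    data_rva, size = struct.unpack_from("<II", pe, next(_resource_leaves(pe, rva_to_offset(pe, root_rva))))
    return bytes(pe[rva_to_offset(pe, data_rva):][:size])

def add_section_before_rsrc(pe, name, size, characteristics=0x60000020):
    """Copy of `pe` where a zero-filled section `name` takes .rsrc's old RVA/file slot and .rsrc, .reloc, ... move down."""
    pe = bytearray(pe)
    coff, opt, tab = _hdr_offsets(pe)
    secs = sections(pe)
    sec_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    if tab + (len(secs) + 1) * SEC_SIZE > struct.unpack_from("<I", pe, opt + 60)[0]:
        raise ValueError("no room below SizeOfHeaders for another section header")
    idx = next(i for i, s in enumerate(secs) if s[0].rstrip(b"\0") == b".rsrc")
    old_va, old_raw = secs[idx][2], secs[idx][4]
    vdelta, rdelta = _align(size, sec_align), _align(size, file_align)
    new = [name.encode().ljust(8, b"\0"), size, old_va, rdelta, old_raw, 0, 0, 0, 0, characteristics]
    for s in secs[idx:]:                          # .rsrc, .reloc, ... shift in memory and on disk
        s[2], s[4] = s[2] + vdelta, s[4] + rdelta
    secs.insert(idx, new)
    for i, s in enumerate(secs):
        struct.pack_into(SEC_FMT, pe, tab + i * SEC_SIZE, *s)
    struct.pack_into("<H", pe, coff + 2, len(secs))                                    # NumberOfSections
    struct.pack_into("<I", pe, opt + 56, struct.unpack_from("<I", pe, opt + 56)[0] + vdelta)  # SizeOfImage
    struct.pack_into("<I", pe, opt + 64, 0)                                            # CheckSum is stale
    # Every data directory at or past the old .rsrc RVA (resource, base reloc, debug, ...) moves
    # with it; the security directory is a file offset, not an RVA, and the signature is void anyway.
    for d in range(struct.unpack_from("<I", pe, opt + 108)[0]):
        if d != DIR_SECURITY and (rva := struct.unpack_from("<I", pe, opt + 112 + 8 * d)[0]) >= old_va:
            struct.pack_into("<I", pe, opt + 112 + 8 * d, rva + vdelta)
    out = pe[:old_raw] + bytes(rdelta) + pe[old_raw:]                                  # splice in the zeros
    # Resource data entries hold absolute RVAs and must be rebased (the post does this by re-importing
    # with Resource Hacker); .reloc blocks name the pages being fixed up, not .reloc itself, so they stay.
    for entry in _resource_leaves(out, old_raw + rdelta):
        struct.pack_into("<I", out, entry, struct.unpack_from("<I", out, entry)[0] + vdelta)
    return bytes(out)

def build_sample_pe():
    """Constructed minimal PE32+ (not a real binary): .text, a three-level .rsrc tree ending in b'RESDATA!', one .reloc block."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 3, 0, 0, 0, 240, 0x22)    # COFF: x64, 3 sections
    o = 0x58                                                                  # optional header
    struct.pack_into("<H", hdr, o, 0x20B)                                     # PE32+ magic
    struct.pack_into("<QII", hdr, o + 24, 0x140000000, 0x1000, 0x200)         # ImageBase, Section/FileAlignment
    struct.pack_into("<II", hdr, o + 56, 0x4000, 0x200)                       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, o + 108, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, o + 112 + 8 * DIR_RESOURCE, 0x2000, 0x60)
    struct.pack_into("<II", hdr, o + 112 + 8 * DIR_BASERELOC, 0x3000, 12)
    for i, (n, vs, va, rp, ch) in enumerate([(b".text", 0x10, 0x1000, 0x200, 0x60000020),
                                             (b".rsrc", 0x60, 0x2000, 0x400, 0x40000040),
                                             (b".reloc", 12, 0x3000, 0x600, 0x42000040)]):
        struct.pack_into(SEC_FMT, hdr, 0x148 + i * SEC_SIZE, n.ljust(8, b"\0"), vs, va, 0x200, rp, 0, 0, 0, 0, ch)
    rsrc = bytearray(0x200)
    for off, entry in ((0, (6, 0x80000018)), (0x18, (1, 0x80000030)), (0x30, (0x409, 0x48))):
        struct.pack_into("<HH", rsrc, off + 12, 0, 1)       # directory with one id entry
        struct.pack_into("<II", rsrc, off + 16, *entry)     # (id, offset); high bit marks a subdirectory
    struct.pack_into("<IIII", rsrc, 0x48, 0x2058, 8, 0, 0)  # data entry: RVA, size, codepage, reserved
    rsrc[0x58:0x60] = b"RESDATA!"
    reloc = struct.pack("<IIHH", 0x1000, 12, (10 << 12) | 8, 0).ljust(0x200, b"\0")   # one DIR64 fixup in .text
    return bytes(hdr) + b"\xC3".ljust(0x200, b"\0") + bytes(rsrc) + reloc
```

`add_section_before_rsrc(build_sample_pe(), ".new", 0x1000)` yields a four-section image in which `first_resource_blob()` still resolves to the same bytes through the moved directory, which is the check that the resource rebase (or, in the post's workflow, the Resource Hacker re-import) actually worked. Two things the code leaves to the reader, as the post's tools do: the CheckSum it zeroes should be recomputed afterwards (CFF Explorer can do that), and any Authenticode signature on the original file is invalidated by the edit.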
