While it is considerably easier to place new sections in PE32+ files below .rsrc and .reloc, I realized that this makes any resource modding impossible as any expansion of rsrc and dislocation of reloc seems to encroach on any code below.
Ximonite posted a similar method, though I had trouble replicating it for ntoskrnl.exe, so I devised a slightly different way of doing things:
I pre-made my new (100 000h byte) section in CFF Explorer, then changed the attributes in PE Internals (https://www.softpedia.com/get/Programming/Debuggers-Decompilers-Dissasemblers/PE-Internals.shtml) so the new section started where .rsrc did before, then moved rsrc/reloc down by 100 000h.
Thus, all sections had their attributes finalized, so all I had to do was swap the new section around with the existing ones (in a hex editor, it will be everything from ".xxxx" to the last byte before the next ".xxxx"; if at the end of the header, a set of nops).
Then I changed the address of the resource and relocation directories to the new .rsrc/.reloc locations.
Then I used PE Internals to copy the hex contents of rsrc and reloc from a copy of the original file to plaintext files. Then opened the new version of the file and copied those to the sections in their new locations.
Then use CFF Explorer, select all of the new section, and fill it with zeros, to remove any traces of the old sections. Note: PE Internals and CFF will look for resources anywhere in a file, so the file looks less broken in those applications than it does in Resource Hacker or to Windows itself.
Then use Resource Hacker to mass-import and overwrite resources from an original copy of the file.
Then you're done and you have a fully functional, clean, expanded x64 ntoskrnl.
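As an added example (not the poster's own tooling), here is a small Python model of the layout change described above: a constructed PE32+ section table, the shift of .rsrc/.reloc by the size of the new section that takes .rsrc's old place, and a check that the resource and relocation directory RVAs still land in their own sections. Section names, addresses and sizes are made up for illustration.

```python
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200

def align(v, a):
    return (v + a - 1) // a * a

# Constructed sample layout (not from a real ntoskrnl): name, VA, VirtualSize, raw offset, raw size
SECTIONS = [
    (".text",  0x1000,   0x400000, 0x400,    0x400000),
    (".rdata", 0x401000, 0x80000,  0x400400, 0x80000),
    (".data",  0x481000, 0x20000,  0x480400, 0x10000),
    (".rsrc",  0x4A1000, 0x30000,  0x490400, 0x30000),
    (".reloc", 0x4D1000, 0x8000,   0x4C0400, 0x8000),
]
# Data directory RVAs before the edit: resource table in .rsrc, base relocation table in .reloc
DIRS = {"resource": 0x4A1000, "basereloc": 0x4D1000}

def insert_section(sections, dirs, name, size, before=".rsrc"):
    """Put `name` where `before` started and shift `before` and everything after it by `size`.
    Directory RVAs that pointed into a shifted section are shifted too (the step the post does by hand)."""
    vsize, rsize = align(size, SECTION_ALIGN), align(size, FILE_ALIGN)
    out, new_dirs = [], dict(dirs)
    idx = next(i for i, s in enumerate(sections) if s[0] == before)
    for i, (n, va, vs, raw, rs) in enumerate(sections):
        if i == idx:
            out.append((name, va, vsize, raw, rsize))
        if i >= idx:
            for k, rva in dirs.items():
                if va <= rva < va + vs:
                    new_dirs[k] = rva + vsize
            out.append((n, va + vsize, vs, raw + rsize, rs))
        else:
            out.append((n, va, vs, raw, rs))
    return out, new_dirs

def check_layout(sections, dirs):
    """List problems: unaligned or overlapping sections, or a directory RVA outside its section."""
    problems = []
    for i, (n, va, vs, raw, rs) in enumerate(sections):
        if va % SECTION_ALIGN or raw % FILE_ALIGN:
            problems.append(f"{n}: VA or raw offset not aligned")
        if i and (va < sections[i-1][1] + align(sections[i-1][2], SECTION_ALIGN)
                  or raw < sections[i-1][3] + sections[i-1][4]):
            problems.append(f"{n} overlaps {sections[i-1][0]}")
    holder = lambda rva: next((s[0] for s in sections if s[1] <= rva < s[1] + s[2]), None)
    for k, want in (("resource", ".rsrc"), ("basereloc", ".reloc")):
        if holder(dirs[k]) != want:
            problems.append(f"{k} directory points into {holder(dirs[k])}, not {want}")
    return problems
```

Running check_layout on the shifted table with the old directory RVAs reports both directories pointing into the new section, which is why the directories must be repointed before the rsrc/reloc contents are copied back.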
Clean PE32+ Section Adding - my method
- WIN2000WARRIOR
Re: Clean PE32+ Section Adding - my method
The biggest problem remains the difficulty of knowing the new base address after adding a function, and I found this problem, as you know, with NT 4.0.

win32 wrote: 19 Jun 2021, 11:14
While it is considerably easier to place new sections in PE32+ files below .rsrc and .reloc, I realized that this makes any resource modding impossible as any expansion of rsrc and dislocation of reloc seems to encroach on any code below.
Ximonite posted a similar method, though I had trouble replicating it for ntoskrnl.exe, so I devised a slightly different way of doing things:
I pre-made my new (100 000h byte) section in CFF Explorer, then changed the attributes in PE Internals (https://www.softpedia.com/get/Programming/Debuggers-Decompilers-Dissasemblers/PE-Internals.shtml) so the new section started where .rsrc did before, then moved rsrc/reloc down by 100 000h.
Thus, all sections had their attributes finalized, so all I had to do was swap the new section around with the existing ones (in a hex editor, it will be everything from ".xxxx" to the last byte before the next ".xxxx"; if at the end of the header, a set of nops).
Then I changed the address of the resource and relocation directories to the new .rsrc/.reloc locations.
Then I used PE Internals to copy the hex contents of rsrc and reloc from a copy of the original file to plaintext files. Then opened the new version of the file and copied those to the sections in their new locations.
Then use CFF Explorer, select all of the new section, and fill it with zeros, to remove any traces of the old sections. Note: PE Internals and CFF will look for resources anywhere in a file, so the file looks less broken in those applications than it does in Resource Hacker or to Windows itself.
Then use Resource Hacker to mass-import and overwrite resources from an original copy of the file.
Then you're done and you have a fully functional, clean, expanded x64 ntoskrnl.
Is there a solution to this problem with the new PE applications?
Windows 2000 Warrior