Injecting Code to an existing PE

Nadav wrote:

I am working on a project that should encrypt PE files ( Portable executable
), this require me to inject some code to existing PEs.

I believe this is caused by not updating the size of the .text section,
therefore the loader doesn't map your injected code into memory.
http://msdn.microsoft.com/msdnmag/is...E/default.aspx

"It's important to note that PE files are not just mapped into memory as
a single memory-mapped file. Instead, the Windows loader looks at the PE
file and decides what portions of the file to map in."

This sems to make sense also because then the section header's
characteristics (IMAGE_SCN_MEM_ READ etc) can easily be applied to the
different memory pages.

--
Ben
http://bschwehn.de

Hi Ben,

Thanks again for your responce, The code I add to the '.text' segment is
added at the end on the existing '.text' segment (the existing segment is not
enlarged) e.g. if the size of the '.text' segment is X i add the code at
[Base + X - 'Size of injected code'] this may override existing data in case
the actual data size is alligned to 0x1000, BUT on first stage I would like
to avoid enlaging the '.text' segment size, after achieving what was just
described I would try to enlarge the .text segment ( changing existing RVAs
and so )..., anyhow, back to the problem, putting the code at the position
just mentioned works fine as long as for the written file, BUT when the
loader load the file it seems the requiered segment is not mapped... I
wonder... why does not all of the '.text' segment is mapped to memory? how
should I configure the PE so it will load all of the '.text' segment... what
flags should I set in addition to the one I have alerady set (see my root
query)?

"Ben Schwehn" wrote:

Nadav wrote:

I am working on a project that should encrypt PE files ( Portable executable
), this require me to inject some code to existing PEs.

I believe this is caused by not updating the size of the .text section,
therefore the loader doesn't map your injected code into memory.
http://msdn.microsoft.com/msdnmag/is...E/default.aspx

"It's important to note that PE files are not just mapped into memory as
a single memory-mapped file. Instead, the Windows loader looks at the PE
file and decides what portions of the file to map in."

This sems to make sense also because then the section header's
characteristics (IMAGE_SCN_MEM_ READ etc) can easily be applied to the
different memory pages.

--
Ben
http://bschwehn.de

You're right of course.

If tried your code with some minor adjustments and the injected code is
there when the PE is executed.
Perhaps you're just looking at the wrong location? ;)

The most significant change i made is

pNtHdr->OptionalHeader .AddressOfEntry Point =
pSecHeader[0].VirtualAddress - pSecHeader[0].PointerToRawDa ta +
(DWORD)(pInject edCode - pFileMemImage);

since you have to translate the EntryPoint to a RVA. (pSecHeader[0] ist
the text section header of my test file). Often
pSecHeader[0].VirtualAddress - pSecHeader[0].PointerToRawDa ta is 0 so it
doesn't matter. Don't know if this is causing you're problem...?

Only tested it with injecting 0xc3 (ret) and 0xcc (breakpoint) but that
worked.

ben

Hi Ben,

Thanks for your response, Indeed setting the entry point as you have advised
solved the problem, Now I have tried to extend the '.text' segment so
existing data would not be overwritten, to achieve that I have used the
ICeeFileGen interface provided by Microsoft (the app i am injecting
[unmanaged] code to is a managed executable, starting with an unmanaged JMP
_CorExeMain), I have successfully extended the segment and injected my code,
BUT, when setting the entrypoint of the executable to a location other then
it's original position I get 0xC000007B => STATUS_INVALID_ IMAGE_FORMAT,
injecting the code without changing the entrypoint causes the PE to execute
normally, using some common PE disassembler ( PE Explorer ) I can see the
modified entrypoint points to the right RVA:
( The injected code is added right after the original code )
jmp_mscoree.dll !_CorExeMain://<==The original entrypoint
jmp [mscoree.dll!_Co rExeMain]
;----------------------------------------------------------------------
EntryPoint:// <== the updated entrypoint
push ebp
mov ebp,esp
sub esp,000000FCh
push ebx
push esi
blablabla...

My guess is that additional configuration is needed to be done to the PE
headers so 0xC000007B will not show... what it is... i don't really
know.......

The Injection/entrypoint modification code:
HRESULT AssemblyEmitter ::PEWriter::Inj ectCode()
{
HCEESECTION Section = 0;
HRESULT hr = FileGen->GetSectionCrea te(ceeFile,
".text",
0,
&Section);
if(FAILED(hr))
return hr;
char *pCode = 0;
hr = FileGen->GetSectionBloc k(Section,
sizeof(INJECTED _SEGMENT_LIBLOA D),
4,
(void**)&pCode) ;
if(FAILED(hr))
return hr;
memcpy(pCode, INJECTED_SEGMEN T_LIBLOAD,
sizeof(INJECTED _SEGMENT_LIBLOA D));
return FileGen->ComputeSection Offset(Section,
pCode,

&m_pEmitter->m_uiInjectedCo deEntryPoint);
}

HRESULT AssemblyEmitter ::PEWriter::Upd ateEntryPoint(W CHAR *pSourceName)
{
DWORD dwBytesRead = 0;
BYTE *pFileMemImage = 0;
LARGE_INTEGER liSourceSize;
HANDLE hSource = CreateFile(pSou rceName,
GENERIC_READ,
FILE_SHARE_READ ,
0,
OPEN_EXISTING,
FILE_ATTRIBUTE_ NORMAL,
0);
if(0 == hSource)
return HRESULT_FROM_WI N32(GetLastErro r());
GetFileSizeEx(h Source, &liSourceSiz e);
pFileMemImage = new BYTE[(DWORD)liSource Size.QuadPart];
ReadFile(hSourc e, pFileMemImage,
(DWORD)liSource Size.QuadPart,
&dwBytesRead , 0);
CloseHandle(hSo urce);

IMAGE_DOS_HEADE R *pdosHeader = (IMAGE_DOS_HEAD ER*)pFileMemIma ge;
IMAGE_NT_HEADER S32 *pNtHdr = (IMAGE_NT_HEADE RS32*)(pFileMem Image
+ pdosHeader->e_lfanew);
IMAGE_SECTION_H EADER *pSecHeader = (IMAGE_SECTION_ HEADER*)((PBYTE )pNtHdr
+ sizeof(*pNtHdr) );
DWORD dwWrittenBytes = 0;
IMAGE_SECTION_H EADER *pSec = 0;
for(int i = 0; i < pNtHdr->FileHeader.Num berOfSections; i++)
{
pSec = pSecHeader + i;
if(0 == strcmp(".text", (char*)pSec->Name))
break;
pSec = 0;
}
if(0 == pSec)
return E_FAIL;
// Copy the new function to the end of the '.text' segment
IMAGE_DATA_DIRE CTORY *pdd =
(IMAGE_DATA_DIR ECTORY*)pNtHdr->OptionalHeader .DataDirectory
+ IMAGE_DIRECTORY _ENTRY_COMHEADE R;
DWORD dwCorhdrOffset = pdd->VirtualAddre ss
+ pdd->Size
- pSec->VirtualAddress ;
BYTE *pInjectedCode = pFileMemImage
+ pSec->PointerToRawDa ta
+ m_pEmitter->m_uiInjectedCo deEntryPoint
+ dwCorhdrOffset;
DWORD *pJumpAddress = (DWORD*)(pInjec tedCode
+ sizeof(INJECTED _SEGMENT_LIBLOA D)
- sizeof(DWORD));
// pSec->Characteristic s |= 0xc0000040;
DWORD dwOriginalAddre ss = pNtHdr->OptionalHeader .AddressOfEntry Point;
pNtHdr->OptionalHeader .AddressOfEntry Point =
pSec->VirtualAddre ss
+ m_pEmitter->m_uiInjectedCo deEntryPoint
+ dwCorhdrOffset;
*pJumpAddress = dwOriginalAddre ss
- (pNtHdr->OptionalHeader .AddressOfEntry Point
+ sizeof(INJECTED _SEGMENT_LIBLOA D));
DeleteFile(pSou rceName);

HANDLE hTarget = CreateFile(pSou rceName,
GENERIC_WRITE,
0,
0,
CREATE_ALWAYS,
FILE_ATTRIBUTE_ NORMAL,
0);
WriteFile(hTarg et,
pFileMemImage,
(DWORD)liSource Size.QuadPart,
&dwWrittenBytes ,
0);
CloseHandle(hTa rget);

return S_OK;
}

"Ben Schwehn" wrote:

You're right of course.

If tried your code with some minor adjustments and the injected code is
there when the PE is executed.
Perhaps you're just looking at the wrong location? ;)

There are a lot of information about PE file structures, loader and so
on, try, for example, http://win32asm.cjb.net/ or if you understand
Russian (http://www.wasm.ru)

If I should implement the similar project, I simplify my task to avoid
Windows PE loader:

1. run PE file as secondary process using CreateProcess with
CREATE_SUSPENDE D
flag (may be OR with DEBUG_PROCESS flag too)

2. modify code of already loaded PE file, using WriteProcessMem ory

Some other functions should be used as well: OpenProcess and
VirtualProtectE x

Regards:
http://ircdb.org
http://smike.ru
http://xedit.smike.ru