Manually adding a section to a PE file - by Sunshine
Download Example File: tut_addsec.zip
A new section is useful if there is not enough room to insert your code somewhere
else in the PE. I know a lot of editors etc. are able to do this for you.
But doing this by hand has one advantage: you learn a lot about the PE
file format, especially about sections. So let's begin!
- just a hex editor, I use Hex Workshop 32
- a tool which shows the section table so you can check if you did everything right (for example PEditor, Procdump or SectionMaker from my site which can also show the section table.)
- some knowledge about the PE Header
2. Adding additional bytes
Let's have a look at our file AddSection.exe. Open it with PEditor or any other
program to see that it has 3 sections:
|Section||Virtual Size||Virtual Offset||Raw Size||Raw Offset||Characteristics|
Open our file with Hex Workshop. Let's say our new section should be 110h bytes long. At the end of the file you see that there are many zeros. So select everything between offset AE0 and BEF (which is 110h bytes), then choose Edit->Copy.
After that, put the cursor to the end of the file and
So we have our new section. It begins at offset C00 and ends at D0F. Its length is 110h bytes.
3. Modify PE Header
To fix up the PE Header, we have to do the following three things:
- Increase the number of sections (which is at offset 06 in the PE Header!)
- Increase Image Size
- Add our new section to the section table
As you can see, the PE signature is at offset B0. At offset B6 you see 03 00
(which is the DWORD 0003 because you must always reverse the bytes) because
we originally have 3 sections. So it's clear that we have to change 0300 to
Next, we must increase the image size, a step which is often forgotten. Let's have a look at our file with PEditor. We see that Section Alignment is 1000h and Image Size is 4000h. Because section alignment is 1000h, our new section must also be at least 1000h long. So we must add 1000h to Image Size, which gives 4000h + 1000h = 5000h. Image size is located at offset 50h in the PE Header (if you don't know this, have a look at my tut "PE File Format Offsets"). So go to B0h + 50h = 100h. Change the bytes 0040 to 0050.
Now we have to add our new section to the section table. The section table starts at offset F8h in the PE Header. One section is 28h bytes long and looks like the following:
Array of byte
|+08||DWORD||PhysicalAddress / Virtual Size|
Let's call our section .Sun
- Virtual Size: 110h -> 10010000
- Virtual Offset: 4000 because the section before is at 3000 -> 00400000
- Raw Size: 110h -> 10010000
- Raw Offset: we added our new section at C00 -> 000C0000
- Characteristics: C0000040 (like .data section) -> 400000C0
Add this new data after the last section in the section table, which is at offset
B0h + F8h + 3*28h = 220h. If you did everything right it should look like:
Ok, that's all. Save it and load our new file with PEditor to check if we did everything right. Yeah, it's not too difficult, is it? In one of the next tutorials we will add some code to our new section. Keep cool!
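The final check can also be scripted. The following is an added example, not part of the original tutorial or its download: it reads the fields patched above at the same offsets and reports edits that do not agree with each other, such as a forgotten Image Size. The sample file is constructed; only the header values and the .Sun entry come from the text, the other three section entries are assumptions.

```python
import struct

ROW = "<8s4I12xI"   # name, virtual size, virtual offset, raw size, raw offset, characteristics

def section_table(pe):
    """Read the header fields the tutorial patches, at the same offsets from the PE signature."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # B0h in the tutorial's file
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    count = struct.unpack_from("<H", pe, pe_off + 0x06)[0]    # number of sections
    align = struct.unpack_from("<I", pe, pe_off + 0x38)[0]    # section alignment
    image_size = struct.unpack_from("<I", pe, pe_off + 0x50)[0]
    keys = ("name", "vsize", "vaddr", "rsize", "roff", "flags")
    rows = [dict(zip(keys, struct.unpack_from(ROW, pe, pe_off + 0xF8 + i * 0x28)))
            for i in range(count)]                            # F8h: PE32 with E0h optional header
    for r in rows:
        r["name"] = r["name"].rstrip(b"\0").decode("latin-1")
    return image_size, align, rows

def check(pe):
    """Return a list of inconsistencies; empty means the header edits agree with each other."""
    image_size, align, rows = section_table(pe)
    problems, end = [], 0
    for r in rows:
        if r["roff"] + r["rsize"] > len(pe):
            problems.append(f"{r['name']}: raw data runs past the end of the file")
        if r["vaddr"] % align or r["vaddr"] < end:
            problems.append(f"{r['name']}: virtual offset misaligned or overlapping")
        end = r["vaddr"] + -(-r["vsize"] // align) * align    # round size up to alignment
    if image_size != end:
        problems.append(f"image size {image_size:X}h, sections end at {end:X}h")
    return problems

def sample(image_size=0x5000):
    """Constructed stand-in for the edited file (not the real AddSection.exe)."""
    pe = bytearray(0xD10)                                     # file ends at D0F
    struct.pack_into("<I", pe, 0x3C, 0xB0)                    # PE signature at B0
    pe[0xB0:0xB4] = b"PE\0\0"
    struct.pack_into("<H", pe, 0xB6, 4)                       # 3 sections + the new one
    struct.pack_into("<I", pe, 0xB0 + 0x38, 0x1000)           # section alignment
    struct.pack_into("<I", pe, 0x100, image_size)
    rows = [(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),   # constructed
            (b".rdata", 0x200, 0x2000, 0x200, 0x600, 0x40000040),  # constructed
            (b".data", 0x400, 0x3000, 0x400, 0x800, 0xC0000040),   # constructed
            (b".Sun", 0x110, 0x4000, 0x110, 0xC00, 0xC0000040)]    # values from the text
    for i, row in enumerate(rows):
        struct.pack_into(ROW, pe, 0x1A8 + i * 0x28, *row)     # table starts at B0h + F8h
    return bytes(pe)

if __name__ == "__main__":
    print(check(sample()))          # all three header edits made
    print(check(sample(0x4000)))    # Image Size left at its old value
```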