Manually adding a section to a PE file - by Sunshine

Download Example File: tut_addsec.zip

1. Introduction

Sometimes a new section is useful if there is not enough place to insert your code somewhere else in the PE. I know a lot of editors etc. are able to make this for you. But doing this by hand has one advantage: you learn very much about the PE file format, especially about sections. So lets begin!
Tools needed:
- just a hex editor, I use Hex Workshop 32
- a tool which shows the section table so you can check if you did everything right (for example PEditor, Procdump or SectionMaker from my site which can also show the section table.)
- some knowledge about the PE Header

2. Adding additional bytes

First we have a look to our file AddSection.exe. Open it with PEditor or any other prog to see that it has 3 sections:

Section Virtual Size Virtual Offset Raw Size Raw Offset Characteristics
.text 000002C2 00001000 00000400 00000400 60000020
.rdata 000001C2 00002000 00000200 00000800 40000040
.data 000002F8 00003000 00000200 00000A00 C0000040







Open our file with Hex Workshop. Let's say our new section should be 110h bytes long. At the end of the file you see that there are many zeros. So select everything between offset AE0 and BEF (which are 110h bytes), then choose Edit->Copy.

After that, put the cursor to the end of the file and choose Edit->Paste.

So we have our new section. It begins at offset C00 and ends at D0F. Its length is 110h bytes.

3. Modify PE Header

To fix up the PE Header, we have to do the three following things:
- Increase the number of sections (which is at offset 06 in the PE Header!)
- Increase Image Size
- Add our new section to the section table

As you can see, the PE signature is at offset B0. At offset B6 you see 03 00 (which is the DWORD 0003 because you must always reverse the bytes) because we originally have 3 sections. So it's clear that we have to change 0300 to 0400.

Next, we must increase the image size. A thing which is often forgotten. Let's have a look at our file with PEditor. We see that Section Alignment is 1000h and Image Size is 4000h. Because section alignment is 1000h, our new section must also be at least 1000h long. So we must add 1000h to Image Size which is 4000h + 1000h = 5000h. Image size is located at offset 50h in the PE Header (if you don't know this, have a look at my tut "PE File Format Offsets"). So go to B0h + 50h = 100h. Change to bytes 0040 to 0050.




Now we have to add our new section to the section table. The section table starts at offset F8h in the PE Header. One section is 28h bytes long and looks like the following:

+0
Array[8] of byte
Name
+08 DWORD PhysicalAddress / Virtual Size
+0C DWORD VirtualAddress
+10  (16) DWORD SizeOfRawData
+14  (20) DWORD PointerToRawData
+18  (24) dword PointerToRelocations
+1C  (28) DWORD PointerToLineNumbers
+20  (32) WORD NumberOfRelocations
+22  (34) WORD NumberOfLineNumbers
+24  (36) DWORD Characteristics

-> lets call our section .Sun
-> Virtual size is 110h -> 10010000
-> 4000 because section before is at 3000 -> 00400000
-> is 110h -> 10010000
-> we added our new section at C00 -> 000C0000
-> 00000000
-> 00000000
-> 00
-> 00
-> C0000040 (like .data section) -> 400000C0

So add this new data after the last section in the section table which is offset B0h + F8h + 3*28h = 220h. When you do everything right it should look like:

Ok, that's all. Save it and load our new file with PEditor to check if we did everything right. Yeah, it's not too difficult, isn't it? In one of the next tutorials we will add some code to our new section. Keep cool!

Sunshine, January 2002


This Site is part of Sunshine's Homepage