Reputation:
I have a few questions regarding the structure of a Portable Executable.
Now, I found a great start through a couple of well-written articles both here and here; however, I still do not quite have my answer.
I believe, and please, correct me if I'm wrong here, that data in a certain section of the PE structure is what's loaded and run by the operating system. For example, take the .text and the .data sections.
Based on what I've read, the .data section holds instructions of some sort, while the .text section holds the actual data to be run.
I'm curious to know whether or not it's possible to store a file's data in the .text section, and dynamically move it over to the .text section which would then automatically (load/launch/run) the file's data which is now in the .text section.
If you are confused about what I'm asking, allow me to paraphrase.
Upvotes: 1
Views: 1117
Reputation: 2191
For native code PE or PE+ files these questions would be answered a lot differently, and these things would be plausible.
However, for a .NET assembly encapsulated in a PE, things change a lot. The PE/PE+ is just a storage container barely referenced by the OS loader.
You can load into memory an assembly and execute it, so therefore what you propose is theoretically possible. HOWEVER, it has nothing to do with moving code from one section of a PE to another.
You would dynamically allocate read+write virtual memory, write your code to it, change the attributes to read+execute (adding execute, removing write), then invoke the appropriate .NET assembly loader code. Look up the various Invoke methods for that.
Upvotes: 0
Reputation: 28839
Am I correct in thinking that such a functionality would even work?
No :)
It's not clear to me at all what you want to accomplish - you sound like you're talking native PEs because .NET PEs don't really have anything other than data in the PE.
In any case, the PE is mapped by Windows while the module (EXE or DLL) is loaded, so you can't really modify it on the fly.
Upvotes: 1
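As an added illustration (not code from any of the posts above), this Python sketch reads a PE section table and reports, for each section, whether it is marked as code and which protections it requests when the loader maps it; it also lists any section that is both writable and executable. The sample image is constructed and header-only, and the flag values given to .text and .data are assumed typical values, not taken from a real file.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
SCN_CNT_CODE = 0x00000020
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000


def parse_sections(image: bytes):
    """Return [(name, protection string, is_code)] from a PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, 12 bytes skipped, SizeOfOptionalHeader, Characteristics
    _, count, opt_size, _ = struct.unpack_from("<HH12xHH", image, pe_off + 4)
    table = pe_off + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(count):
        name, flags = struct.unpack_from("<8s28xI", image, table + 40 * i)
        prot = "".join(c if flags & bit else "-" for c, bit in
                       (("R", SCN_MEM_READ), ("W", SCN_MEM_WRITE), ("X", SCN_MEM_EXECUTE)))
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), prot, bool(flags & SCN_CNT_CODE)))
    return sections


def writable_and_executable(sections):
    """Names of sections mapped both writable and executable (worth a closer look)."""
    return [name for name, prot, _ in sections if "W" in prot and "X" in prot]


def build_sample():
    """Constructed header-only image: two section headers, no code or data bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    def hdr(name, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0, 0, 0, 0, 0, 0, 0, flags)
    return dos + coff + hdr(b".text", 0x60000020) + hdr(b".data", 0xC0000040)


if __name__ == "__main__":
    for name, prot, is_code in parse_sections(build_sample()):
        print(f"{name:8} {prot} {'code' if is_code else 'data'}")
```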