user725913
user725913

Reputation:

Moving data between sections of Portable Executable (PE)

I have a few questions regarding the structure of a Portable Executable.

Now, I found a great start through a couple of well written articles both here and here; however, I still do not quite have my answer.

I believe, and please, correct me if I'm wrong here, that data in a certain section of the PE structure is what's loaded and run by the operating system. For example, take the .text and the .data sections.

Based on what I've read, the .data section holds instrunctions of some sort, while the .text section holds the actual data to be run.

I'm curious to know whether or not it's possible to store a file's data in the .text section, and dynamically move it over to the .text section which would then automatically (load/launch/run) the file's data which is now in the .text section.

If you are confused about what I'ma asking, allow me to paraphrase.

  1. Where (in what section) is the main data of a file stored?
  2. How would I go about moving data between sections in C#? I'm assuming I'd have to use pointers for this.
  3. Am I correct in thinking that such a functionality would even work?

Upvotes: 1

Views: 1117

Answers (2)

dyasta
dyasta

Reputation: 2191

For native code PE or PE+ files these questions would be answered a lot different, and these things would be plausible.

However, for a .NET assembly encapsulated in a PE, things change a lot. The PE/PE+ is just a storage container barely referenced by the OS loader.

You can load into memory an assembly and execute it, so therefore what you propose is theoretically possible. HOWEVER, it has nothing to do with moving code from one section of a PE to another.

You would dynamically allocate read+write virtual memory, write your code to it, change the attributes to read+execute (adding execute, removing write), then invoke the appropriate .NET assembly loader code. Lookup the various Invoke methods for that.

Upvotes: 0

Am I correct in thinking that such a functionality would even work?

No :)

It's not clear to me at all what you want to accomplish - you sound like you're talking native PEs because .NET PEs don't really have anything other than data in the PE.

In any case, the PE is mapped by Windows while the module (EXE or DLL) is loaded, so you can't really modify it on the fly.

Upvotes: 1

Related Questions