Hello,
I'm manually adding a section to a PE using CFF Explorer.

Here's the PE (after inserting the section):
http://content.screencast.com/users/DELLX/folders/Snagit/media/daedd962-f2e7-4c71-88af-40ffc2a56ccd/09.08.2013-20.36.10.png

Now I'm using this code:
C++
#include <windows.h>
#include <stdio.h>
#include <string.h>

PBYTE base = (PBYTE)GetModuleHandle(0);                 // load address of this module
PIMAGE_DOS_HEADER __IDH = (PIMAGE_DOS_HEADER)base;
PIMAGE_NT_HEADERS __NTHEADER;
__NTHEADER = PIMAGE_NT_HEADERS((DWORD)__IDH + __IDH->e_lfanew);   // e_lfanew = offset of "PE\0\0"
PIMAGE_SECTION_HEADER __SECTIONHEAD = NULL;
for (int i = 0; i < __NTHEADER->FileHeader.NumberOfSections; i++)
{
    // hard-coded: sizeof(IMAGE_NT_HEADERS32) == 248, sizeof(IMAGE_SECTION_HEADER) == 40
    __SECTIONHEAD = (PIMAGE_SECTION_HEADER)((DWORD)base + __IDH->e_lfanew + 248 + (i * 40));
    puts((const char*)__SECTIONHEAD->Name);
    if (!strcmp((const char*)__SECTIONHEAD->Name, ".cdata"))
    {
        // preferred ImageBase from the optional header + section RVA
        char* PtrToData = (char*)((DWORD)__NTHEADER->OptionalHeader.ImageBase + __SECTIONHEAD->VirtualAddress);
        printf("address of cdata=0x%x", PtrToData);
    }
}


It all works well and good, but the pointer calculated to the address of the start of ".cdata" (PtrToData) section does not actually lead me to where that section is in memory. It's just a bunch of random junk.

Does anyone see the problem? Or am I missing something more fundamental about how sections are loaded in memory?

Thank you very much for any help you can give

1 solution

I don't follow your code completely but it looks like you are incorrectly doing pointer arithmetic. The short answer is that you need to do some casting to calculate offsets in bytes.

Consider the code:

C++
char* ch = new char[20];
char* pch = ch + 1;
int* in = new int[20];
int* pin = in + 1;

Note that pch points 1 byte past 'ch', but (surprise!) pin points 4 bytes (sizeof(int)) past 'in'. When you add an integer to a pointer of type 'x', the result is the pointer plus the integer times sizeof(x). It is not pointer plus integer.

You probably want to cast the pointers in your code to be 1 byte fields (i.e. char* or equivalent)...

Comments
Sergey Alexandrovich Kryukov 9-Sep-13 1:25am    
Nice catch even if this is not the only problem, 5ed.
—SA
H.Brydon 9-Sep-13 1:45am    
Thank you Sergey. Agreed, I think that there are probably other issues to address, too.
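The block below is an added example, not code from the question or the answer above. It builds a constructed PE32 image in a heap buffer (so it compiles without windows.h and runs on any OS) and then locates a section the way the Windows loader lays the image out: the section table is found right after the optional header using SizeOfOptionalHeader instead of a hard-coded 248, section names are compared with an 8-byte bound because IMAGE_SECTION_HEADER.Name is not NUL-terminated when it is exactly 8 characters long, and the section's address is computed as the actual mapped base plus VirtualAddress. OptionalHeader.ImageBase is only the preferred base; when the loader maps the module elsewhere (ASLR, or a collision with another module), ImageBase + VirtualAddress points at whatever happens to live at that address rather than at the section. On Windows the actual base is the value GetModuleHandle(0) returns. The struct layouts are copied from winnt.h and trimmed to the fields used; the image contents and the ".cdata" payload are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal PE32 layouts (field names as in winnt.h) so this builds without <windows.h>.
   Only the fields the lookup needs are named; everything else is padding. */
#define IMAGE_DOS_SIGNATURE     0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE      0x00004550  /* "PE\0\0" */
#define IMAGE_SIZEOF_SHORT_NAME 8

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; int32_t e_lfanew; } IMAGE_DOS_HEADER; /* 64 bytes */
typedef struct {
    uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} IMAGE_FILE_HEADER;                                                   /* 20 bytes */
typedef struct { uint32_t Signature; IMAGE_FILE_HEADER FileHeader; } IMAGE_NT_HEADERS_PREFIX; /* optional header follows */
typedef struct {               /* first 32 bytes of IMAGE_OPTIONAL_HEADER32 */
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint, BaseOfCode, BaseOfData;
    uint32_t ImageBase;        /* the *preferred* base; the loader may map the image elsewhere */
} IMAGE_OPTIONAL_HEADER32_PREFIX;
typedef struct {
    uint8_t  Name[IMAGE_SIZEOF_SHORT_NAME];   /* NOT NUL-terminated when the name is 8 chars long */
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers; uint32_t Characteristics;
} IMAGE_SECTION_HEADER;        /* 40 bytes */
#pragma pack(pop)

/* Locate section `name` in the image mapped at `base` (image_size bytes).
   Returns base + VirtualAddress, i.e. where the bytes actually are, or NULL if
   the headers are malformed, truncated, or the section does not exist. */
const uint8_t *find_section(const uint8_t *base, size_t image_size, const char *name,
                            const IMAGE_SECTION_HEADER **out_hdr)
{
    const IMAGE_DOS_HEADER *dos = (const IMAGE_DOS_HEADER *)base;
    if (image_size < sizeof *dos || dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    if (dos->e_lfanew < 0 || (size_t)dos->e_lfanew > image_size - sizeof(IMAGE_NT_HEADERS_PREFIX)) return NULL;
    const IMAGE_NT_HEADERS_PREFIX *nt = (const IMAGE_NT_HEADERS_PREFIX *)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return NULL;

    /* Section table starts immediately after the optional header; using its declared size
       avoids a hard-coded 248 and works for PE32 and PE32+ alike. */
    size_t sect_off = (size_t)dos->e_lfanew + sizeof *nt + nt->FileHeader.SizeOfOptionalHeader;
    size_t nsect = nt->FileHeader.NumberOfSections;
    if (sect_off > image_size || nsect > (image_size - sect_off) / sizeof(IMAGE_SECTION_HEADER)) return NULL;
    const IMAGE_SECTION_HEADER *sh = (const IMAGE_SECTION_HEADER *)(base + sect_off);

    for (size_t i = 0; i < nsect; i++) {
        /* bounded compare: strcmp would read past an 8-char Name */
        if (strncmp((const char *)sh[i].Name, name, IMAGE_SIZEOF_SHORT_NAME) != 0) continue;
        if ((uint64_t)sh[i].VirtualAddress + sh[i].VirtualSize > image_size) return NULL;
        if (out_hdr) *out_hdr = &sh[i];
        return base + sh[i].VirtualAddress;   /* actual base + RVA, not ImageBase + RVA */
    }
    return NULL;
}

/* What the question computed: preferred ImageBase + RVA. Correct only if the
   loader honored ImageBase, which it need not do. */
uintptr_t preferred_address(const uint8_t *base, const IMAGE_SECTION_HEADER *sh)
{
    const IMAGE_DOS_HEADER *dos = (const IMAGE_DOS_HEADER *)base;
    const IMAGE_OPTIONAL_HEADER32_PREFIX *opt =
        (const IMAGE_OPTIONAL_HEADER32_PREFIX *)(base + dos->e_lfanew + sizeof(IMAGE_NT_HEADERS_PREFIX));
    return (uintptr_t)opt->ImageBase + sh->VirtualAddress;
}

static void set_section(IMAGE_SECTION_HEADER *s, const char *name, uint32_t rva, uint32_t size)
{
    memset(s, 0, sizeof *s);
    size_t n = strlen(name); if (n > IMAGE_SIZEOF_SHORT_NAME) n = IMAGE_SIZEOF_SHORT_NAME;
    memcpy(s->Name, name, n);                 /* 8-char names get no terminator, as in real files */
    s->VirtualAddress = rva; s->VirtualSize = size; s->SizeOfRawData = size; s->PointerToRawData = rva;
}

/* Constructed PE32 image (not a real file): ".textbss" at RVA 0x1000 and ".cdata" at
   RVA 0x2000 holding `payload`. Preferred ImageBase is 0x00400000, but the buffer
   lives wherever malloc put it, which is exactly the relocated-module situation. */
uint8_t *build_fake_image(size_t *size, const char *payload)
{
    const size_t image_size = 0x3000;
    uint8_t *img = calloc(1, image_size);
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)img;
    dos->e_magic = IMAGE_DOS_SIGNATURE; dos->e_lfanew = 0x80;          /* room for a DOS stub */
    IMAGE_NT_HEADERS_PREFIX *nt = (IMAGE_NT_HEADERS_PREFIX *)(img + dos->e_lfanew);
    nt->Signature = IMAGE_NT_SIGNATURE;
    nt->FileHeader.Machine = 0x14c;                                   /* IMAGE_FILE_MACHINE_I386 */
    nt->FileHeader.NumberOfSections = 2;
    nt->FileHeader.SizeOfOptionalHeader = 224;                        /* sizeof(IMAGE_OPTIONAL_HEADER32) */
    IMAGE_OPTIONAL_HEADER32_PREFIX *opt = (IMAGE_OPTIONAL_HEADER32_PREFIX *)(nt + 1);
    opt->Magic = 0x10B; opt->ImageBase = 0x00400000;
    IMAGE_SECTION_HEADER *sh = (IMAGE_SECTION_HEADER *)((uint8_t *)opt + nt->FileHeader.SizeOfOptionalHeader);
    set_section(&sh[0], ".textbss", 0x1000, 0x1000);
    set_section(&sh[1], ".cdata",   0x2000, 0x1000);
    size_t n = strlen(payload); if (n > 0xFFF) n = 0xFFF;
    memcpy(img + 0x2000, payload, n);                                 /* calloc keeps it NUL-terminated */
    *size = image_size;
    return img;
}

int main(void)
{
    size_t sz; uint8_t *img = build_fake_image(&sz, "hello from .cdata");
    const IMAGE_SECTION_HEADER *hdr = NULL;
    const uint8_t *p = find_section(img, sz, ".cdata", &hdr);
    if (!p) { puts(".cdata not found"); return 1; }
    printf("mapped base        %p\n", (void *)img);
    printf(".cdata actual      %p -> \"%s\"\n", (const void *)p, (const char *)p);
    printf(".cdata via ImageBase 0x%lx (wrong unless mapped at ImageBase)\n", (unsigned long)preferred_address(img, hdr));
    free(img);
    return 0;
}
```

The same lookup works against a live module on Windows by passing the pointer from GetModuleHandle(0) as `base` and SizeOfImage from the optional header as `image_size`; only the struct definitions need to come from windows.h instead.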

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)