
Adding a section to NTOSKRNL.EXE - Issues



Hello. I have been trying to do something similar to this but with NTOSKRNL.EXE and the other 3 similar exe files.

I have been unable to add a section to the file like I can with ntdll.dll.

How I added a section to ntdll.dll:

  • I made a blank file and added the code I wanted to add to ntdll.dll with HxD
  • Opened CFF Explorer and clicked "Section Headers" in the sidebar.
  • Right clicked the space below the last section and clicked "Add Section (File Data)" and chose the file with the new code.

Programs I tried when trying to add a section to NTOSKRNL.EXE:

  • CFF Explorer (Same process as ntdll.dll)
  • LordPE (Invalid RVAs)
  • PEMaker (Couldn't make new section)

Does anyone have info that could help me?



2 hours ago, win32 said:

Why don't you try Stud_PE?

Thank you for the suggestion. It works exactly how I need it to except for one thing.

The one thing is that after adding a section, the Import Address Table Directory RVA is invalid. Is this important? If it is, does anyone know a way to fix this?

Edited by Ximonite
spelling error

On 5/26/2020 at 11:50 PM, Ximonite said:

Thank you for the suggestion. It works exactly how I need it to except for one thing.

The one thing is that after adding a section, the Import Address Table Directory RVA is invalid. Is this important? If it is, does anyone know a way to fix this?

The only problem in Windows 2000 to this day is that UMDF 1.0 is not supported for Windows 2000 for MTP running in Windows Media Player 11. This thing worries me a lot.


12 hours ago, Ximonite said:

The one thing is that after adding a section, the Import Address Table Directory RVA is invalid. Is this important? If it is, does anyone know a way to fix this?

What tool states that it's invalid? My test modifications seem to be fine with CFF Explorer and stud_pe. I don't know much about this stuff, but putting the new sections at the end shouldn't affect the sections before it, I think... try maybe adjusting the virtual offset of the section that corresponds to the import address table?

We should page @blackwingcat since he would obviously know about this stuff.

Edited by win32

13 hours ago, win32 said:

What tool states that it's invalid? My test modifications seem to be fine with CFF Explorer and stud_pe. I don't know much about this stuff, but putting the new sections at the end shouldn't affect the sections before it, I think... try maybe adjusting the virtual offset of the section that corresponds to the import address table?

 

CFF Explorer stated that it was invalid. I figured out that I need to change the value of the Import Address Table Directory RVA to the same value as SizeOfHeaders.

 

 cff.png

stud.png
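To check, independently of any one PE editor, whether a data directory such as the Import Address Table still points into the headers or a section after a section has been added, the sketch below parses the headers and reports where each directory RVA lands. It is an added example, not part of the original thread; `build_sample` produces constructed test headers (one `.text` section starting at an RVA equal to SizeOfHeaders), not the real layout of NTOSKRNL.EXE.

```python
import struct

IAT = 12  # index of the Import Address Table entry in the data directory array

def parse_pe(data):
    """Return (SizeOfHeaders, sections, data directories) from PE bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    dd = opt + (96 if magic == 0x10B else 112)                   # PE32 vs PE32+
    count = min(struct.unpack_from("<I", data, dd - 4)[0], 16)   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(count)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, max(vsize, rsize)))
    return size_of_headers, sections, dirs

def check_directories(data):
    """Map each used directory index to (rva, size, location); None = unmapped."""
    size_of_headers, sections, dirs = parse_pe(data)
    report = {}
    for idx, (rva, size) in enumerate(dirs):
        # Entry 4 (certificate table) stores a file offset, not an RVA: skip it.
        if idx == 4 or (rva == 0 and size == 0):
            continue
        where = "headers" if rva + size <= size_of_headers else None
        for name, va, span in sections:
            if va <= rva and rva + size <= va + span:
                where = name
        report[idx] = (rva, size, where)
    return report

def build_sample(iat_rva, iat_size=0x40):
    """Constructed PE32 headers: SizeOfHeaders 0x400, one section .text at RVA 0x400."""
    buf = bytearray(0x400)
    buf[0:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)                      # e_lfanew
    # Machine, NumberOfSections, three unused fields, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 1, 0, 0, 0, 224, 0)
    struct.pack_into("<H", buf, 0x98, 0x10B)                     # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 60, 0x400)                # SizeOfHeaders
    struct.pack_into("<I", buf, 0x98 + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 0x98 + 96 + 8 * IAT, iat_rva, iat_size)
    struct.pack_into("<8sIII", buf, 0x98 + 224, b".text", 0x200, 0x400, 0x200)
    return bytes(buf)
```

Running `check_directories` on the file before and after the edit and comparing the entry for index 12 shows whether the tool moved the directory or merely reports it differently.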

 
