Ximonite Posted May 26, 2020

Hello. I have been trying to do something similar to this but with NTOSKRNL.EXE and the other 3 similar exe files. I have been unable to add a section to the file like I can with ntdll.dll.

How I added a section to ntdll.dll:
- I made a blank file and added the code I wanted to add to ntdll.dll with HxD
- Opened CFF Explorer and clicked "Section Headers" in the sidebar.
- Right clicked the space below the last section and clicked "Add Section (File Data)" and chose the file with the new code.

Programs I tried when trying to add a section to NTOSKRNL.EXE:
- CFF Explorer (Same process as ntdll.dll)
- LordPE (Invalid RVAs)
- PEMaker (Couldn't make new section)

Does anyone have info that could help me?

jumper Posted May 26, 2020

NTOSKRNL.EXE is a system driver. User mode library PE tools won't work on it. Sorry, that's all I know.

win32 Posted May 27, 2020

Why don't you try Stud_PE? I tried adding sections to ntkrnlpa.exe from XP SP3 filled with random binary data and zeros and it worked.

http://www.cgsoftlabs.ro/studpe.html

Ximonite Posted May 27, 2020 (Author)

2 hours ago, win32 said:
Why don't you try Stud_PE?

Thank you for the suggestion. It works exactly how I need it to except for one thing. The one thing is that after adding a section, the Import Address Table Directory RVA is invalid. Is this important? If it is, does anyone know a way to fix this?

Edited May 27, 2020 by Ximonite: spelling error

dencorso Posted May 27, 2020

39 minutes ago, Ximonite said:
Is this important? If it is, does anyone know a way to fix this?

windows2 Posted May 27, 2020

On 5/26/2020 at 11:50 PM, Ximonite said:
Thank you for the suggestion. It works exactly how I need it to except for one thing. The one thing is that after adding a section, the Import Address Table Directory RVA is invalid. Is this important? If it is, does anyone know a way to fix this?

The only problem in Windows 2000 to this day is that UMDF 1.0 is not supported for Windows 2000 for MTP running in Windows Media Player 11. This thing worries me a lot.

win32 Posted May 27, 2020

12 hours ago, Ximonite said:
The one thing is that after adding a section, the Import Address Table Directory RVA is invalid. Is this important? If it is, does anyone know a way to fix this?

What tool states that it's invalid? My test modifications seem to be fine with CFF Explorer and stud_pe.

I don't know much about this stuff, but putting the new sections at the end shouldn't affect the sections before it, I think... try maybe adjusting the virtual offset of the section that corresponds to the import address table?

We should page @blackwingcat since he would obviously know about this stuff.

Edited May 27, 2020 by win32

Ximonite Posted May 28, 2020 (Author)

13 hours ago, win32 said:
What tool states that it's invalid? My test modifications seem to be fine with CFF Explorer and stud_pe. I don't know much about this stuff, but putting the new sections at the end shouldn't affect the sections before it, I think... try maybe adjusting the virtual offset of the section that corresponds to the import address table?

CFF Explorer stated that it was invalid. I figured out that I need to change the value of the Import Address Table Directory RVA to the same value as SizeOfHeaders.
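
The check discussed in the last posts, as an added example that is not part of the thread: a small Python parser that reads a PE32 header and reports which section, if any, contains the Import Address Table directory RVA. The sample headers are constructed, and the layout where the first section begins at the RVA equal to SizeOfHeaders is an assumption for illustration, not taken from any NTOSKRNL.EXE build.

```python
import struct

IAT_INDEX = 12  # IMAGE_DIRECTORY_ENTRY_IAT in the PE data directory array

def parse_pe32(data):
    """Return (SizeOfHeaders, data directories, sections) from a PE32 header."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    # NumberOfSections at +2, SizeOfOptionalHeader at +16 of the COFF header
    n_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers handled")
    # SizeOfHeaders at +60, NumberOfRvaAndSizes at +92, directories from +96
    size_of_headers, n_dirs = struct.unpack_from("<I28xI", data, opt + 60)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i  # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))
    return size_of_headers, dirs, sections

def section_of(rva, size, sections):
    """Name of the section that fully contains [rva, rva+size), else None."""
    for name, vaddr, vsize in sections:
        if vaddr <= rva and rva + size <= vaddr + vsize:
            return name
    return None

def iat_status(data):
    """Return (IAT directory RVA, containing section name or None)."""
    _, dirs, sections = parse_pe32(data)
    rva, size = dirs[IAT_INDEX]
    return rva, section_of(rva, size, sections)

def build_sample(size_of_headers, text_rva, iat_rva):
    """Constructed PE32 header: one .text section, only the IAT directory set."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I28xI", opt, 60, size_of_headers, 16)
    struct.pack_into("<II", opt, 96 + 8 * IAT_INDEX, iat_rva, 0x40)
    sec = struct.pack("<8sII", b".text", 0x1000, text_rva) + b"\0" * 24
    return dos + b"PE\0\0" + coff + bytes(opt) + sec
```

With the constructed headers, `iat_status(build_sample(0x600, 0x600, 0x400))` resolves to no section, while `iat_status(build_sample(0x600, 0x600, 0x600))` resolves to `.text`.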