Luigi Auriemma

I need a way to add a new code section to an exe file, as I am working on something that requires a lot of new space.
I have tried using LordPE to create a new section at the end, however it is always written over with data (From the section before it I think) when the program runs.
Could you give me some information about why this happens and if it's possible to stop?
Or if there's a better way to add code.
Thanks

uhmmm don't know if it can help but PEditor has a better and simpler (imho) handling of the sections (you can even import the content of the section from a file after you add it)

Study PE file format. Then if you wish to add new section you have to add section header to the PE header and your content somewhere in the file. Then fix all offsets inside PE header (pointer to raw data ....)

The last section in the file has a much larger virtual size than real size ... what exactly does that mean?
(I'd appreciate a link to a good description of the PE format)
thanks again...

the difference between the virtual and real size is caused by the alignment (SectionAlignment and FileAlignment if my memory helps me).

exist various explanations of the PE format and how to add new sections on internet but some are more or less complex, for example the following has an example of doing it using just a hex editor:

http://gafur2008.multiply.com/journal/item/26

I implemented the adding of new sections in my exestringz tool and I can affirm that doing it is really easy :)

I read that tutorial ... very interesting.
Do you know where the tutorial about adding code to the new section is? It was mentioned, but I couldn't find it.

no, anyway it's an easy job to do.
you must simply replace the old offsets in the executed code with the new one.
this is a good job for a hex editor and quickrva (http://aluigi.org/mytoolz.htm#quickrva).

imagine to have the following situation:
00412345 push 00555555 // string: "the string you want to modify"

now if your new section starts (for example) at the memory offset 00700000 you put this value in quickrva (rva field) and it will show the file offset, put the new string at that file offset with a hex editor, then put 00412345 in quickrva and get the file offset of the instruction you want to change.
go to the new file offset (for example 0x12345) and you will see something like 68 55 55 55 00 that you must substituite with 68 00 00 70 00

naturally mine is only a quick example

Hmm, still having problems with using the new section.
If, for example, a section starting at 0x1000 had a real size of 1000, and a virtual size of 2000, could it overwrite data at 0x2600?

don't think to the virtual or real size at the moment because you decide this size in the section you add, so use the same and no problem

Well yeah, I'm wondering if the previous section (.data I think) could be writing onto my new section virtually or something. (I don't know if that's possible, just wondering)

no, the sections can't be overlapped, so there is no risk

Well, I still seem to be having problems...
Just to get this straight: If I create a new section, regardless of the virtual size of the previous section, it will not have data written onto it, it won't be used to store anything, and should remain blank except for what I put into it.
Is that correct?

depends by the program you use for creating the section, normally it should append a blank section (filled of zeroes) at the end of the executable where you can put your data through a hex editor or a more advance editor.
if you have problems with that program which creates the section I can write on the fly a quick tool which does the job, something like: tool.exe file.exe section_name section_size

Sorry to bring this up again, but I am still having difficulties with using the new section.
Here is what I am doing so far:
1) Adding some bytes to the end of the file with a hex editor
2) Using a PE editor to add a new section, adjust image size, etc.
At this point, everything works fine, the file still loads, etc.
Now, I want to access this code section from OllyDbg, since it's easy to add instructions with it (OllyDbg), however when I try to jump to the virtual offset where the section should start, it says 'No memory on address' or something like that.
I have also tried jumping to the actual offset, but that of course doesn't work.
How do I determine what offset to jump to? Or, am I doing something else wrong?

after you load the executable in olly go in the "Memory map" ('m' button) and verify if the section you have added is correctly loaded in memory (Owner - Section)