Iczelion's PE Tutorial 5

zhaozj, 2021-02-11

Tutorial 5: Section Table

THEORY:

Up to this tutorial we have learned about the DOS header and the PE header. What remains is the section table. The section table is an array of structures that immediately follows the PE header; the number of array members is given by the NumberOfSections field in the file header (IMAGE_FILE_HEADER). The structure itself is called IMAGE_SECTION_HEADER:

    IMAGE_SIZEOF_SHORT_NAME equ 8

    IMAGE_SECTION_HEADER STRUCT
        Name1 db IMAGE_SIZEOF_SHORT_NAME dup(?)
        union Misc
            PhysicalAddress dd ?
            VirtualSize dd ?
        ends
        VirtualAddress dd ?
        SizeOfRawData dd ?
        PointerToRawData dd ?
        PointerToRelocations dd ?
        PointerToLinenumbers dd ?
        NumberOfRelocations dw ?
        NumberOfLinenumbers dw ?
        Characteristics dd ?
    IMAGE_SECTION_HEADER ENDS

Again, not all members are useful. I'll describe only the ones that are really important.

Field: Meaning

Name1: The real name of this field is "Name", but "name" is a MASM keyword, so we have to use "Name1" instead. This member contains the name of the section. Note that the maximum length is 8 bytes. The name is just a label, nothing more; you can use any name or even leave this field blank. Note that there is no mention of a terminating null: the name is not an ASCIIZ string, so do not expect it to be null-terminated. A name that uses all 8 bytes runs straight into the Misc field, so copy it into a zeroed 9-byte buffer before treating it as a string.

VirtualAddress: The RVA of the section. The PE loader examines and uses the value in this field when it maps the section into memory. Thus if the value in this field is 1000h and the PE file is loaded at 400000h, the section will be loaded at 401000h.

SizeOfRawData: The size of the section's data in the file, rounded up to the next multiple of FileAlignment. The PE loader examines the value in this field so it knows how many bytes of the section it should read from the file. Misc.VirtualSize is the size the section occupies in memory: if it is larger than SizeOfRawData the remainder is zero-filled by the loader (this is how uninitialized data gets its space), and if it is smaller only VirtualSize bytes of the raw data are used.

PointerToRawData: The file offset of the beginning of the section's data. The PE loader uses the value in this field to find where the section's data is in the file.

Characteristics: Contains flags describing the section, such as whether it contains executable code (IMAGE_SCN_CNT_CODE), initialized data (IMAGE_SCN_CNT_INITIALIZED_DATA) or uninitialized data (IMAGE_SCN_CNT_UNINITIALIZED_DATA), and whether it can be executed, read or written (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE). The loader sets the page protection of the mapped section from these flags.

Now that we know about the IMAGE_SECTION_HEADER structure, let's see how we can emulate the PE loader's job:

1. Read NumberOfSections in IMAGE_FILE_HEADER so we know how many sections there are in the file.
2. Move the file pointer to the section table. The table immediately follows the optional header, so its file offset is e_lfanew + 4 + SIZEOF IMAGE_FILE_HEADER + SizeOfOptionalHeader. (SizeOfHeaders in the optional header is the combined size of all the headers including the section table, rounded up to FileAlignment; it marks where the headers end, not where the section table begins.)
3. Walk the structure array, examining each member. For each structure, obtain the value in PointerToRawData and move the file pointer to that offset. Then read the value in SizeOfRawData so we know how many bytes to read from the file (at most VirtualSize bytes are kept; any remainder of VirtualSize is zero-filled). Read the value in VirtualAddress and add the value in ImageBase to it to get the virtual address the section should start at. Then we are ready to map the section into memory and set the attributes of the memory according to the flags in Characteristics.
4. Walk the array until all the sections are processed.

Note that we did not make use of the name of the section: it's not really necessary. Note also that a loader, or any tool that emulates one, must treat every one of these fields as untrusted input: NumberOfSections, PointerToRawData + SizeOfRawData and VirtualAddress + VirtualSize must be checked against the file size and SizeOfImage before they are used as offsets, or a crafted file will make the tool read or write outside its buffers.

EXAMPLE:

This is the source code of the example:

    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\comdlg32.inc
    include \masm32\include\user32.inc
    include \masm32\include\comctl32.inc
    includelib \masm32\lib\comctl32.lib
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\comdlg32.lib

    IDD_SECTIONTABLE equ 104
    IDC_SECTIONLIST  equ 1001

    SEH struct
        PrevLink       dd ?    ; the address of the previous SEH structure
        CurrentHandler dd ?    ; the address of the new exception handler
        SafeOffset     dd ?    ; the offset where it's safe to continue execution
        PrevEsp        dd ?    ; the old value in esp
        PrevEbp        dd ?    ; the old value in ebp
    SEH ends

    .data
    AppName              db "PE Tutorial No.5", 0
    ofn                  OPENFILENAME <>
    FilterString         db "Executable Files (*.exe, *.dll)", 0, "*.exe;*.dll", 0
                         db "All Files", 0, "*.*", 0, 0
    FileOpenError        db "Cannot open the file for reading", 0
    FileOpenMappingError db "Cannot open the file for memory mapping", 0
    FileMappingError     db "Cannot map the file into memory", 0
    FileInValidPE        db "This file is not a valid PE", 0
    template             db "%08lx", 0
    SectionName          db "Section", 0
    VirtualSize          db "V.Size", 0
    VirtualAddress       db "V.Address", 0
    SizeOfRawData        db "Raw Size", 0
    RawOffset            db "Raw Offset", 0
    Characteristics      db "Characteristics", 0

    .data?
    hInstance        dd ?
    buffer           db 512 dup(?)
    hFile            dd ?
    hMapping         dd ?
    pMapping         dd ?
    ValidPE          dd ?
    NumberOfSections dd ?          ; zero-extended copy of FileHeader.NumberOfSections (a WORD)

    .code
    start proc
        LOCAL seh:SEH
        invoke GetModuleHandle, NULL
        mov hInstance, eax
        mov ofn.lStructSize, SIZEOF ofn
        mov ofn.lpstrFilter, OFFSET FilterString
        mov ofn.lpstrFile, OFFSET buffer
        mov ofn.nMaxFile, 512
        mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
        invoke GetOpenFileName, ADDR ofn
        .if eax == TRUE
            invoke CreateFile, addr buffer, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
            .if eax != INVALID_HANDLE_VALUE
                mov hFile, eax
                invoke CreateFileMapping, hFile, NULL, PAGE_READONLY, 0, 0, 0
                .if eax != NULL
                    mov hMapping, eax
                    invoke MapViewOfFile, hMapping, FILE_MAP_READ, 0, 0, 0
                    .if eax != NULL
                        mov pMapping, eax
                        ; install an SEH frame: a truncated or malformed file can make
                        ; the header reads below fault, and the handler treats that as "not a PE"
                        assume fs:nothing
                        push fs:[0]
                        pop seh.PrevLink
                        mov seh.CurrentHandler, offset SEHHandler
                        mov seh.SafeOffset, offset FinalExit
                        lea eax, seh
                        mov fs:[0], eax
                        mov seh.PrevEsp, esp
                        mov seh.PrevEbp, ebp
                        mov edi, pMapping
                        assume edi:ptr IMAGE_DOS_HEADER
                        .if [edi].e_magic == IMAGE_DOS_SIGNATURE
                            add edi, [edi].e_lfanew
                            assume edi:ptr IMAGE_NT_HEADERS
                            .if [edi].Signature == IMAGE_NT_SIGNATURE
                                mov ValidPE, TRUE
                            .else
                                mov ValidPE, FALSE
                            .endif
                        .else
                            mov ValidPE, FALSE
                        .endif
    FinalExit:
                        push seh.PrevLink          ; remove our SEH frame
                        pop fs:[0]
                        .if ValidPE == TRUE
                            call ShowSectionInfo
                        .else
                            invoke MessageBox, 0, addr FileInValidPE, addr AppName, MB_OK or MB_ICONINFORMATION
                        .endif
                        invoke UnmapViewOfFile, pMapping
                    .else
                        invoke MessageBox, 0, addr FileMappingError, addr AppName, MB_OK or MB_ICONERROR
                    .endif
                    invoke CloseHandle, hMapping
                .else
                    invoke MessageBox, 0, addr FileOpenMappingError, addr AppName, MB_OK or MB_ICONERROR
                .endif
                invoke CloseHandle, hFile
            .else
                invoke MessageBox, 0, addr FileOpenError, addr AppName, MB_OK or MB_ICONERROR
            .endif
        .endif
        invoke ExitProcess, 0
        ; never reached: this reference only forces comctl32.dll to be linked in and loaded,
        ; which registers the listview class used by the dialog
        invoke InitCommonControls
    start endp

    ; restores eip/esp/ebp from our SEH frame so execution resumes at FinalExit
    SEHHandler proc uses edx pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
        mov edx, pFrame
        assume edx:ptr SEH
        mov eax, pContext
        assume eax:ptr CONTEXT
        push [edx].SafeOffset
        pop [eax].regEip
        push [edx].PrevEsp
        pop [eax].regEsp
        push [edx].PrevEbp
        pop [eax].regEbp
        mov ValidPE, FALSE
        mov eax, ExceptionContinueExecution
        ret
    SEHHandler endp

    DlgProc proc uses edi esi hDlg:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
        LOCAL lvc:LV_COLUMN
        LOCAL lvi:LV_ITEM
        .if uMsg == WM_INITDIALOG
            mov esi, lParam                ; address of the section table
            mov lvc.imask, LVCF_FMT or LVCF_TEXT or LVCF_WIDTH or LVCF_SUBITEM
            mov lvc.fmt, LVCFMT_LEFT
            mov lvc.lx, 80
            mov lvc.iSubItem, 0
            mov lvc.pszText, offset SectionName
            invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_INSERTCOLUMN, 0, addr lvc
            inc lvc.iSubItem
            mov lvc.fmt, LVCFMT_RIGHT
            mov lvc.pszText, offset VirtualSize
            invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_INSERTCOLUMN, 1, addr lvc
            inc lvc.iSubItem
            mov lvc.pszText, offset VirtualAddress
            invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_INSERTCOLUMN, 2, addr lvc
            inc lvc.iSubItem
            mov lvc.pszText, offset SizeOfRawData
            invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_INSERTCOLUMN, 3, addr lvc
            inc lvc.iSubItem
            mov lvc.pszText, offset RawOffset
            invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_INSERTCOLUMN, 4, addr lvc
            inc lvc.iSubItem
            mov lvc.pszText, offset Characteristics
            invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_INSERTCOLUMN, 5, addr lvc
            mov edi, NumberOfSections      ; loop counter: sections left to display
            mov lvi.imask, LVIF_TEXT
            mov lvi.iItem, 0
            assume esi:ptr IMAGE_SECTION_HEADER
            .while edi > 0
                mov lvi.iSubItem, 0
                ; Name1 is 8 bytes and not null-terminated: zero 9 bytes, then copy at most
                ; 8 characters (lstrcpyn's count includes the terminating null)
                invoke RtlZeroMemory, addr buffer, 9
                invoke lstrcpyn, addr buffer, addr [esi].Name1, 9
                lea eax, buffer
                mov lvi.pszText, eax
                invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_INSERTITEM, 0, addr lvi
                invoke wsprintf, addr buffer, addr template, [esi].Misc.VirtualSize
                lea eax, buffer
                mov lvi.pszText, eax
                inc lvi.iSubItem
                invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_SETITEM, 0, addr lvi
                invoke wsprintf, addr buffer, addr template, [esi].VirtualAddress
                lea eax, buffer
                mov lvi.pszText, eax
                inc lvi.iSubItem
                invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_SETITEM, 0, addr lvi
                invoke wsprintf, addr buffer, addr template, [esi].SizeOfRawData
                lea eax, buffer
                mov lvi.pszText, eax
                inc lvi.iSubItem
                invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_SETITEM, 0, addr lvi
                invoke wsprintf, addr buffer, addr template, [esi].PointerToRawData
                lea eax, buffer
                mov lvi.pszText, eax
                inc lvi.iSubItem
                invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_SETITEM, 0, addr lvi
                invoke wsprintf, addr buffer, addr template, [esi].Characteristics
                lea eax, buffer
                mov lvi.pszText, eax
                inc lvi.iSubItem
                invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_SETITEM, 0, addr lvi
                inc lvi.iItem
                dec edi
                add esi, sizeof IMAGE_SECTION_HEADER
            .endw
        .elseif uMsg == WM_CLOSE
            invoke EndDialog, hDlg, NULL
        .else
            mov eax, FALSE
            ret
        .endif
        mov eax, TRUE
        ret
    DlgProc endp

    ShowSectionInfo proc uses edi
        mov edi, pMapping
        assume edi:ptr IMAGE_DOS_HEADER
        add edi, [edi].e_lfanew
        assume edi:ptr IMAGE_NT_HEADERS
        mov ax, [edi].FileHeader.NumberOfSections
        movzx eax, ax
        mov NumberOfSections, eax
        ; the section table follows the optional header; SIZEOF IMAGE_NT_HEADERS assumes
        ; the standard 0E0h-byte PE32 optional header (FileHeader.SizeOfOptionalHeader)
        add edi, sizeof IMAGE_NT_HEADERS
        invoke DialogBoxParam, hInstance, IDD_SECTIONTABLE, NULL, addr DlgProc, edi
        ret
    ShowSectionInfo endp
    end start

ANALYSIS:

This example reuses the code of the example in PE Tutorial 2. After it verifies that the file is a valid PE, it calls a function, ShowSectionInfo.

    ShowSectionInfo proc uses edi
        mov edi, pMapping
        assume edi:ptr IMAGE_DOS_HEADER
        add edi, [edi].e_lfanew
        assume edi:ptr IMAGE_NT_HEADERS

We use edi as the pointer to the data in the PE file. At first we initialize it to the value of pMapping, which is the address of the DOS header. Then we add the value in e_lfanew to it, so it now contains the address of the PE header.

        mov ax, [edi].FileHeader.NumberOfSections
        movzx eax, ax
        mov NumberOfSections, eax

Read the number of sections from the NumberOfSections field of the file header and store it in a global variable, so the dialog box procedure knows how many IMAGE_SECTION_HEADER structures to walk. The field is a WORD, so it is zero-extended into eax before being stored in the DWORD variable.

        add edi, sizeof IMAGE_NT_HEADERS

edi currently contains the address of the PE header. Adding the size of the PE header to it makes it point to the section table, which immediately follows the PE header. Strictly speaking, the section table begins after the optional header, whose length is given by FileHeader.SizeOfOptionalHeader; SIZEOF IMAGE_NT_HEADERS equals 4 + SIZEOF IMAGE_FILE_HEADER + 0E0h, which is correct for every normal 32-bit PE file but not for a file with a non-standard SizeOfOptionalHeader. A tool that must cope with unusual or hostile files should add 4 + SIZEOF IMAGE_FILE_HEADER + the value of SizeOfOptionalHeader instead.

        invoke DialogBoxParam, hInstance, IDD_SECTIONTABLE, NULL, addr DlgProc, edi

Call DialogBoxParam to show the dialog box containing the listview control. Note that we pass the address of the section table as its last parameter; this value is available in lParam during the WM_INITDIALOG message. In the dialog box procedure, in response to WM_INITDIALOG, we store the value of lParam (the address of the section table) in esi and the number of sections in edi, and then dress up the listview control with its six columns. When everything is ready, we enter a loop that inserts the info about each section into the listview. This part is very simple.

        .while edi > 0
            mov lvi.iSubItem, 0

edi holds the number of sections still to be displayed, so the loop runs once per section. lvi.iSubItem is reset to 0 because the first string of each row, the section name, goes into the first column.

            invoke RtlZeroMemory, addr buffer, 9
            invoke lstrcpyn, addr buffer, addr [esi].Name1, 9
            lea eax, buffer
            mov lvi.pszText, eax

We display the name of the section. Name1 is 8 bytes long and is not null-terminated when the name uses all 8 characters, so we cannot hand it to the listview directly: we zero 9 bytes of buffer and copy at most 8 characters into it (lstrcpyn's count includes the terminating null), which guarantees that the result is a proper ASCIIZ string however the name is stored.

            invoke SendDlgItemMessage, hDlg, IDC_SECTIONLIST, LVM_INSERTITEM, 0, addr lvi

LVM_INSERTITEM creates the row and fills its first column. The remaining fields (Misc.VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData and Characteristics) are each formatted as eight hex digits with wsprintf and put into the following columns with LVM_SETITEM, incrementing lvi.iSubItem before each one. After the last column, lvi.iItem is incremented so the next section gets a new row.

            dec edi
            add esi, sizeof IMAGE_SECTION_HEADER
        .endw

Finally we decrement the count of remaining sections in edi and advance esi by the size of one IMAGE_SECTION_HEADER, so it points to the next structure in the array. The loop ends when edi reaches zero.

The steps in walking the section table are:

1. Verify that the file is a valid PE.
2. Go to the beginning of the PE header (e_lfanew bytes from the start of the file).
3. Obtain the number of sections from the NumberOfSections field in the file header.
4. Go to the section table. It immediately follows the optional header, so add 4 + SIZEOF IMAGE_FILE_HEADER + SizeOfOptionalHeader to the address of the PE header (for a normal PE32 file this sum equals SIZEOF IMAGE_NT_HEADERS, which is what the example uses). If you do not use file mapping, move the file pointer to that offset with SetFilePointer. Note that SizeOfHeaders (a member of IMAGE_OPTIONAL_HEADER) is the combined size of all the headers including the section table, rounded up to FileAlignment: it marks where the headers end, not where the section table begins.
5. Process each IMAGE_SECTION_HEADER structure, checking that PointerToRawData + SizeOfRawData lies within the file before reading the section's data.

Reproduced from: https://www.9cbs.com/read-4642.html
