Results 1 to 2 of 2

Thread: snippet [NODE.JS] Add section to PE EXE x86

  1. #1
    CovetousEyes
    Guest

    snippet [NODE.JS] Add section to PE EXE x86

    Hi! I love Node JS and Reverse Engeneering, so I created code what unite this ones. This NODE.JS snippet added section to PE EXE x86. Maybe code has bugs, but now this module in developing.

    Code:
    var fs = require('fs');
    
    const PE_DosHeader = 0, PE_NtHeaders = 1, PE_FileHeader = 2, PE_OptionalHeader = 3, PE_SectionHeaders = 4, PE_DataDirectories = 5,
    PE_ExportDirectory = 6, PE_ImportDirectory = 7, PE_ResourceDirectory = 8, PE_ExceptionDirectory = 9, PE_SecurityDirectory = 0xa,
    PE_RelocationDirectory = 0xb, PE_DebugDirectory = 0xc, PE_TLSDirectory = 0xd, PE_ConfigurationDirectory = 0xe,
    PE_BoundImportDirectory = 0xf, PE_ImportAddressTableDirectory = 0x10, PE_DelayImportDirectory = 0x11, PE_DotNETDirectory = 0x12;
    
    String.prototype.rtrim = function() {return this.replace(/\0+$/,"");}
    
    function toSectionNameBuf(s) {
      var buf = new Buffer(8);
      buf.fill(0);
      if (s.length > 8) s = s.slice(0, 8);
      buf.write(s, 0, s.length, 'ascii');
      return(buf);};
    
    function alignBy(v, by) {
     return((v%by)?(1+Math.floor(v/by))*by:v)};
    
    function PEFile(){
      this.buf;
      this.peStrucTable;}
                                                                                                                                 
    PEFile.prototype.OpenPE = function(file) {
      this.buf = fs.readFileSync(file);
      var sig = this.buf.toString('ascii', 0, 2)
      if (sig != 'MZ') return(false);                                                            
      var pHeaderPE = this.buf.readUInt16LE(0x3c);
      if (this.buf.readUInt16LE(pHeaderPE) !== 0x4550) return(false);
      var pDataDirectories = pHeaderPE+0x78;
      this.peStrucTable = [0, pHeaderPE, pHeaderPE+0x4, pHeaderPE+44, pHeaderPE+0xf8, pDataDirectories, pDataDirectories,
        pDataDirectories+0x8, pDataDirectories+0x10, pDataDirectories+0x18, pDataDirectories+0x20, pDataDirectories+0x28,
        pDataDirectories+0x30, pDataDirectories+0x48, pDataDirectories+0x50, pDataDirectories+0x58, pDataDirectories+0x60, 
        pDataDirectories+0x68, pDataDirectories+0x70]; 
      return(true);};                                                  
    
    PEFile.prototype.Save = function(name){
      fs.writeFileSync(name, this.buf);};
    
    PEFile.prototype.readByte = function(ofs) {
      return(this.buf[ofs]);}
    
    PEFile.prototype.readWord = function (ofs) {
      return(this.buf.readUInt16LE(ofs));}
    
    PEFile.prototype.readDWord = function (ofs) {
      return(this.buf.readUInt32LE(ofs));}
    
    PEFile.prototype.readQWord = function (ofs) {
      return(this.buf.readDoubleLE(ofs));}
    
    PEFile.prototype.writeByte = function(ofs, val) {
      this.buf[ofs] = val;}
    
    PEFile.prototype.writeWord = function (ofs, val) {
      this.buf.writeUInt16LE(val, ofs);}
    
    PEFile.prototype.writeDWord = function (ofs, val) {
      this.buf.writeUInt32LE(val, ofs);}
    
    PEFile.prototype.writeQWord = function (ofs, val) {
      this.buf.writeDoubleLE(val, ofs);}
      
    PEFile.prototype.getNumberOfSections = function(n){
      return(this.readWord(this.getOffset(PE_FileHeader)+0x2));};
    
    PEFile.prototype.getOffset = function(n){
      return(this.peStrucTable[n % 0x13]);};  
    
    PEFile.prototype.enumSections = function(fEnumProc, lParam){
      var iSections = this.getNumberOfSections();
      for(var i = 0; i < iSections; i++){
        var pSection = this.getOffset(PE_SectionHeaders) + i*0x28;
        var sName = this.buf.toString('ascii', pSection, pSection+8).rtrim();
        fEnumProc.call(this, i, pSection, sName, lParam);};
      return(true);};
    
    PEFile.prototype.findSection = function(sName){
      var pSection = null;
      this.enumSections( function(i, p, s, name) { if (s == name) {pSection = p;} }, sName);
      return(pSection);}
    
    PEFile.prototype.dumpSection = function(sName) {
      var dwVirtualSize, dwRawSize, dwRawAddr, bufSection, bufSectionHeader = new Buffer(0x28), pSection = this.findSection(sName);
      if (!pSection) return(null);
      this.buf.copy(bufSectionHeader, 0, pSection, pSection+0x28);
      dwRawSize = bufSectionHeader.readUInt32LE(0x10);
      dwVirtualSize = bufSectionHeader.readUInt32LE(0x8);
      dwRawAddr = bufSectionHeader.readUInt32LE(0x14);
      if (dwRawSize < dwVirtualSize) dwVirtualSize = dwRawSize;
      bufSection = new Buffer(dwVirtualSize);
      this.buf.copy(bufSection, 0, dwRawAddr, dwRawAddr+dwVirtualSize);
      return(bufSection);};
    
    PEFile.prototype.addSectionHeader = function(name) {
      var pSectionHeaders = this.getOffset(PE_SectionHeaders), pHeaderOffset = 0x28*this.getNumberOfSections()+pSectionHeaders,
      pFirstSectionData = this.readDWord(pSectionHeaders+0x14);
      if (pFirstSectionData <= pHeaderOffset) return(false);
      this.buf.fill(0, pHeaderOffset, pHeaderOffset+0x28);
      toSectionNameBuf(name).copy(this.buf, pHeaderOffset);
      this.writeDWord(pHeaderOffset+0x24, 0xC0000000);          	
      var pSecNum = this.getOffset(PE_FileHeader)+0x2;
      this.writeWord(pSecNum, this.readWord(pSecNum)+1);
      return(true);};
    
    PEFile.prototype.addSectionEmpty = function(name, size, ch){
      if (!this.addSectionHeader(name)) return false;
      var pSectionHeaders = this.getOffset(PE_SectionHeaders), iSect = this.getNumberOfSections(),
      dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
      dwFileAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x38);
      var pLastSectionHdr = pSectionHeaders+(iSect-2)*0x28;
      var pVA = alignBy(this.readDWord(pLastSectionHdr+0x8), dwSectionAligment)+this.readDWord(pLastSectionHdr+0xC);
      var pRA = alignBy(this.readDWord(pLastSectionHdr+0x10), dwFileAligment)+this.readDWord(pLastSectionHdr+0x14);
      var dwSizeRaw = alignBy(size, dwFileAligment);
      var pNewSectionHdr = pSectionHeaders+(iSect-1)*0x28;
      this.writeDWord(pNewSectionHdr+0x8, size);
      this.writeDWord(pNewSectionHdr+0xC, pVA);
      this.writeDWord(pNewSectionHdr+0x10, dwSizeRaw);
      this.writeDWord(pNewSectionHdr+0x14, pRA);
      var b = new Buffer(dwSizeRaw);
      b.fill(0);
      this.buf = Buffer.concat([this.buf, b]);
      return(true)};
    
    PEFile.prototype.addSection = function(name, buf, ch) {
      this.addSectionEmpty(name, buf.length, ch);
      var pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28; 
      buf.copy(this.buf, this.readDWord(pLastSecHdr+0x14));};  
    
    PEFile.prototype.sectionFromRVA = function (rva) {
      var result = null;
      this.enumSections( function(i, p, s, rva){
        var dwVirtualSize = this.readWord(p+0x8), dwVirtualAddress =  this.readWord(p+0xC);
        if (rva >= dwVirtualAddress && rva  < dwVirtualAddress+dwVirtualSize) result = i;}, rva);
      return(result);};
    
    PEFile.prototype.rebuildImageSize = function (){
      var  dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
      pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28;
      var dwSizeImage = alignBy(this.readDWord(pLastSecHdr+0x8), dwSectionAligment)+this.readDWord(pLastSecHdr+0xC);
      this.writeDWord(this.getOffset(PE_FileHeader)+0x4C, dwSizeImage);
      return(true)};
    
    var bufX = new Buffer('I LOVE NODE.JS ! \n(c) CovetousEyes', 'ascii');
    var pef = new PEFile();
    pef.OpenPE('test.EXE');
    pef.addSection('.FUNNY', bufX);
    pef.rebuildImageSize();
    pef.Save('testCracked.exe');
    Attached Files Attached Files
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    This is kinda neat.

    Is it possible to create a signature scanner by abusing regex?

Similar Threads

  1. Trying to decompile a MFC snippet code
    By dion in forum Advanced Reversing and Programming
    Replies: 3
    Last Post: January 23rd, 2013, 07:53
  2. A snippet of time.. ;) uneditted ..
    By BanMe in forum Blogs Forum
    Replies: 0
    Last Post: July 5th, 2009, 16:17
  3. Confusing code snippet
    By VectoR.360 in forum Advanced Reversing and Programming
    Replies: 9
    Last Post: September 20th, 2006, 03:00
  4. c compiler/linker and snippet creator
    By homersux in forum The Newbie Forum
    Replies: 14
    Last Post: July 31st, 2004, 22:16
  5. How to create one section EXE from a multi section exe
    By new_age in forum The Newbie Forum
    Replies: 4
    Last Post: January 27th, 2003, 20:27

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •