[Download] Beginner - Code Caving in a PE file
Posted on: 2016-9-26 09:41 2204
Code Caving in a PE file : Part one
http://prewired.co.ke/2015/10/code-caving-part1.html
Adding Code to an existing Section
This is going to be a quick and dirty code caving guide for anyone interested, although I don't plan to cover the basic details like digging up the Win32 API and the PE file format. Well, I'll make references to existing guides you can use to get familiarized with any concept or tool I think is important. You don't really need to be an assembly expert to get started, but if you already understand the PE file format and the commonly used Win32 APIs you are on a roll.
I intend to make three separate guides on code caving: Part one: adding to an existing section, Part two: enlarging an existing section, and lastly Part three: adding a section to a PE file. Later on I'd possibly do a post on ELF file formats as well. This is the first part and it's easy.
Follow along: this is a "Do With Me" guide and it is straight to the point, avoiding the nitty-gritty stories. In this post, I've made use of the following tools and setup:
WINE on Arch-Linux
OllyDbg Ver 1.10 (Debugger)
LordPE Deluxe (PE file editor)
Gnome-calculator (programming mode)
VirtualBox running Windows XP SP3 (to test the modified files)
WxHexEditor (Hex editor)
Notes (scrap book)
You can follow along with your own setup (Windows/Linux) as long as you have the main tools for this specific blog post: OllyDbg, LordPE and any hex editor. I'll point out the steps that are OS-specific.
Reverse engineering some programs/software might be against the law or provoke someone (try Oracle), so please make sure you have the proper rights to use the file you choose. In this case, I'll be using HeidiSQL for no good reason other than that it's a valid Windows executable file. You can get the same file I'm using and some of the tools on my Git repo or the links at the end of this page.
https://github.com/JohnTroony/PE-CodeCaving.git