16

This question extends from one of the answers to my earlier question: how to save user registration in the exe... (C#).

The idea itself is still very new to me, but it seems plausible. My first attempt of simply appending a string to the exe from inside a different application didn't work. Then I got a little smarter and tried appending bytes. Still no luck.

I've found various documentation on Windows Portable Executable files:

http://en.wikipedia.org/wiki/Portable_Executable

http://msdn.microsoft.com/en-us/magazine/bb985997.aspx

http://msdn.microsoft.com/en-us/windows/hardware/gg463125

Frankly, I understand so little that they're not of much use to me. Of more use, I was able to find a Delphi tutorial that describes the idea of adding a "payload" to the executable. It goes on to say that to do this, you need to let the exe know and also be able to track where you put it... or something to that effect. I have no knowledge of Delphi other than what I can guess from the code itself. http://www.delphidabbler.com/articles?article=7&part=2

What would be most useful is just an example or a link of how to add and retrieve a short piece of information onto the executable. I am going to want to have this operation performed on a C# Forms Application from a Linux server, run as a PHP script. I figure a standalone C++ application which accepts information as arguments should be able to do the trick.

I am open to other ideas, too.

Thank you.

emragins

2 Answers

22

Yes, you append the data outside/after the end of the defined PE image. You can do a simple concatenation if you don't want to deal with the PE header.

For instance "echo abcd >> myprogram.exe" would work, resulting in 'abcd' appended to the end of 'myprogram.exe'. Myprogram.exe would run fine. Then you'd just need to code a way to find your appended data (e.g. traverse header to find end of defined image by finding end of last section, or store a static offset somewhere in the EXE you can later read). For instance, you could store the offset you saved the data at in the last 4 bytes of the file. Then you always know the static offset is at EOF-4.

Alternatively, if you wanted your appended data to get loaded into virtual memory when the process loads, you could actually extend the last section of the PE image and put your data there.

Watch for file alignment on the last section: you'll want to expand to the next file alignment (0x200 or 0x1000 usually), then add your stuff.

As the author of an executable compressor who has seen some weird PEs, let me say there is no steadfast rule that the last section defined in the section table is the last in the image (they could be out of order). That is to say, they can be out of order. However, they are in order 99% of the time unless made by some weird linker or modified with some external utility.

My packer (PECompact) has beta support for 'overlay/extra-data emulation' BTW - meaning it can actually compress this data slapped on the end along WITH the EXE, then emulate its uncompressed form in memory when you do I/O on the EXE file. Alternatively, it can leave the extra-data/overlay on the outside of the file and compress the rest, but adjust reads and writes so the physical offset won't have changed. This is necessary because SO MANY installers and SFX archives actually reference the appended data by a static offset, instead of properly computing its location at runtime by traversing the PE header.

David Hall's link does a little more than you need to do, unless you want to keep the signature. That method does allow preservation/use of digital signing, inserting your data into an expanded certificate area at the end of the file.

You have no need for dealing with the header at all if you don't want to, and don't care about preserving the code signing!

dyasta
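An added example, not code from the answer above or from PECompact, showing both ways the answer describes for locating appended data: traversing the section table to find the end of the defined image, and storing the payload's offset in the last 4 bytes of the file. All function names are made up for this illustration, and the sample file is constructed header-shaped bytes for parsing only (its two sections are listed out of order on purpose).

```python
import struct

def overlay_offset(pe: bytes) -> int:
    """File offset where the defined PE image ends and appended data begins."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    end = table + 40 * n_sections             # at minimum, the headers themselves
    # Take the maximum over ALL sections: table order need not match file order.
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    # On a signed file the certificate table normally lies past this offset too.
    return end

def append_payload(exe: bytes, payload: bytes) -> bytes:
    """Append payload, then its starting offset as a 4-byte little-endian trailer."""
    return exe + payload + struct.pack("<I", len(exe))

def read_payload(blob: bytes) -> bytes:
    """Read the trailer at EOF-4 and cross-check it against the header-derived end."""
    start, = struct.unpack_from("<I", blob, len(blob) - 4)
    if not overlay_offset(blob) <= start <= len(blob) - 4:
        raise ValueError("trailer offset does not point into appended data")
    return blob[start:-4]

def build_sample_pe() -> bytes:
    """Constructed sample: MZ stub, COFF header, two sections in reversed table order."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    def section(name, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, 0x1000,
                           raw_size, raw_ptr, 0, 0, 0, 0, 0)
    table = section(b".data", 0x200, 0x400) + section(b".text", 0x200, 0x200)
    headers = (dos + coff + table).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + b"\0" * 0x200

if __name__ == "__main__":
    tagged = append_payload(build_sample_pe(), b"user=alice;key=EXAMPLE")
    print(hex(overlay_offset(tagged)), read_payload(tagged))
```

Reading only the last table entry of the sample would put the end of the image at 0x400; the maximum over all sections gives 0x600, which is where the appended bytes actually start.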
11

Here is a link to a piece of code I've used to append data to an exe. This is specifically for appending data without breaking the signing of the exe, but the principle should hold for just appending to unsigned executables.

http://blog.barthe.ph/2009/02/22/change-signed-executable/

David Hall
  • 1
    That code appears to insert your data into the defined PE, which would cause your appended data to be loaded into virtual memory with the EXE. That is ok so long as you are not appending megabytes of data, then load time may slow. In other words, that code is oriented towards not breaking sig. See below for alternate description of what you need to do, though no code snippet for ya (sorry). It is really trivial and easier than you are making it out to be. You don't have to 'let the EXE know' crap, in the simplest form of appending data to the end of the file outside the defined PE image. – dyasta Apr 27 '11 at 09:06
  • 1
    For instance "echo abcd >> myprogram.exe" .. Would actually WORK, have 'abcd' appended at the end, and myprogram.exe would run fine. – dyasta Apr 27 '11 at 09:09
  • Actually his code stores it outside the PE, my bad.. but it extends the digital certificate storage length, which is why it 'tricks' the certificate manager into thinking the signature is unbroken. – dyasta Apr 27 '11 at 09:16
  • 2
    A great answer, but sadly this technique seems to no longer be valid: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098 – TheNextman Oct 05 '18 at 21:46
  • 1
    @TheNextman Actually, because there is lots of software (installers etc.) that use this "feature", the patch was released but the "strict authenticode check" has to be enabled manually via registry change(s) – Doc Nov 14 '18 at 13:49