appending data to an exe

This question extensions from one of the answers to my earlier question: how to save user registration in the exe... (C#).

The idea itself is still very new to me, but it seems plausible. My first attempt of simply appending 开发者_开发百科a string to the exe from inside a different application didn't work. Then got a little smarter and tried appending bytes. Still no luck.

I've found various documentations on Windows Portable Executable files:

http://en.wikipedia.org/wiki/Portable_Executable

http://msdn.microsoft.com/en-us/magazine/bb985997.aspx

http://msdn.microsoft.com/en-us/windows/hardware/gg463125

Frankly, I understand so little that they're not of much use to me. Of more use I was able to find a delphi tutorial that describes the idea of adding a "payload" to the executable. It goes on to say that to do this, you need to let the exe know and also be able to track where you put it... or something to that effect. I have no knowledge of delphi other than what I can guess from the code itself. http://www.delphidabbler.com/articles?article=7&part=2

What would be most useful is just an example or a link of how to add and retrieve a short piece of information onto the executable. I am going to want to have this operation performed on a C# Forms Application from a linux server ran as a php script.. I figure a standalone C++ application which accepts information as arguments should be able to do the trick.

I am open to other ideas, too.

Thank you.

Yes, you append the data outside/after the end of the defined PE image. You can do a simple concatenation if you don't want to deal with the PE header.

For instance "echo abcd >> myprogram.exe" would work, resulting in 'abcd' appended to the end of 'myprogram.exe'. Myprogram.exe would run fine. Then you'd just need to code a way to find your appended data (e.g. traverse header to find end of defined image by finding end of last section, or store a static offset somewhere in the EXE you can later read). For instance, you could store the offset you saved the data at in the last 4 bytes of the file. Then you always know the static offset is at EOF-4.

Alternatively, if you wanted your appended data to get loaded into virtual memory when the process loads, you could actually extend the last section of the PE image and put your data there.

Watch for file alignment on last section, you'll want to expand to next file alignment (0x200 or 0x1000 usually), then add your stuff.

As the author of an executable compressor who has seen some weird PEs, let me say there is no steadfast rule that the last section defined in the section table is the last in the image (they could be out of order). That is to say, they can be out of order. However, they are in order 99% of the time unless made by some weird linker or modified with some external utility.

My packer (PECompact) has beta support for 'overlay/extra-data emulation' BTW - meaning it can actually compress this data slapped on the end along WITH the EXE, then emulate its uncompressed form in memory when you do I/O on the EXE file. Alternatively, it can leave the extra-data/overlay on the outside of the file and compress the rest, but adjust reads and writes so the physical offset won't have changed. This is necessary because SO MANY installers and SFX archives actually reference the appended data by a static offset, instead of properly computing its location at runtime by traversing the PE header.

David Hall's link does a little more than you need to do, unless you want to keep the signature. That method does allow preservation/use of digital signing, inserting your data into an expanded certificate area at the end of the file.

You have no need for dealing with the header at all if you don't want to, and don't care about preserving the code signing!

Here is a link to a piece of code I've used to append data to an exe. This is specifically for appending data without breaking the signing of the exe, but the principle should hold for just appending to unsigned executables.

http://blog.barthe.ph/2009/02/22/change-signed-executable/