TL;DR
This guide shows how to add a hidden section (backdoor) to a Portable Executable (PE) file without breaking its functionality. We’ll modify the PE header to include space for our code, then write that code into the new section.
Prerequisites
- A basic understanding of PE file structure.
- A hex editor (e.g., HxD, 010 Editor).
- A disassembler/debugger (e.g., x64dbg, IDA Pro) – optional but helpful for verification.
- The target PE file.
Steps
- Analyze the Target PE File
- Open the PE file in your hex editor.
- Locate the DOS header (usually at offset 0).
- Find the NT headers, starting after the DOS header. The e_lfanew field in the DOS header points to the start of the NT headers.
- Within the NT headers, find the Section Headers. These describe each section of the PE file (e.g., .text, .data, .rsrc). Note their VirtualAddress, SizeOfRawData and RawAddress.
- Determine a suitable location for your backdoor code – typically at the end of the existing sections to avoid overwriting critical data.
- Calculate Space for the Backdoor
- Decide on the size of your backdoor code (in bytes). Keep it relatively small to minimize detection risk and potential instability.
- Add this size to the SizeOfRawData of the last section in the PE file. This will be the new SizeOfRawData for that section.
- Modify Section Header
- In your hex editor, locate the Section Header corresponding to the section you’re extending (usually the last one).
- Change the
SizeOfRawDatafield in that header to reflect the new size (original size + backdoor size). Be careful with endianness!
- Modify PE Header
- Locate the
ImageBasefield within the NT headers. This is the preferred load address of the PE file. You may need to adjust this later if your backdoor code conflicts with existing memory mappings. - Calculate the new size of the entire image by adding the backdoor size to the original image size (found in the optional header). Update the
SizeOfImagefield accordingly.
- Locate the
- Write Backdoor Code
- Locate the RawAddress of the section you modified. This is where your backdoor code will be written on disk.
- In your hex editor, starting at that
RawAddress, write your backdoor code in machine code (e.g., shellcode). Ensure it’s correctly aligned based on the PE file’s architecture.
- Adjust Entry Point (Optional)
- If you want your backdoor to execute immediately upon program startup, modify the
AddressOfEntryPointfield in the NT headers to point to the starting address of your backdoor code within its section. This is often a VirtualAddress. - Alternatively, you can hijack an existing function call by overwriting instructions at the original entry point or another suitable location with a jump to your backdoor code.
- If you want your backdoor to execute immediately upon program startup, modify the
- Update Checksum (Important)
- Modifying the PE file changes its checksum. Update the
Checksumfield in the optional header using a PE checksum calculator or by recalculating it manually. Failure to do so may cause the OS to reject the modified file.
- Modifying the PE file changes its checksum. Update the
- Test and Debug
- Run the modified PE file.
- Use a debugger (e.g., x64dbg) to verify that your backdoor code is executing as expected. Check the entry point, memory mappings, and register values.
- If the program crashes or behaves unexpectedly, review your modifications carefully. Common issues include incorrect header updates, misaligned code, and conflicts with existing memory regions.
Example Shellcode (Windows MessageBox):
6a 04 ; push 4 (message box timeout)68 01 00 00 00 ; push 1 (window handle - null for desktop)68 00 00 00 00 ; push 0 (window title - null)68 00 00 00 00 ; push 0 (message text - null)ff d0 ; inc eaxb8 00 00 00 00 ; mov eax, MessageBoxA address (replace with actual API address)call eax
Disclaimer: This information is for educational purposes only. Backdooring PE files can be used for malicious activities and should not be performed without proper authorization.