Home/ Questions/Q 3968136
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T03:48:21+00:00

My program is combined with some additional data at the end of the original

  • 0

My program is combined with some additional data at the end of the original exe. The program would extract the additional data to disk when running the program.

However my program can’t get the right offset of the appended data after signing the combined executable program.

I compared the signed exe and the original exe, the signing information is appended at the end of the exe. So I’m looking for a Win32 API to get the length of signing segment from the signed program. After that, my program could find the right offset of combined data, then extract them correctly.

Could anyone give me a hint?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I find a tool named PEDump(written by Matt Pietrek for his book) with source code to demonstrate how to get the size of signing information.

    Below is the code extracted from PEDump for my purpose,

    // MakePtr is a macro that allows you to easily add to values (including
// pointers) together without dealing with C's pointer arithmetic.  It
// essentially treats the last two parameters as DWORDs.  The first
// parameter is used to typecast the result to the appropriate pointer type.
#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr) + (DWORD)(addValue))

// Names of the data directory elements that are defined
const char *ImageDirectoryNames[] = {
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT",  // These two entries added for NT 3.51
    "DELAY_IMPORT" };       // This entry added in NT 5

#define NUMBER_IMAGE_DIRECTORY_ENTRYS \
    (sizeof(ImageDirectoryNames)/sizeof(char *))
        HANDLE hFile = (HANDLE)_get_osfhandle(_fileno(getProgramFile()));
        HANDLE hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
        if ( hFileMapping == 0 )
        {
            printf("%s", "Couldn't open file mapping with CreateFileMapping()\n");
        } else {
            LPVOID lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
            if ( lpFileBase == 0 )
            {
                printf("%s", "Couldn't map view of file with MapViewOfFile()\n");
            } else {
                PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)lpFileBase;
                PIMAGE_FILE_HEADER pImgFileHdr = (PIMAGE_FILE_HEADER)lpFileBase;
                // it's EXE file
                if ( dosHeader->e_magic == IMAGE_DOS_SIGNATURE )
                {
                    PIMAGE_NT_HEADERS pNTHeader;
                    DWORD base = (DWORD)dosHeader;

                    pNTHeader = MakePtr( PIMAGE_NT_HEADERS, dosHeader, dosHeader->e_lfanew );

                    PIMAGE_OPTIONAL_HEADER optionalHeader = (PIMAGE_OPTIONAL_HEADER)&pNTHeader->OptionalHeader;
                    for ( int i=0; i < optionalHeader->NumberOfRvaAndSizes; i++)
                    {
                        // DataDirectory[4] represents security directory
                        if ( 4 == i ) {
                            signingLength = optionalHeader->DataDirectory[i].Size;
                            break;
                        }
                    }
                }
                UnmapViewOfFile(lpFileBase);
            }
            CloseHandle(hFileMapping);
        }
    • 0