I've been able to locate the .text section of the module. Knowing the base address of that section and its size, how would I be able to find the other segments of the DLL, like .rdata, .data, .bss, etc.?

John Wayne

1 Answer

You'll make 2 assumptions:

  1. all virtual memory allocations are done in 4k (0x1000) increments
  2. the .text section will (in most cases) be placed after the PE header

So, your goal would be to find the DLL's PE header and parse it to find all the parameters of the other sections, assuming they are present. Using the above assumptions, you would:

  1. Decrement your known base address by 0x1000
  2. Check that this new address is valid (i.e. VirtualQuery)
  3. Check for the presence of the MZ signature starting at the address from (1)
    1. If found, parse the header and you can calculate the offsets based on the header data - you already know where .text is located, extrapolate for other sections the same way.
  4. Repeat a reasonable number of times until you find the header.
PhoeniX
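The page-walk the answer describes, as an added example that is not PhoeniX's code: a portable C sketch that steps back from a known .text address one page at a time until it hits an MZ header whose e_lfanew points at a PE signature, then enumerates the section table (name, RVA, virtual size) from the headers. It runs against a constructed in-memory image; the bounds check on `img`/`img_len` stands in for the VirtualQuery call the answer mentions, which is Windows-only.

```c
#include <stdint.h>
#include <string.h>

#define PAGE 0x1000u
#define IMG_LEN (3 * PAGE)
typedef struct { char name[9]; uint32_t va, vsize; } section_info;
/* Unaligned little-endian accessors (portable; no windows.h needed). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }
/* Step back from the known .text address a page at a time until an "MZ" stub whose e_lfanew
 * points at "PE\0\0" appears. img/img_len bound the readable range (VirtualQuery in a live process). */
const uint8_t *find_pe_header(const uint8_t *img, size_t img_len,
                              const uint8_t *text, unsigned max_pages) {
    const uint8_t *p = text;
    for (unsigned i = 0; i < max_pages; i++) {
        if ((size_t)(p - img) < PAGE) return NULL;         /* would leave the mapping */
        p -= PAGE;
        if (p[0] != 'M' || p[1] != 'Z') continue;
        uint32_t e_lfanew = rd32(p + 0x3c);
        if ((size_t)e_lfanew + 24 > img_len - (size_t)(p - img)) continue;
        if (memcmp(p + e_lfanew, "PE\0\0", 4) == 0) return p;
    }
    return NULL;
}

/* Walk the section table that follows the optional header; returns the count. */
int parse_sections(const uint8_t *hdr, section_info *out, int max) {
    const uint8_t *nt = hdr + rd32(hdr + 0x3c);
    uint16_t nsec = rd16(nt + 6), opt_size = rd16(nt + 20); /* NumberOfSections, SizeOfOptionalHeader */
    const uint8_t *sec = nt + 24 + opt_size;                /* first IMAGE_SECTION_HEADER */
    int n = 0;
    for (; n < nsec && n < max; n++, sec += 40) {
        memcpy(out[n].name, sec, 8); out[n].name[8] = '\0';
        out[n].vsize = rd32(sec + 8);                       /* Misc.VirtualSize */
        out[n].va = rd32(sec + 12);                         /* VirtualAddress (RVA) */
    }
    return n;
}

/* Constructed sample, not a real DLL: headers in page 0, .text page 1, .rdata page 2. */
void build_sample_image(uint8_t *img) {
    memset(img, 0, IMG_LEN);
    memcpy(img, "MZ", 2);  wr32(img + 0x3c, 0x80);  memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x86, 2);  wr16(img + 0x94, 0xF0);           /* 2 sections, PE32+ optional header */
    uint8_t *s = img + 0x80 + 24 + 0xF0;
    memcpy(s, ".text", 5);   wr32(s + 8, PAGE);   wr32(s + 12, PAGE);
    memcpy(s + 40, ".rdata", 6);  wr32(s + 48, 0x800);  wr32(s + 52, 2 * PAGE);
}
```

Against a real module, the same loop needs the `max_pages` ceiling the answer recommends, since a DLL with a large or stripped header region may need many steps back before the MZ stub appears.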
  • But you said that you already know where .text is located, no? So why go the long way? Other sections will be in near proximity of it. – PhoeniX Jul 07 '17 at 17:39
  • Another problem is to distinguish between the sections. Do you have more information besides the .text base address and its size? – PhoeniX Jul 07 '17 at 18:03
  • The section does not have a PE header, so I don't know what you are looking at. You can try to filter out all shared memory regions, as most DLLs will have that type of mapping, and look for RE or RWE regions with private allocation. Once you have enumerated all candidates, you will still have trouble zeroing in on sections if you do not have the PE header. With .rdata you might have some luck if the DLL imports functions, as there you should find imported function names. – PhoeniX Jul 07 '17 at 19:16
  • The only thing that comes to my mind is to use heuristics: a. all other sections will follow the .text one. b. VQ will show the same state for each group of pages, so this way you can get the size and base. c. In most cases you can find a big zeroed region at the end of a section, before the next one begins; this could help too. Again, without further information (PE header, code analysis of the .text section) it will be hard to get where you want with 100% validity, because each section is just a chunk of raw data without any metadata. – PhoeniX Jul 07 '17 at 20:29
  • That's unfortunate. What do you mean by code analysis of the .text section? Is there anything specific I could look for in order to help me locate the others? – John Wayne Jul 07 '17 at 20:35
  • I mean, if you can find some information in the .text section that refers to data in .rdata (strings, constants, data patterns, etc.) then you can use it in your search for the other sections. – PhoeniX Jul 07 '17 at 20:39
  • In case there is a string or a value that I am able to recognize and search for, how would I do this without manually analyzing each section in IDA? – John Wayne Jul 07 '17 at 22:07
  • You would not. No info -> no good way to find other sections. You'll get many FPs or other similar errors. – PhoeniX Jul 07 '17 at 22:12