help on manipulating sections for win32 pe files

[nvidia5500]

I've recently hit a wall. I have an exe file, and i wish to add a watermark jpeg file in it. The thing is, I don't want to place that jpeg
in the resources because it can be easily manipulated. So what I'm attempting to do is create a new a data section inside the .exe file
and place the jpeg in it. I've successfully added the new data section by manipulating PIMAGE_NT_HEADERS and  PIMAGE_SECTION_HEADER and
recalculating the fields under PIMAGE_SECTION_HEADER such as PointerToRawData. The exe file is manipulated by a memory-mapping The problem I'm dealing with is that I always get access violations when trying to manipulate PointerToRawData.

Here's my code:
jpgbuf DWORD ? ; address for jpeg buffer
jpgsize DWORD ?
.....
..... 
; After adding the new pe section:
; Trying to manipulate PointerToRawData
push jpgsize
push 0
push section.PointerToRawData
call memset

I've figured out that it wont let me "append" data from the end of the buffer. Is there some way for reallocating a memory mapped file?

[ramguru]

From CreateFileMapping documentation:

Code Select Expand


If an application specifies a size for the file mapping object that is
larger than the size of the actual named file on disk and if the page
protection allows write access (that is, the flProtect parameter specifies
PAGE_READWRITE or PAGE_EXECUTE_READWRITE), then the file on
disk is increased to match the specified size of the file mapping object.


Btw could you explain what this watermark of yours is for ?
For that watermark to be seen on Windows application .. requires some coding u know.
Or will you be just scanning exe for that sequence of bytes ?
In any case .. assembler programmers try to decrease size of application.
Now you want to append some crappy raw data to every exe file..

[nvidia5500]

From CreateFileMapping documentation:

Code Select Expand


If an application specifies a size for the file mapping object that is
larger than the size of the actual named file on disk and if the page
protection allows write access (that is, the flProtect parameter specifies
PAGE_READWRITE or PAGE_EXECUTE_READWRITE), then the file on
disk is increased to match the specified size of the file mapping object.


Btw could you explain what this watermark of yours is for ?
For that watermark to be seen on Windows application .. requires some coding u know.
Or will you be just scanning exe for that sequence of bytes ?
In any case .. assembler programmers try to decrease size of application.
Now you want to append some crappy raw data to every exe file..

Thanks for pointing this out! I kinda misinterpreted the high and low order DWORD arguments for the maximum size. This might
be the reason why I'm getting the access violations. Nope I will not be scanning the sequence, I'll just be using the section table
to find that. It's a specific (client) request btw, I can't really tell the specifics about the application but it really needs some optimizations,
that's why I use masm. Thanks again!