i need help urgently

[dprasanna11]

hi..
im have tried to remove one of the section in the section table..
im not removed .text section..
in my exe two code excute section is there..
i think the second one is due to virus.. so i tried to remove the last section.. after removed the section.. PE explorer changed the image size.. and finaly i saved that modified exe..
after that i tried to run that exe.. it crashed..
i dont know why??

Any body help me..

thanks in advance...

[TechMan]

1. Likely this section was pointed to by other sections.
2. Probably the file verifies its own integrity at load time.
3. If the file has been infected by a virus, you need to figure out what is changed, restore all changes, and restore the original entry point.

[dprasanna11]

thanks for information,,
after removed the section.. i have changed no of section table values..
then i have changed size of image value..
by using raw data offset values i found the starting entry point of virus code and i removed that code..
any otherthing i have to do for removing that section??
how to find this section is linked to other section??

[TechMan]

Sections pointed to by the header are marked by red dots. They cannot be deleted in any way. You can delete only sections marked by green dots:

Sections pointed to by Data Directories are marked by yellow dots. To delete a section pointed to by Data Directories (marked by yellow dot), there are three steps required:

1. Find the names of Pointing Directories first.
2. Switch to the Data Directories screen, select the Pointing Directory and edit its Virtual Address and Size (set in zero in order to remove a pointer).
3. Back to the Section Headers, turn off the checkbox next to the section to be deleted. Note that the yellow dot has become green as the section is no longer pointed to by any of headers.

If warned that the number of sections and size have changed, click "Yes" to update.

[dprasanna11]

im tryin to delete the GREEN dots only..
not others. but its not workin..

[TechMan]

Well... the interaction of the various sections may be very extensive making it very difficult to reveal all the interactions within the file. Unfortunately, some operations cannot be automated, sorry.

[dprasanna11]

thanks for information..
if u have got any solution for this..
pls convey to me..

[dprasanna11]

i got what is the problem, while i removing one section.
Actually some modification made at "Start Entry Point" at the time of adding new section.

So  im removing that section.. i have to change the entry point also..

I dont know what this the value present in the Start Entry Point of the EXE files..

I know how to collect the Start Entry point position..

Give me idea to change the Start Entry Point of the Exe file.

[TechMan]

Yep, that was #3 in my reply: "restore the original entry point".

The Entry Point value can be modified in the Headers Info Viewer. PE Explorer will notify you if the new value falls outside of the permissable range disabling the button.