I want use ImpREC.dll in my unpacker, but it works only on winNT-systems. HOWEVER, GUW32 use THIS ImpREC.dll and successfully rebuild import on win9x! It's a paradox!!!
In my unpacker ImpREC.dll on win9x import looks like:
=============================
KERNEL32.dll 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache KERNEL32.dll 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache 1
FlushInstructionCache
=============================
On WinXP my unpacker works fine, but on win9x import filled FlushInstructionCache functions.

Rebuild function looks like:
BOOL RebuildImport(DWORD pid, DWORD oep_rva, DWORD iat_rva, DWORD nb_recursion, LPTSTR dump_filename);

Syntax of my call on MSVC++ 6.0:
RebuildImport(pi.dwProcessId, 0x401000, 0, 5, m_Dumpname);

What is nb_recursion??? I reversed PEiD Generic Unpacker by Snaker and there found this number. There was 5.
What number must be there??

p.s. sorry for my ugly english

ImpREC.DLL wont work on Win9X on a process which you loaded with the Debug APIs...It's a problem with the way APIs are handled or so on it...I had the problem long ago and discussed with MackT.

A work-around maybe to fire up the process again without Debug APIs and then use that handle to make ImpREC fix imports...