
View Full Version : Import Table: Working with IAT, ImpRec


Panemuckl
July 4th, 2004, 11:29
Hi!

Intro

To get familiar with rebuilding import tables, I've coded a simple application that basically just shows a form:

Code:

// main code (inside WinMain: create the main window and show it)

hWnd = CreateWindow( szAppName,           // window class registered earlier
                     "Title",             // window title
                     WS_OVERLAPPEDWINDOW,
                     CW_USEDEFAULT,       // x
                     CW_USEDEFAULT,       // y
                     400,                 // width
                     300,                 // height
                     NULL,                // parent window
                     NULL,                // menu
                     hInstance,
                     NULL);               // lpParam

ShowWindow(hWnd, iCmdShow);


SIMPLEAPI.EXE OEP: 0x10E0.

Load simpleapi.exe in ImpRec, click "IAT Autosearch".
Since I've entered the correct OEP and the import table is just fine (not screwed up by some packer), it should be easy to locate it.

Autosearch:
Set RVA = 0x12100, size = 0xB8 (how's that???)
-> Located (only) 1 library: kernel32.dll.

Okay, let's try it manually:
Set RVA = 0x12000, size = 0x1000
-> Now it found 3 DLLs ("valid: Yes"), but it also shows a lot of trash: 101 unresolved pointers ("valid: No").

How can this happen? Why does ImpRec show an invalid thunk between 2 valid thunks (Kernel32.dll - ?trash? - GDI32.DLL)? If you follow the raw offsets in the file you won't find that invalid thunk!


Hopefully someone will enlighten me.
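
To see where the "trash" between two valid thunks comes from, here is an added example that is not part of the thread: a Python script that constructs a small .idata section laid out the way a linker emits it (IAT first, then the IMAGE_IMPORT_DESCRIPTOR array, then the import lookup table, then the hint/name strings), parses it through the descriptors as the loader would, and then runs a blind scan that labels every dword in the section the way a region search has to guess. The RVA 0x12000 and the three DLLs are taken from the thread; the API names, the section size and the heuristic in looks_like_hint_name (including the MAX_HINT cut-off) are the example's own assumptions, not ImpRec's algorithm.

```python
import struct

IDATA_RVA = 0x12000   # RVA of the constructed .idata section (the figure from the thread)
IDATA_SIZE = 0x200    # constructed section is small; the real one was 0x1000 bytes
MAX_HINT = 0x1000     # heuristic cut-off: export-name hints above this are implausible
IMPORTS = [("KERNEL32.dll", ["ExitProcess", "GetModuleHandleA"]), ("GDI32.dll", ["TextOutA"]),
           ("USER32.dll", ["CreateWindowExA", "ShowWindow"])]   # constructed, in descriptor order

def build_idata():
    """Lay out IAT, IMAGE_IMPORT_DESCRIPTOR array, ILT and hint/name strings; return (blob, desc_rva)."""
    buf = bytearray(IDATA_SIZE)
    def put(rva, data):
        buf[rva - IDATA_RVA:rva - IDATA_RVA + len(data)] = data
    n_thunks = sum(len(apis) + 1 for _, apis in IMPORTS)  # each DLL's thunk list ends with a null
    iat_rva = IDATA_RVA                                    # IAT first, as in simpleapi.exe (.412000)
    desc_rva = iat_rva + 4 * n_thunks                      # 20-byte descriptors, null-terminated
    ilt_rva = desc_rva + 20 * (len(IMPORTS) + 1)           # import lookup table mirrors the IAT
    name_rva = ilt_rva + 4 * n_thunks                      # WORD hint + ASCIIZ entries, then DLL names
    cur, name_of, dll_name = name_rva, {}, {}
    for _, apis in IMPORTS:
        for api in apis:
            entry = struct.pack("<H", 0) + api.encode() + b"\0"
            entry += b"\0" * (len(entry) % 2)              # hint/name entries are padded to even size
            name_of[api], cur = cur, cur + len(entry)
            put(name_of[api], entry)
    for dll, _ in IMPORTS:
        dll_name[dll], cur = cur, cur + len(dll) + 1
        put(dll_name[dll], dll.encode() + b"\0")
    t = 0
    for i, (dll, apis) in enumerate(IMPORTS):
        put(desc_rva + 20 * i, struct.pack("<IIIII", ilt_rva + 4 * t, 0, 0, dll_name[dll], iat_rva + 4 * t))
        for api in apis:                                   # on disk the IAT holds the same RVAs as the ILT
            put(iat_rva + 4 * t, struct.pack("<I", name_of[api]))
            put(ilt_rva + 4 * t, struct.pack("<I", name_of[api]))
            t += 1
        t += 1                                             # null thunk closes this DLL's list
    return bytes(buf), desc_rva

def u32(buf, rva):
    return struct.unpack_from("<I", buf, rva - IDATA_RVA)[0]

def cstr(buf, rva):
    return buf[rva - IDATA_RVA:buf.index(b"\0", rva - IDATA_RVA)].decode("ascii")

def parse_imports(buf, desc_rva):
    """Walk the descriptor array the way the loader does; returns one dict per DLL."""
    result = []
    while True:
        oft, _stamp, _fwd, name, ft = struct.unpack_from("<IIIII", buf, desc_rva - IDATA_RVA)
        if name == 0:                       # all-zero descriptor terminates the array
            break
        apis, t = [], oft or ft             # prefer the ILT; fall back to the IAT when there is none
        while u32(buf, t):
            entry = u32(buf, t)             # bit 31 set = import by ordinal, else RVA of hint/name
            apis.append("#%d" % (entry & 0xFFFF) if entry & 0x80000000 else cstr(buf, entry + 2))
            t += 4
        result.append({"dll": cstr(buf, name), "iat_rva": ft, "apis": apis})
        desc_rva += 20
    return result

def iat_extent(dlls):
    """(rva, size) covering every DLL's IAT slots plus terminators, from the descriptors alone."""
    lo = min(d["iat_rva"] for d in dlls)
    hi = max(d["iat_rva"] + 4 * (len(d["apis"]) + 1) for d in dlls)
    return lo, hi - lo

def looks_like_hint_name(buf, rva):
    """What a region scanner has to guess: does this dword point at a plausible WORD hint + ASCIIZ name?"""
    if not IDATA_RVA <= rva < IDATA_RVA + IDATA_SIZE - 4:
        return False
    off = rva - IDATA_RVA
    hint = struct.unpack_from("<H", buf, off)[0]
    end = buf.find(b"\0", off + 2)
    name = buf[off + 2:end] if end >= 0 else b""
    return hint < MAX_HINT and 2 <= len(name) <= 64 and all(0x20 < b < 0x7F for b in name)

def blind_scan(buf, start, size):
    """Label every dword in [start, start+size) zero / thunk? / trash; return (label, first_rva, count) runs."""
    out = []
    for rva in range(start, start + size, 4):
        v = u32(buf, rva)
        lab = "zero" if v == 0 else "thunk?" if looks_like_hint_name(buf, v) else "trash"
        if out and out[-1][0] == lab:
            out[-1][2] += 1
        else:
            out.append([lab, rva, 1])
    return [tuple(r) for r in out]

def main():
    blob, desc_rva = build_idata()
    dlls = parse_imports(blob, desc_rva)
    for d in dlls:
        print("%-13s IAT @ %#x: %s" % (d["dll"], d["iat_rva"], ", ".join(d["apis"])))
    print("IAT extent from descriptors: RVA %#x size %#x" % iat_extent(dlls))
    for lab, rva, n in blind_scan(blob, IDATA_RVA, IDATA_SIZE):   # region scan of the whole section
        print("%#x %-6s x%d" % (rva, lab, n))

if __name__ == "__main__":
    main()
```

The descriptor walk reports three DLLs whose IAT slots sit back to back at RVA 0x12000 with a total extent of 0x20 bytes; that is the figure to compare against whatever an autosearch reports. The blind scan over the whole section shows the pattern from the question: a group of plausible thunks, then a run of "trash" (the descriptor fields, which point at thunk arrays and DLL names rather than hint/name entries), then a second group of plausible thunks that is really the import lookup table, then the name strings as more trash. On disk the IAT holds the same RVAs as the ILT; in a running process the loader has overwritten the IAT with real addresses, which is what ImpRec inspects, but the layout argument is the same: a scan of the entire 0x1000-byte section sweeps the descriptors, the ILT and the strings too, and everything that is not an IAT slot shows up as an unresolved pointer.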

evlncrn8
July 4th, 2004, 13:18
why not try and rebuild it manually instead of relying on imprec? that might give you the answers to your questions

Quote:

Unexpectedly, simpleapi_.exe runs! But having a look inside at the IAT, I noticed that GDI32.DLL and USER32.DLL are still missing. So obviously the manual import (+ deleting the invalid thunks) didn't work after all.


wrong, i think u need to learn the pe format a bit more.. gdi32.dll and user32.dll are NOT missing, it's at a different va..

simple exe = iat @ .412000
simple1 exe = iat @ .4161f0 (imprec made a new section .mackt)

Panemuckl
July 4th, 2004, 15:32
>why not try and rebuild it manually instead of relying on imprec? that might give you the answers to your questions

That's exactly what I intend to do. And you're right about the import!
Now I was able to delete the import table (fill with zero) and replace it at the same file offset using ImpRec!

One more question:
Let's take for example that I've unpacked some app and created a new import table (new section) using ImpRec. Since the new section ".mackt" is inserted at the end of the file, it should be possible to remove the old import table (to be exact: the section) safely (as it's not pointed to by the header anymore).

So how do I remove an empty section? Using "Kill section" in ProcDump won't work.

evlncrn8
July 5th, 2004, 04:45
Quote:


Let's take for example that I've unpacked some app and created a new import table (new section) using ImpRec. Since the new section ".mackt" is inserted at the end of the file, it should be possible to remove the old import table (to be exact: the section) safely (as it's not pointed to by the header anymore).

So how do I remove an empty section? Using "Kill section" in ProcDump won't work.


heh you really need to study the pe format a bit more, the reason you can't remove the empty section in your rebuilt exe is because other sections follow it....the 'original' iat is in the .idata section, below it are other sections, .edata, .rsrc and .reloc, removing the .idata section will result in a 'black hole' within the pe image, thus making it invalid, you could remove it but you'd have to either leave it there but make its virtual size 0 so it's filled with 0's when it's loaded, or totally remove it but you'd have to rebase the sections below it or begin merging sections etc.. your main objective should be that in your dump you rebuild the exe, using the original iat and filling it in with the rebuilt information making the dumped exe as similar as you can to the original exe, rebuilding iat by making new sections is sloppy
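
The "black hole" argument, as an added example that is not from the thread: a Python model of a section table with the contiguity rule the loader enforces, namely that each section must begin where the previous one ends, rounded up to SectionAlignment. The table is constructed to match the layout described above (.text, .idata at RVA 0x12000, then .edata, .rsrc, .reloc); the sizes and the 0x1000 alignment are assumptions. It compares three ways of getting rid of the old .idata: deleting the header outright, keeping the header but dropping its raw data so the loader zero-fills the range (done here by setting SizeOfRawData to 0 rather than VirtualSize, so the header keeps its place in the chain), and deleting it while rebasing every later section.

```python
SECTION_ALIGNMENT = 0x1000   # assumed SectionAlignment of the image

# Constructed section table: (Name, VirtualAddress, VirtualSize, SizeOfRawData).
# Section order follows the thread; the sizes are assumed.
SAMPLE = [
    (".text",  0x01000, 0x10A00, 0x10C00),
    (".idata", 0x12000, 0x00500, 0x00600),
    (".edata", 0x13000, 0x00100, 0x00200),
    (".rsrc",  0x14000, 0x00800, 0x00800),
    (".reloc", 0x15000, 0x00300, 0x00400),
]

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def layout_gaps(sections, section_alignment=SECTION_ALIGNMENT):
    """Return (prev_name, expected_va, actual_va) for every break in the section chain.
    The loader maps sections back to back: each one must start at the previous
    section's end rounded up to SectionAlignment, so a missing header leaves a hole."""
    gaps = []
    for (name, va, vsize, raw), (_, next_va, _, _) in zip(sections, sections[1:]):
        span = vsize or raw                      # VirtualSize 0 means "use SizeOfRawData"
        expected = align_up(va + span, section_alignment)
        if next_va != expected:
            gaps.append((name, expected, next_va))
    return gaps

def kill_section(sections, name):
    """Delete the header outright (what a 'Kill section' button does): the range vanishes from the map."""
    return [s for s in sections if s[0] != name]

def blank_section(sections, name):
    """Keep the header and its VirtualSize but drop the raw bytes (SizeOfRawData = 0):
    the loader still reserves the range and zero-fills it, like a .bss section."""
    return [(n, va, vs, 0 if n == name else raw) for n, va, vs, raw in sections]

def remove_and_rebase(sections, name):
    """Delete the header and pull every later section down to close the hole.
    Only the section map is fixed here; in a real file every RVA stored inside the
    moved sections, the data directories and PointerToRawData would need patching too."""
    idx = [s[0] for s in sections].index(name)
    shift = sections[idx + 1][1] - sections[idx][1] if idx + 1 < len(sections) else 0
    return sections[:idx] + [(n, va - shift, vs, raw) for n, va, vs, raw in sections[idx + 1:]]

def main():
    variants = [("original", SAMPLE),
                ("kill .idata", kill_section(SAMPLE, ".idata")),
                ("blank .idata", blank_section(SAMPLE, ".idata")),
                ("remove + rebase", remove_and_rebase(SAMPLE, ".idata"))]
    for title, table in variants:
        gaps = layout_gaps(table)
        verdict = "ok" if not gaps else "hole after %s: expected %#x, next section at %#x" % gaps[0]
        print("%-16s %s" % (title, verdict))

if __name__ == "__main__":
    main()
```

Only the "kill" variant reports a hole: .edata is still recorded at 0x13000 while the chain now expects it at 0x12000. Blanking keeps the chain intact at no cost beyond a zero-filled page at load time, and rebasing closes the hole but, as the docstring notes, moves every RVA in the later sections, which is the work evlncrn8 is pointing at.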

nikolatesla20
July 6th, 2004, 10:24
Quote:
[Originally Posted by evlncrn8]heh you really need to study the pe format a bit more, the reason you can't remove the empty section in your rebuilt exe is because other sections follow it....the 'original' iat is in the .idata section, below it are other sections, .edata, .rsrc and .reloc, removing the .idata section will result in a 'black hole' within the pe image, thus making it invalid, you could remove it but you'd have to either leave it there but make its virtual size 0 so it's filled with 0's when it's loaded, or totally remove it but you'd have to rebase the sections below it or begin merging sections etc.. your main objective should be that in your dump you rebuild the exe, using the original iat and filling it in with the rebuilt information making the dumped exe as similar as you can to the original exe, rebuilding iat by making new sections is sloppy ;)


Your opinion. If you aren't "releasing" it to the public then who cares, in my opinion, functionality is what matters. Not to mention that adding a new section is just much more reliable to work the first time. Work smarter, not harder..

-nt20