                        Import reconstruction 
                        
This small import reconstruction project was developed for my own
needs. Because of the way all my dumps are laid out, none of the
existing import reconstructors was good enough.

One image_import_descriptor is created for each API. This allows
API addresses to be scattered all over the dump while it is still
possible to build a correct and clean IAT (Armadillo IAT shuffling,
for example).


Each resolved API is described by import_struct:

import_struct           struct
        is_address      dd      ?
        is_dlllen       dd      ?
        is_apilen       dd      ?
        is_dllname      db      256     dup(0)
        is_apiname      db      256     dup(0)  
import_struct           ends


is_address      - RVA where the address of the API is stored (first thunk)
is_dlllen       - length of the DLL name for the given API
is_apilen       - length of the API name
is_dllname      - name of the DLL
is_apiname      - full name of the API, or MSB | ordinal for imports by ordinal


Procedures:

get_sys_dir     - args: none; retrieves the system directory and
                  stores it in a separate buffer used by the
                  locate_dll procedure

locate_dll      - in:  eax - api address
                  out: eax - dll name

locate_api      - in:  eax - api address
                  out: eax - address of API or MSB | ordinal

get_imp_size    - in:  stack - pointer to import_struct array
                  out: eax - size of new import table, ecx - number of import descriptors

build_import_table      proc
                        arg     iat_sec_rva:dword
                        arg     is_mem_ptr:dword
                        arg     iat_size:dword
                        arg     id_num:dword
                        
                 - in:
                   iat_sec_rva - RVA of section where IMPORT table is being constructed
                   is_mem_ptr  - pointer to import_structs array
                   iat_size    - size of new iat (ret eax from get_imp_size)
                   id_num      - number of image_import_descriptors (ret ecx from get_imp_size)
                   
adjust_first_thunk - in:  eax - pointer to mapped file
                     out: none

handle_forwards      proc
                     arg     is_mem_ptr:dword

                     rearranges kernel32->ntdll forwards so that the
                     import_structs point at the real exporting DLL

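As an added example (not code from this project), the same layout expressed in Python: one IMAGE_IMPORT_DESCRIPTOR per import_struct, a one-entry INT per API, and FirstThunk pointing back at the original IAT slot, so scattered IAT slots still load correctly. The ENTRIES sample is constructed, and the function names only mirror the assembly procedures by analogy.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # MSB set: import by ordinal (is_apiname convention)
DESC_SIZE = 20                      # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Constructed sample: (is_address, is_dllname, is_apiname) with the IAT slots
# deliberately scattered, as in a shuffled dump. Third entry imports by ordinal.
ENTRIES = [
    (0x1000, "kernel32.dll", "GetProcAddress"),
    (0x1004, "kernel32.dll", "LoadLibraryA"),
    (0x2010, "user32.dll", IMAGE_ORDINAL_FLAG32 | 0x12A),
]

def get_imp_size(entries):
    """Size of the new import table and number of descriptors (like get_imp_size)."""
    n = len(entries)
    size = (n + 1) * DESC_SIZE          # one descriptor per API plus the null terminator
    size += n * 8                       # one-entry INT per API: thunk + null terminator
    for _, dll, api in entries:
        size += len(dll) + 1            # DLL name, NUL terminated
        if isinstance(api, str):
            hn = 2 + len(api) + 1       # IMAGE_IMPORT_BY_NAME: hint + name + NUL
            size += hn + (hn & 1)       # keep hint/name entries word aligned
    return size, n

def build_import_table(iat_sec_rva, entries):
    """Lay out the table as it would sit at iat_sec_rva (like build_import_table)."""
    size, n = get_imp_size(entries)
    blob = bytearray(size)
    desc_off, int_off = 0, (n + 1) * DESC_SIZE
    str_off = int_off + n * 8
    for first_thunk_rva, dll, api in entries:
        name_rva = iat_sec_rva + str_off
        blob[str_off:str_off + len(dll)] = dll.encode()
        str_off += len(dll) + 1
        if isinstance(api, int):
            thunk = api                               # MSB | ordinal, stored as-is
        else:
            thunk = iat_sec_rva + str_off             # RVA of hint/name entry
            blob[str_off + 2:str_off + 2 + len(api)] = api.encode()   # hint stays 0
            hn = 2 + len(api) + 1
            str_off += hn + (hn & 1)
        struct.pack_into("<I", blob, int_off, thunk)  # INT entry; next dword stays 0
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk. The loader
        # walks the INT and writes exactly one address at FirstThunk (the original slot).
        struct.pack_into("<IIIII", blob, desc_off,
                         iat_sec_rva + int_off, 0, 0, name_rva, first_thunk_rva)
        int_off += 8
        desc_off += DESC_SIZE
    return bytes(blob)
```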
What do you do with all this, and how? Check the UPX unpacker sample; it is very well commented.


                                                        With faith in God, deroko/ARTeam
