Imports Fixer Overview

Posted by SuperCRacker, in PE Rebuilders 11 August 2010 · 1,289 views

Get the latest release here
Report bugs, or post suggestions here

Today I decided to present a new tool meant for rebuilding imports that will hopefully replace ImpREC. I called it "Imports Fixer" and for convenience will call it "IF" hereafter.
The project has been private inside SnD for a long time (more than 4 years) and I think the time has come for a first public release. A lot of work and effort has gone into trying to compete with the so beloved ImpREC. For now I will give a general overview of what IF can do, will do and probably can't do (for the moment ;) ). If you are familiar with ImpREC the following explanations shouldn't be problematic.

So for impatient folks who got bored with ImpREC, here is the new Imports Fixer 1.5a *PUBLIC VERSION*

As you can see there are 4 tabs:

Processes & Modules:

To get started, simply select a process from the list; the modules loaded inside the running process are then listed automatically.

You can right-click a process to either dump it or kill it (dumping is more fun than killing ;) )

Well, here is the dumper tool. You can use it in collapsed mode if you do not wish to dump other memory regions and add them to the end of the main dump. You can also dump the PE header or a specific section by right-clicking the desired section.

If you want to add other memory regions to the file, use the dumper tool in expanded mode (by clicking the arrow); you will then get a map view of the memory. Simply drag and drop the selected region into the main dump and it will be added automatically (be sure not to exceed the maximum number of sections allowed).

IT & IAT

Get Imports: retrieves the thunks starting from the beginning of the IAT and tries to resolve each one to an API
Load Imports: loads imports from a previously saved tree
Save Imports: saves the imports tree

Write Imports: writes the import table to the dumped file
Show invalid thunks: shows the thunks that could not be resolved

Clear Imports: speaks for itself ;)

Enter the OEP and press the IAT auto search button to search for a possible valid IAT. If it fails, try to fill in the IAT RVA and Size manually.
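As an added illustration (not IF's own code, which is not public), here is a toy Python model of the three steps described above: the IAT auto search over a dumped region, resolving each thunk to module!API, and flagging the thunks that cannot be resolved. The module map, the export addresses and the dumped bytes are constructed sample data.

```python
import struct
# Constructed data, not IF's own: loaded-module map name -> (base, size, {export: VA})
MODULES = {
    "kernel32.dll": (0x7C800000, 0xF6000, {"LoadLibraryA": 0x7C801D7B, "GetProcAddress": 0x7C80AE40}),
    "user32.dll": (0x7E410000, 0x91000, {"MessageBoxA": 0x7E4507EA}),
}
EXPORT_BY_VA = {va: (mod, api) for mod, (_, _, exp) in MODULES.items() for api, va in exp.items()}

def module_for(value):
    """Name of the loaded module whose mapped range contains `value`, or None."""
    for mod, (base, size, _) in MODULES.items():
        if base <= value < base + size:
            return mod
    return None

def iat_auto_search(dump, dump_rva, min_run=3):
    """First run of >= min_run 32-bit slots pointing into loaded modules; zero slots inside
    the run are per-DLL terminators, trailing zeros are trimmed. -> (iat_rva, iat_size) | None"""
    slots = [struct.unpack_from("<I", dump, i)[0] for i in range(0, len(dump) - 3, 4)]
    start = None
    for i, val in enumerate(slots + [0xFFFFFFFF]):  # sentinel closes a trailing run
        if (val and module_for(val)) or (val == 0 and start is not None):
            start = i if start is None else start
        elif start is not None:
            end = i
            while slots[end - 1] == 0:
                end -= 1
            if end - start >= min_run:
                return dump_rva + start * 4, (end - start) * 4
            start = None
    return None

def get_imports(dump, dump_rva, iat_rva, iat_size):
    """Resolve each IAT thunk to (thunk_rva, value, "module!api" or None). None = invalid thunk:
    junk, or a pointer into a module that is not an export (what 'Show invalid thunks' lists)."""
    entries = []
    for off in range(iat_rva - dump_rva, iat_rva - dump_rva + iat_size, 4):
        val = struct.unpack_from("<I", dump, off)[0]
        if val == 0:
            continue  # per-DLL terminator, not a thunk
        hit = EXPORT_BY_VA.get(val)
        entries.append((dump_rva + off, val, f"{hit[0]}!{hit[1]}" if hit else None))
    return entries

def sample_dump():
    """Constructed .data-like region dumped from RVA 0x3000: junk, IAT, junk."""
    words = [0x11223344, 0, 0x7C801D7B, 0x7C80AE40, 0x7C812345, 0, 0x7E4507EA, 0, 0xDEADBEEF]
    return struct.pack("<%dI" % len(words), *words)
```

On the sample the search returns the IAT at RVA 0x3008 with size 0x14, and the slot at 0x3010 (a pointer into kernel32 that is not an export) comes back as an invalid thunk, which is the case that needs manual editing in the imports tree.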

When you get the imports you will have a set of options:

You can cut or invalidate an API, or show the calls to it:

You can also edit an API manually by double-clicking it:

http://forum.tuts4you.com/uploads/gallery/1281395602/gallery_5231_7_19282.jpg

Hex Editor:

Time for some editing. A hex viewer/editor that works within the executable's image size (the mapped image in memory).

http://forum.tuts4you.com/uploads/gallery/1281395602/med_gallery_5231_7_93820.jpg

Options to search for a sequence of bytes, to go to an address and to modify a byte are also present.

http://forum.tuts4you.com/uploads/gallery/1281395602/med_gallery_5231_7_88868.jpg

Disassembling & Debugging:

This section is under construction. The disassembling part is ready, but I wanted to have a fully working debugging and disassembling engine before releasing the whole package. If you are curious, here is an overview of what the disassembling looks like:

http://forum.tuts4you.com/uploads/gallery/1281395602/gallery_5231_7_22385.jpg

IF main menu:

Tools:

Converter tool: converts values between different formats (VA: Virtual Address, RVA: Relative Virtual Address, Offset: address on disk).

http://forum.tuts4you.com/uploads/gallery/1281395602/gallery_5231_7_9107.jpg
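The VA/RVA/Offset conversion the converter tool performs, as an added Python example that is not IF's code: it uses a constructed ImageBase, SizeOfHeaders and section table, and handles the case worth getting right, an address that exists in memory but has no bytes on disk (uninitialised data past SizeOfRawData), by returning None instead of a bogus offset.

```python
# Constructed PE layout, not from IF: ImageBase, SizeOfHeaders and a section table of
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), as in the PE headers.
IMAGE_BASE = 0x400000
SIZE_OF_HEADERS = 0x400
SECTIONS = [
    (".text", 0x1000, 0x1234, 0x400, 0x1400),
    (".data", 0x3000, 0x2000, 0x1800, 0x200),  # mostly uninitialised: only 0x200 bytes on disk
    (".rsrc", 0x5000, 0x800, 0x1A00, 0x800),
]

def va_to_rva(va):
    if va < IMAGE_BASE:
        raise ValueError("VA below ImageBase")
    return va - IMAGE_BASE

def rva_to_va(rva):
    return IMAGE_BASE + rva

def section_for_rva(rva):
    """Section whose in-memory extent covers rva. Simplification: the extent is
    max(VirtualSize, SizeOfRawData) without rounding up to SectionAlignment."""
    for sec in SECTIONS:
        _, va, vsize, _, rsize = sec
        if va <= rva < va + max(vsize, rsize):
            return sec
    return None

def rva_to_offset(rva):
    """File offset holding the bytes at rva, or None when they exist only in memory
    (uninitialised data past SizeOfRawData, or an RVA outside every section)."""
    if rva < SIZE_OF_HEADERS:
        return rva  # headers map 1:1 at the start of the file
    sec = section_for_rva(rva)
    if sec is None:
        return None
    _, va, _, raw, rsize = sec
    delta = rva - va
    return raw + delta if delta < rsize else None

def offset_to_rva(offset):
    """Inverse mapping; None for file bytes (e.g. an overlay) that are never mapped."""
    if offset < SIZE_OF_HEADERS:
        return offset
    for _, va, _, raw, rsize in SECTIONS:
        if raw <= offset < raw + rsize:
            return va + (offset - raw)
    return None
```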

Hex calculator: basic assembler-style operations and hex-to-dec / dec-to-hex conversions.

http://forum.tuts4you.com/uploads/gallery/1281395602/gallery_5231_7_9844.jpg

Preferences:

http://forum.tuts4you.com/uploads/gallery/1281395602/gallery_5231_7_27070.jpg

The options are very clear I think; you will get used to them very quickly. As you can see, IF can be hidden in the tray and called when needed:

http://forum.tuts4you.com/uploads/gallery/1281395602/gallery_5231_7_10013.jpg

Help:

Documentation: a detailed help file covering all the functionality supported by IF.

Check for updates: updates IF automatically after detecting a new version.

Next version update list: ongoing info about the updates I'm working on for the next versions.

http://forum.tuts4you.com/uploads/gallery/1281395602/gallery_5231_7_23550.jpg

History: all IF updates since version 1.0.

http://forum.tuts4you.com/uploads/gallery/1281395602/gallery_5231_7_7500.jpg

About: includes the greetingz section.


Well, that's it for today. If you appreciate the work, an encouraging comment would be nice ;) I am not saying at all that it is a perfect tool, but I can say that this is an active project with some nice features and that all suggestions to improve it are welcome.

SC.




This looks like a very promising tool SuperCracker. When will you be releasing it?
Love all the different options :)

Very soon, working on some annoying bugs under x64, won't take that much time. In the meanwhile take time to say goodbye to ImpRec :)

It looks good but... Can you give a few reasons why I should use it instead of ImpRec? ;)
