Tuts 4 You
Imports Fixer Overview

SuperCRacker


Get the latest release here

Report bugs, or post suggestions here

Today I am presenting a new tool for rebuilding imports that I hope will replace ImpREC. I called it "Imports Fixer" and for convenience will call it "IF" hereafter.

The project has been private inside SnD for a long time (more than 4 years) and I think the time has come for a first public release. A lot of work and effort has gone into it so far in order to compete with the much-loved ImpREC. For now I will give a general overview of what IF can do, will do and probably can't do (for the moment ;) ). If you are familiar with ImpREC the following explanations shouldn't be a problem.

So for impatient folks who got bored of ImpREC, here is the new Imports Fixer 1.5a *PUBLIC VERSION*

As you can see there are 4 tabs :

Processes & Modules :

To get started simply select the process from the list and the loaded modules inside the running process will be automatically loaded.

You can right click a process to either dump it or kill it (the dumping is more fun than killing ;) )

Well here is the dumper tool. You can use it in collapsed mode if you do not wish to dump other memory regions and add them to the end of the main dump. You can also dump the PE header or a specific section by right clicking the desired section.

If you want to add other memory regions to the file, use the dumper tool in expanded mode (by clicking the arrow); you will then have a map view of the memory. Simply drag and drop the selected region into the main dump and it will be added automatically (be sure not to exceed the maximum number of sections allowed).
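What the dumper has to do when a memory region is dragged into the main dump, as an added Python example that is not Imports Fixer's own code: the constructed PE32 image, the section names and the 96-section limit of the Windows loader are the example's own assumptions. `add_region` appends the region's bytes, writes a section header for them, updates NumberOfSections and SizeOfImage, and refuses once the section-header area (SizeOfHeaders) is full or the section limit is reached, which is the "max number of sections" caveat above.

```python
"""Added example (not Imports Fixer's own code) of the bookkeeping behind
the dumper's "drag a memory region into the main dump" step.  The PE32
image built by build_dump() is constructed for this example."""
import struct

MAX_SECTIONS = 96                  # images with more are rejected by the loader
SECTION_HDR = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER (40 bytes)
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000
OPT_SIZE_OF_IMAGE, OPT_SIZE_OF_HEADERS = 56, 60   # offsets in the optional header


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_dump():
    """Constructed PE32 dump: DOS header, NT headers and one .text section."""
    image = bytearray(0x400)                            # SizeOfHeaders
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)           # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x58                                          # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", image, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", image, opt + 28, 0x400000)   # ImageBase
    struct.pack_into("<I", image, opt + 32, SECTION_ALIGN)
    struct.pack_into("<I", image, opt + 36, FILE_ALIGN)
    struct.pack_into("<I", image, opt + OPT_SIZE_OF_IMAGE, 0x2000)
    struct.pack_into("<I", image, opt + OPT_SIZE_OF_HEADERS, 0x400)
    struct.pack_into("<I", image, opt + 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into(SECTION_HDR, image, opt + 224, b".text", 0x1000, 0x1000,
                     0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    image += b"\x90" * 0x200                            # raw .text bytes
    return image


def _headers(image):
    """Offsets of the file header, optional header and section table, plus
    the current section count."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    file_hdr = e_lfanew + 4
    n_sec = struct.unpack_from("<H", image, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt = file_hdr + 20
    return file_hdr, opt, opt + opt_size, n_sec


def read_sections(image):
    """All section headers as tuples (name, VirtualSize, VirtualAddress, ...)."""
    _, _, table, n_sec = _headers(image)
    return [struct.unpack_from(SECTION_HDR, image, table + i * SECTION_HDR_SIZE)
            for i in range(n_sec)]


def size_of_image(image):
    _, opt, _, _ = _headers(image)
    return struct.unpack_from("<I", image, opt + OPT_SIZE_OF_IMAGE)[0]


def add_region(image, name, data):
    """Append a dumped memory region as a new section and return its RVA.
    Raises ValueError when another section header no longer fits."""
    file_hdr, opt, table, n_sec = _headers(image)
    size_of_headers = struct.unpack_from("<I", image, opt + OPT_SIZE_OF_HEADERS)[0]
    if n_sec >= MAX_SECTIONS:
        raise ValueError("section limit of %d reached" % MAX_SECTIONS)
    hdr_off = table + n_sec * SECTION_HDR_SIZE
    if hdr_off + SECTION_HDR_SIZE > size_of_headers:
        raise ValueError("no room left in SizeOfHeaders for another section header")
    # place the region right after the last section, in memory and on disk
    if n_sec:
        last = struct.unpack_from(SECTION_HDR, image, hdr_off - SECTION_HDR_SIZE)
        rva = align_up(last[2] + max(last[1], last[3]), SECTION_ALIGN)
    else:
        rva = align_up(size_of_headers, SECTION_ALIGN)
    raw_ptr = align_up(len(image), FILE_ALIGN)
    raw_size = align_up(len(data), FILE_ALIGN)
    image += b"\0" * (raw_ptr - len(image)) + data + b"\0" * (raw_size - len(data))
    struct.pack_into(SECTION_HDR, image, hdr_off, name.encode()[:8].ljust(8, b"\0"),
                     len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0xC0000040)
    struct.pack_into("<H", image, file_hdr + 2, n_sec + 1)
    struct.pack_into("<I", image, opt + OPT_SIZE_OF_IMAGE,
                     rva + align_up(len(data), SECTION_ALIGN))
    return rva


if __name__ == "__main__":
    img = build_dump()
    print("new section at RVA %#x" % add_region(img, ".dump1", b"\xAA" * 0x123))
    print("sections:", [s[0] for s in read_sections(img)], "SizeOfImage %#x" % size_of_image(img))
```

With a 0x400-byte header area only 17 section headers fit, so the header-room check trips long before the loader's 96-section limit; a dumper that appends regions has to check both.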


IT & IAT


Get Imports : retrieves the thunks starting from the beginning of the IAT and tries to resolve them

Load Imports : loads imports from a previously saved tree

Save Imports : saves the imports tree

Write Imports : writes the import table to the dumped file

Show invalid thunks : shows the thunks that could not be resolved

Clear Imports : speaks for itself ;)

Enter the OEP and press the IAT auto search button to search for a possible valid IAT. If it fails, try to fill in the IAT RVA and Size manually.
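The two steps just described, IAT auto search and Get Imports, as an added Python example that is not Imports Fixer's code. The module map, the export addresses and the dumped image are all constructed; `iat_auto_search` looks for the longest run of pointers into loaded modules (tolerating the single NULL slot that separates one DLL's group from the next) and `get_imports` resolves each slot, reporting a pointer that lands inside a module but not on an export as an invalid thunk, which is what the Show invalid thunks view lists.

```python
"""Toy model of the "IAT auto search" and "Get Imports" steps of an import
rebuilder.  Added example, not Imports Fixer's own code: the module map,
export addresses and the dumped image are all constructed so it runs offline.
The dump is treated as a raw copy of the mapped image, so offset == RVA."""
import struct

PTR = 4                      # 32-bit image: one IAT slot is 4 bytes
IMAGE_BASE = 0x00400000      # constructed image base of the dumped process

# Constructed loaded-module map: name -> (base, size, {export VA: api name}).
# A real tool builds this from the process's module list and export tables.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x100000, {
        0x7C80ABC0: "GetProcAddress",
        0x7C801D7B: "LoadLibraryA",
        0x7C80B741: "ExitProcess",
    }),
    "user32.dll": (0x7E410000, 0x90000, {
        0x7E4208D5: "MessageBoxA",
    }),
}


def module_of(va):
    """Name of the loaded module whose range contains va, or None."""
    for name, (base, size, _exports) in MODULES.items():
        if base <= va < base + size:
            return name
    return None


def resolve_thunk(value):
    """Resolve one IAT slot value to 'module!api'.  A value that lands inside
    a module but not on an export (e.g. redirected by a packer) is an invalid
    thunk and yields None, as does a value outside every module."""
    name = module_of(value)
    if name is None:
        return None
    api = MODULES[name][2].get(value)
    return f"{name}!{api}" if api else None


def build_dump():
    """Constructed dump: 0x100 bytes of code, an IAT whose DLL groups are
    each followed by a NULL slot, then unrelated data."""
    code = b"\x90" * 0x100
    iat = struct.pack("<7I",
                      0x7C80ABC0, 0x7C801D7B,
                      0x7C80FFFF,           # inside kernel32, not an export
                      0x7C80B741, 0,
                      0x7E4208D5, 0)
    tail = b"\x00" * 0x10 + struct.pack("<I", IMAGE_BASE + 0x1000) + b"\xCC" * 0x20
    return code + iat + tail


def iat_auto_search(image):
    """Return (rva, size) of the longest run of slots whose values point into
    a loaded module.  A single zero slot may sit inside a run (the terminator
    between two DLL groups); two or more zeros, or any other value that is not
    a module pointer, end the run."""
    slots = [struct.unpack_from("<I", image, off)[0]
             for off in range(0, len(image) - PTR + 1, PTR)]
    best_start, best_len = 0, 0
    start = last_valid = None
    for k, value in enumerate(slots):
        if module_of(value) is not None:
            if start is None or k - last_valid > 2:
                start = k
            last_valid = k
            if k - start + 1 > best_len:
                best_start, best_len = start, k - start + 1
        elif value != 0:
            start = last_valid = None
    return best_start * PTR, best_len * PTR


def get_imports(image, iat_rva, iat_size):
    """Walk the IAT and resolve every non-zero slot; 'api' is None for an
    invalid thunk (what the Show invalid thunks view would list)."""
    entries = []
    for off in range(iat_rva, iat_rva + iat_size, PTR):
        value = struct.unpack_from("<I", image, off)[0]
        if value:
            entries.append({"rva": off, "value": value, "api": resolve_thunk(value)})
    return entries


def invalid_thunks(entries):
    """RVAs of the IAT slots that could not be resolved."""
    return [e["rva"] for e in entries if e["api"] is None]


if __name__ == "__main__":
    dump = build_dump()
    rva, size = iat_auto_search(dump)
    print(f"IAT candidate: RVA {rva:#x}, size {size:#x}")
    for e in get_imports(dump, rva, size):
        print(f"{e['rva']:08X}  {e['value']:08X}  {e['api'] or '<invalid thunk>'}")
```

The search reports the span up to the last resolvable pointer; a rebuilder that writes the table back wants the trailing NULL terminator included as well, which is the kind of adjustment the manual IAT RVA and Size fields are there for.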

When you get imports you will have a set of options.

You can cut, invalidate or show calls for an API.

You can also edit an API manually by double clicking it.

Hex Editor :

Time for some editing. A hex viewer/editor that covers the executable's in-memory image (up to its image size).

Options to search for a sequence of bytes, go to an address and modify a byte are also present.

Disassembling & Debugging :

This section is under construction. The disassembling part is ready, but I wanted a fully working debugging and disassembling engine before releasing the whole package. If you are curious, here is an overview of what the disassembling will look like.

IF main menu :

Tools :

Converter tool : converts values between formats (VA : Virtual Address, RVA : Relative Virtual Address, Offset : address on disk).
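The conversions behind a converter tool like the one above, as an added Python example that is not the tool's own code: the image base, section alignment and section table are constructed for the example. The point a practitioner wants handled is the failure case: `rva_to_offset` returns None for bytes that exist only in memory (uninitialised data beyond SizeOfRawData, a .bss section) and `offset_to_rva` returns None for overlay data past the last section, instead of silently computing a number.

```python
"""Added example (not Imports Fixer's own code) of VA / RVA / file offset
conversion driven by a PE section table.  Image base and sections are
constructed for this example."""
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int      # Misc.VirtualSize
    raw_pointer: int       # PointerToRawData
    raw_size: int          # SizeOfRawData


IMAGE_BASE = 0x00400000
SECTION_ALIGN = 0x1000
SIZE_OF_HEADERS = 0x400     # headers are mapped 1:1 from offset 0

# Constructed section table.  .data is mostly uninitialised (raw < virtual)
# and .bss exists only in memory (no raw data at all).
SECTIONS = [
    Section(".text",  0x1000, 0x3A00, 0x0400, 0x3C00),
    Section(".rdata", 0x5000, 0x0C00, 0x4000, 0x0E00),
    Section(".data",  0x6000, 0x0800, 0x4E00, 0x0200),
    Section(".bss",   0x7000, 0x1000, 0x0000, 0x0000),
]


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def va_to_rva(va):
    if va < IMAGE_BASE:
        raise ValueError(f"{va:#x} is below the image base")
    return va - IMAGE_BASE


def rva_to_va(rva):
    return IMAGE_BASE + rva


def rva_to_offset(rva):
    """File offset holding the byte mapped at rva, or None when that byte
    exists only in memory (uninitialised data, .bss, or outside the image)."""
    if rva < SIZE_OF_HEADERS:
        return rva
    for s in SECTIONS:
        mapped = align_up(s.virtual_size, SECTION_ALIGN)
        if s.virtual_address <= rva < s.virtual_address + mapped:
            delta = rva - s.virtual_address
            # the loader copies at most min(SizeOfRawData, mapped size) bytes
            if delta >= min(s.raw_size, mapped):
                return None
            return s.raw_pointer + delta
    return None


def offset_to_rva(offset):
    """RVA at which the byte at file offset is mapped, or None if it is not
    mapped at all (e.g. overlay data past the last section)."""
    if offset < SIZE_OF_HEADERS:
        return offset
    for s in SECTIONS:
        mapped = align_up(s.virtual_size, SECTION_ALIGN)
        delta = offset - s.raw_pointer
        if s.raw_size and 0 <= delta < min(s.raw_size, mapped):
            return s.virtual_address + delta
    return None


def convert(value, kind):
    """Return the VA, RVA and offset forms of value, which is given as
    'va', 'rva' or 'offset'.  Forms that cannot be mapped are None."""
    if kind == "va":
        rva = va_to_rva(value)
    elif kind == "rva":
        rva = value
    elif kind == "offset":
        rva = offset_to_rva(value)
    else:
        raise ValueError("kind must be 'va', 'rva' or 'offset'")
    if rva is None:
        return {"va": None, "rva": None, "offset": value}
    return {"va": rva_to_va(rva), "rva": rva, "offset": rva_to_offset(rva)}


if __name__ == "__main__":
    for value, kind in ((0x00401234, "va"), (0x6500, "rva"), (0x5000, "offset")):
        print(kind, f"{value:#x}", "->", convert(value, kind))
```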

Hex calculator : basic assembler-style operations plus hex-to-dec and dec-to-hex conversions.

Preferences :

The options are very clear I think; you will get used to them very quickly. As you can see, IF can be hidden in the tray and called when needed.

Help :

Documentation : includes a detailed help file covering all functionalities supported by IF.

Check for updates : updates IF automatically after detecting a new version.

Next version update list : gives you ongoing info about the updates I'm working on for the next versions.

History : all IF updates since version 1.0.

About : includes the greetingz section.

Well that's it for today; if you appreciate the work, an encouraging comment would be nice ;)

I am not claiming at all that it is a perfect tool, but I can say that this is an active project with some nice features, and that all suggestions to improve it are welcome.

SC.

Comments

This looks like a very promising tool SuperCracker. When will you be releasing it?

Love all the different options :)

SuperCRacker

Very soon, working on some annoying bugs under x64, won't take that much time. In the meantime take time to say goodbye to ImpRec :)


It looks good but.. Can you give a few reasons why I should use it instead of ImpRec? ;)
