Import Address Tables (IAT)
13 files
-
Adding Imports by Hand
By Teddy Rogers
Building up all the imports information and adding imports (both by hand).
663 downloads
0 comments
Submitted
-
Excercising Imports in Custom Stubs
By Teddy Rogers
When your writing a crypter/packer it is a necessary that you crypt/compress the Import Table and have some mechanism from which you change the Directory entry to point to your own Import Directory. The Import Directory is a must in PEs cause the image wont run if there is no Import Directory, Win2k = nothing and XP = fault (i think), so this tutorial is about this process, still intrested?
149 downloads
0 comments
Submitted
-
Import Address Table Rebuilding
By Teddy Rogers
In this tutorial I will show you how does ImpRec works when it tries to find and validate the Imports from three specific protectors; ASProtect, Yodas Crypter and teLock.
332 downloads
0 comments
Submitted
-
Injective Code Inside Import Table
By Teddy Rogers
Let's imagine we could redirect the thoroughfare of the imported function's entrances into our especial routines by manipulating the import table thunks, it could be possible to filter the demands of the importations through our routines. Furthermore, we could settle our appropriate routine by this performance, which is done by the professional Portable Executable (PE) Protectors, additionally some sort of rootkits employ this approach to embed its malicious code inside the victim by a troy horse.
In reverse engineering world, we describe it as API redirection technique, nevertheless I am not going to accompany all viewpoints in this area by source code, this article merely represents a brief aspect of this technique by a simple code. I will describe other issues in the absence of the source code; I could not release the code which is related to the commercial projects or intended to the malicious motivation, however I think this article could be used as an introduction into this topic.
146 downloads
0 comments
Submitted
-
PE Files Import Table Rebuilding
By Teddy Rogers
Well i wrote this essay because i was working on a process dumper, when I saw that many compressors/encrypters make the Import table unusable, and then, the dumped executables needed to have their import table rebuilt. I saw no essay about this on common win32asm sites, so here is a little help if you are interested in.
276 downloads
0 comments
Submitted
-
Rebuild Manually the IAT & Inject a DLL in a Portable Executable
By Teddy Rogers
This article demonstrates a couple of steps to rebuild the whole IAT table and to inject your DLL in a portable executable file without having to recompile the source code.
258 downloads
0 comments
Submitted
-
Rebuilding the Import Address Table Using Hooked DLL Calls
By Teddy Rogers
For a Reverse Engineer, rebuilding a large Import Address Table (IAT) can be a very time-consuming and tedious process. When the IAT has been sufficiently hashed or munged and current IAT rebuilders fail to resolve any of the calls, there is little other choice than to rebuild it by hand. Depending on the size, it can take days or even weeks. Also, doing anything by hand is prone to mistakes. QuietRIATT is an IDA Pro plug-in which automates the process of rebuilding the IAT when it can't be done by current IAT tools. Not only can it greatly reduce the amount of time spent rebuilding by hand, it also removes the element of human error.
232 downloads
0 comments
Submitted
-
Understanding Import Tables
By Teddy Rogers
There are various documents around explaining PE, but I decided to write about the import table in detail as it is usually an interest to crackers.
230 downloads
0 comments
Submitted
-
Understanding Import Tables - Manually Add Imports
By Teddy Rogers
This tutorial should explain how to add imports to a PE file. I hope I can explain it understandable without forgetting important details. The tutorial structure is following :
Part one: some theoretical words about adding imports manually
Part two: we'll have a look at our simple file I've coded for this tut, then we'll add imports to it.
Bonus Part: we'll inject some code which uses our new imports
210 downloads
0 comments
Submitted
-
Understanding RVA and Import Tables
By Teddy Rogers
After having finally understood the section table of a PE, I started to look at the Import Table. In the Import Table is stored which functions from which DLLs are used by the prog. So it's quite interesting but much more complicated than the section table because we have to use RVAs quite often. I will say some words about them before really starting examining the Import Table.
Tool needed is a hex editor (I use Hex WorkShop). I will describe Import Tables in general and after that we will test our knowledge with an example. You should also have some knowledge about PE file-format. I'm also a beginner so don't blame me if not everything is absolutely right. I just want to help other newbies in understanding the PE file-format. Instead I would be happy if someone would tell me what is wrong! Last word here: Sorry for my bad English, it's not my mother tongue! Ok, lets start.
200 downloads
0 comments
Submitted
-
64-bit Imports Rebuilding and Unpacking
By Teddy Rogers
With 64-bit packers and protectors being released, there is presently a growing need to create new tools to facilitate the manual unpacking process and to make it as trivial as it is now for protected 32-bit executables. I'm proposing two brand-new tools: CHimpREC and CHimpREC-64, allowing the spirit of ImpREC to live on under the best possible compatibility with all the x64 versions of the Windows operating system.
This talk is about explaining the inner-workings of coding a 32-bit imports rebuilder and the problems encountered due to the WoW64 environment and Address Space Layout Randomization. Next, is an overview of the differences between the PE and PE32+ formats and their impact on porting CHimpREC to 64-bit. Finally, 2 or 3 short live unpacking sessions with different examples of 64-bit packers and how trivial it has become to deal with them with the help of CHimpREC-64.
387 downloads
0 comments
Submitted
-
Understanding the Import Address Table
By Teddy Rogers
Import Libraries are dlls that an executable image are bound to. Much of windows core functionailty is found in Dlls that MS provides and is how applications interact with the base windows services.
Function addresses in the binary file of a dll are not static, as new versions come out they are destined to change, so applications cannot be built using a hardcoded function address.
When an executable is first loaded, the Windows loader is responsible for reading in the files PE structure and loading the executable image into memory. One of the other steps it takes is to load all of the dlls that the application uses and map them into the process address space.
The executable also lists all of the functions it will require from each dll. Because the function addresses are not static a mechanism had to be developed that allowed for the these variables to be changed without needing to alter all of the compiled code at runtime.
This was accomplished through the use of an import address table. This is a table of function pointers filled in by the windows loader as the dlls are loaded.
178 downloads
0 comments
Submitted
-
Working With Import Tables
By Teddy Rogers
It has been a little while since I have made tutes because of work problems that I am experiencing, all they know is that perhaps it will speed up soon and until then find new work. It’s probable that this is my last tute. Before not being able to write for a while, until I return back to work, therefore the idea is to make a simple tute, because the truth is I am quite despondent, but I hope to help someone with this, someone that doesn’t have a clear vision of Import tables and their value.Of course what I learned of Import Tables I owe it to Yates and his tutes so if you want to read Yates’ tutes of course go read them. They are very good and will be the best logically.
180 downloads
0 comments
Submitted
-
Download Statistics