Jump to content
Tuts 4 You

Import Address Tables (IAT)

Sign in to follow this  

17 files

  1. Adding Imports by Hand

    Building up all the imports information and adding imports (both by hand).

    13 downloads

    0 comments

    Submitted

  2. ASProtect 1.31 (Fixing the IAT)

    Tutorial explaining the methods involved in rebuilding the IAT of an ASProtect packed and protected target.

    9 downloads

    0 comments

    Submitted

  3. ASProtect 2.11 SKE (Fixing IAT Through Code Injection)

    An example of fixing ASPR 2.11 SKE IAT with code injection.

    12 downloads

    0 comments

    Submitted

  4. ASProtect 2.11 SKE (IAT Rebuilding)

    In this article I'm going to explane the IT's protection: Emulate standard system function, on a TASM\MASM software.

    8 downloads

    0 comments

    Submitted

  5. ASProtect 2.xx (IAT Rebuilding).rar

    The new ASPR has come into scene and some new tricks (based in old onces) have been seen in that packer.The most sophisticated one is IAT destruction and how aspr resolves the IAT addresses in the exe.

    10 downloads

    0 comments

    Submitted

  6. Excercising Imports in Custom Stubs

    When your writing a crypter/packer it is a necessary that you crypt/compress the Import Table and have some mechanism from which you change the Directory entry to point to your own Import Directory. The Import Directory is a must in PEs cause the image wont run if there is no Import Directory, Win2k = nothing and XP = fault (i think), so this tutorial is about this process, still intrested?

    4 downloads

    0 comments

    Submitted

  7. Import Address Table Rebuilding

    In this tutorial I will show you how does ImpRec works when it tries to find and validate the Imports from three specific protectors; ASProtect, Yodas Crypter and teLock.

    12 downloads

    0 comments

    Submitted

  8. Injective Code Inside Import Table

    Let's imagine we could redirect the thoroughfare of the imported function's entrances into our especial routines by manipulating the import table thunks, it could be possible to filter the demands of the importations through our routines. Furthermore, we could settle our appropriate routine by this performance, which is done by the professional Portable Executable (PE) Protectors, additionally some sort of rootkits employ this approach to embed its malicious code inside the victim by a troy horse.

    In reverse engineering world, we describe it as API redirection technique, nevertheless I am not going to accompany all viewpoints in this area by source code, this article merely represents a brief aspect of this technique by a simple code. I will describe other issues in the absence of the source code; I could not release the code which is related to the commercial projects or intended to the malicious motivation, however I think this article could be used as an introduction into this topic.

    4 downloads

    0 comments

    Submitted

  9. PE Files Import Table Rebuilding

    Well i wrote this essay because i was working on a process dumper, when I saw that many compressors/encrypters make the Import table unusable, and then, the dumped executables needed to have their import table rebuilt. I saw no essay about this on common win32asm sites, so here is a little help if you are interested in.

    7 downloads

    0 comments

    Submitted

  10. Rebuild Manually the IAT & Inject a DLL in a Portable Executable

    This article demonstrates a couple of steps to rebuild the whole IAT table and to inject your DLL in a portable executable file without having to recompile the source code.

    9 downloads

    0 comments

    Submitted

  11. Rebuilding the Import Address Table Using Hooked DLL Calls

    For a Reverse Engineer, rebuilding a large Import Address Table (IAT) can be a very time-consuming and tedious process. When the IAT has been sufficiently hashed or munged and current IAT rebuilders fail to resolve any of the calls, there is little other choice than to rebuild it by hand. Depending on the size, it can take days or even weeks. Also, doing anything by hand is prone to mistakes. QuietRIATT is an IDA Pro plug-in which automates the process of rebuilding the IAT when it can't be done by current IAT tools. Not only can it greatly reduce the amount of time spent rebuilding by hand, it also removes the element of human error.

    11 downloads

    0 comments

    Submitted

  12. Understanding Import Tables

    There are various documents around explaining PE, but I decided to write about the import table in detail as it is usually an interest to crackers.

    13 downloads

    0 comments

    Submitted

  13. Understanding Import Tables - Manually Add Imports

    This tutorial should explain how to add imports to a PE file. I hope I can explain it understandable without forgetting important details. The tutorial structure is following :

    Part one: some theoretical words about adding imports manually
    Part two: we'll have a look at our simple file I've coded for this tut, then we'll add imports to it.
    Bonus Part: we'll inject some code which uses our new imports 

    12 downloads

    0 comments

    Submitted

  14. Understanding RVA and Import Tables

    After having finally understood the section table of a PE, I started to look at the Import Table. In the Import Table is stored which functions from which DLLs are used by the prog. So it's quite interesting but much more complicated than the section table because we have to use RVAs quite often. I will say some words about them before really starting examining the Import Table.
    Tool needed is a hex editor (I use Hex WorkShop). I will describe Import Tables in general and after that we will test our knowledge with an example. You should also have some knowledge about PE file-format. I'm also a beginner so don't blame me if not everything is absolutely right. I just want to help other newbies in understanding the PE file-format. Instead I would be happy if someone would tell me what is wrong! Last word here: Sorry for my bad English, it's not my mother tongue! Ok, lets start.

    15 downloads

    0 comments

    Submitted

  15. 64-bit Imports Rebuilding and Unpacking

    With 64-bit packers and protectors being released, there is presently a growing need to create new tools to facilitate the manual unpacking process and to make it as trivial as it is now for protected 32-bit executables. I'm proposing two brand-new tools: CHimpREC and CHimpREC-64, allowing the spirit of ImpREC to live on under the best possible compatibility with all the x64 versions of the Windows operating system.

    This talk is about explaining the inner-workings of coding a 32-bit imports rebuilder and the problems encountered due to the WoW64 environment and Address Space Layout Randomization. Next, is an overview of the differences between the PE and PE32+ formats and their impact on porting CHimpREC to 64-bit. Finally, 2 or 3 short live unpacking sessions with different examples of 64-bit packers and how trivial it has become to deal with them with the help of CHimpREC-64.

    11 downloads

    0 comments

    Submitted

  16. Understanding the Import Address Table

    Import Libraries are dlls that an executable image are bound to. Much of windows core functionailty is found in Dlls that MS provides and is how applications interact with the base windows services.

    Function addresses in the binary file of a dll are not static, as new versions come out they are destined to change, so applications cannot be built using a hardcoded function address.

    When an executable is first loaded, the Windows loader is responsible for reading in the files PE structure and loading the executable image into memory. One of the other steps it takes is to load all of the dlls that the application uses and map them into the process address space.

    The executable also lists all of the functions it will require from each dll. Because the function addresses are not static a mechanism had to be developed that allowed for the these variables to be changed without needing to alter all of the compiled code at runtime.

    This was accomplished through the use of an import address table. This is a table of function pointers filled in by the windows loader as the dlls are loaded.

    14 downloads

    0 comments

    Submitted

  17. Working With Import Tables

    It has been a little while since I have made tutes because of work problems that I am experiencing, all they know is that perhaps it will speed up soon and until then find new work. It’s probable that this is my last tute. Before not being able to write for a while, until I return back to work, therefore the idea is to make a simple tute, because the truth is I am quite despondent, but I hope to help someone with this, someone that doesn’t have a clear vision of Import tables and their value.Of course what I learned of Import Tables I owe it to Yates and his tutes so if you want to read Yates’ tutes of course go read them. They are very good and will be the best logically.

    10 downloads

    0 comments

    Submitted

Sign in to follow this  

×
×
  • Create New...