Tuts 4 You

Question About Packing And The Iat


So if you have a file and you pack it, obviously you lose all the information in the Import Address Table. Well, maybe not lose it, but it's useless because it's never initialized: at the time the PE loader loaded the file, it would never have been set to the function addresses. So then how does the stub make it so that the original code is able to use the program correctly? Does the packer run over the Import Name Table, find everything it is trying to import, and then build a new Import Address Table once the file is loaded up, using LoadLibrary?

So you have something like

CALL DWORD PTR DS:[1063060]

and then that stores an address to the beginning of the function (TlsSetValue) inside of kernel32 at 760D1462.

10636060 -> 760D1462 (kernel32)

But that's in an exe that wasn't packed, so the question is, if it loads it up? Maybe in the packer source code it has an array of all the modules that an exe will require to load up, and then it has some sort of code that fires LoadLibrary inside of the stub? And then GetProcAddress? Then it recreates the Import Address Table?

Now another question is, if it does this, then what about all the code within the program that relies on CALL DWORD PTR [IMAGEBASE+RVA] <-- a call to the original IAT. I am confused on how it handles this. Would the crypter run over that code and replace it with the new IAT location? Or would it...?

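As an added example (not code from the post or from any packer), here is in C what the import-resolving pass of a stub, or of the normal PE loader, does: it walks the import descriptors, looks each name in the INT up, and writes the resolved address into the IAT slot at the same RVA, which is why the original CALL DWORD PTR [imagebase+RVA] instructions need no patching at all. LoadLibrary/GetProcAddress are replaced by a hypothetical resolve() lookup table and the mapped image is a constructed 4 KiB buffer, so it runs outside Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal IMAGE_IMPORT_DESCRIPTOR; field offsets match the real PE layout. */
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDescriptor;
/* Constructed 4 KiB "mapped image": an RVA is simply an offset into this buffer. */
static uint32_t image_words[1024];
#define IMAGE ((uint8_t *)image_words)

/* Hypothetical stand-in for LoadLibrary + GetProcAddress; the addresses are constructed. */
static uint32_t resolve(const char *dll, const char *name) {
    if (!strcmp(dll, "kernel32.dll") && !strcmp(name, "TlsSetValue")) return 0x760D1462;
    if (!strcmp(dll, "kernel32.dll") && !strcmp(name, "ExitProcess")) return 0x760D2000;
    return 0;
}

/* Walk the import directory: for every name in the INT (OriginalFirstThunk) write the
 * resolved address into the IAT slot (FirstThunk) that the original code CALLs through.
 * Slot RVAs never move, so CALL DWORD PTR [imagebase+RVA] keeps working unchanged. */
int rebuild_iat(uint8_t *base, uint32_t import_dir_rva) {
    int resolved = 0;
    for (ImportDescriptor *d = (ImportDescriptor *)(base + import_dir_rva); d->Name; d++) {
        const char *dll = (const char *)(base + d->Name);
        uint32_t *name_rva = (uint32_t *)(base + d->OriginalFirstThunk);
        uint32_t *iat_slot = (uint32_t *)(base + d->FirstThunk);
        for (; *name_rva; name_rva++, iat_slot++) {
            const char *fn = (const char *)(base + *name_rva + 2);  /* skip the hint WORD */
            *iat_slot = resolve(dll, fn);
            if (*iat_slot) resolved++;
        }
    }
    return resolved;
}

static void put32(uint32_t rva, uint32_t v) { memcpy(IMAGE + rva, &v, 4); }
uint32_t get32(uint32_t rva) { uint32_t v; memcpy(&v, IMAGE + rva, 4); return v; }

/* Lay out one descriptor (kernel32.dll, two imports) followed by the zero terminator. */
void build_image(void) {
    memset(IMAGE, 0, sizeof image_words);
    put32(0x100, 0x300); put32(0x10C, 0x200); put32(0x110, 0x500);  /* INT, Name, IAT */
    strcpy((char *)IMAGE + 0x200, "kernel32.dll");
    strcpy((char *)IMAGE + 0x402, "TlsSetValue");  /* 0x400 holds the hint WORD */
    strcpy((char *)IMAGE + 0x412, "ExitProcess");
    put32(0x300, 0x400); put32(0x304, 0x410);      /* INT: name RVAs, zero-terminated */
    put32(0x500, 0x400); put32(0x504, 0x410);      /* IAT on disk mirrors the INT */
}

int main(void) {
    build_image();
    printf("resolved %d imports; IAT[0x500] -> %08X\n", rebuild_iat(IMAGE, 0x100), get32(0x500));
    return 0;
}
```

After the pass, the slot at RVA 0x500 holds the resolved address instead of a name RVA, and an analyst rebuilding imports from a dumped process does the reverse: maps each filled slot back to a module and export name.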