 Welcome to BiW Reversing
 Friday, April 03 2020 @ 07:26 AM CEST

RebuilDing IAT From Scratch Using ImpRec Tutorial

   

Tutorials | Level: intermediate

How to rebuild an IAT from scratch using ImpRec.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$ RebuilDing IAT From Scratch Using ImpRec Tutorial by KaGra $$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$



Tools used: ImpRec and Olly v1.10

This is a tutorial about rebuilding the IAT of unpacked exe files whose import
table has been completely destroyed by the packer/protector. Examples of such
packers are Armadillo and SDProtector. I assume you know the basics, so I won't
go into much detail.

Well, ImpRec has a great feature called Load/Save Tree. You enter the general
structure of the IAT you want ImpRec to create in a txt file, and with Load Tree you
can inject it into the exe. ImpRec will then create this IAT. Save Tree dumps the
current IAT of the exe into a txt file, so you can modify it and load it back
again, or do anything else you like with it.

Assume we have a simple exe (simple.exe in the zip). Just run it, open ImpRec,
select IAT AutoSearch and then Get Imports. Then use Save Tree to dump the IAT to a txt file.
Now open the txt. I will explain its basic format, so you can change anything
you may want (I saved it as simple.txt in the zip):



Target: C:\Documents and Settings\asd\Desktop\simple.exe
OEP: 00001000 IATRVA: 00002000 IATSize: 00000058

FThunk: 00002000 NbFunc: 00000003
1 00002000 kernel32.dll 016F GetModuleHandleA
1 00002004 kernel32.dll 03A0 lstrcmp
1 00002008 kernel32.dll 00B0 ExitProcess

FThunk: 00002010 NbFunc: 00000011
1 00002010 user32.dll 0061 CreateWindowExA
1 00002014 user32.dll 008F DefWindowProcA

bla...bla...bla...




Well, OEP is the Original Entry Point, IATRVA is the relative virtual address where the
IAT starts in the exe, and IATSize is what it says. The first number after the FThunk string
is the RVA of the first API slot in the IAT for the APIs of this DLL, and NbFunc is the
number of APIs in this DLL's block. After the FThunk line come the lines that describe
the APIs. The first number (here 1) says that the API is valid (check simple.txt for
more info about it). The second number is the RVA of the slot that gets filled with the
address of the first opcode of the API this line refers to. Next is a string that
says which DLL holds this API's code, then a number that lets us identify this API by its
relative position among all the other APIs in the IAT, and finally the name of the API.

Let us now look at the IAT of simple.exe, then take a line from simple.txt and
see how the things described in that line show up in the exe. So, the IAT
of simple.exe is this (.rdata section in Olly's memory dump):



00402000 >86 AD E7 77 EC 5D E7 77 FD 98 E7 77 00 00 00 00 w]ww....
00402010 >26 8B D4 77 55 5C D4 77 81 43 D4 77 DC 79 D4 77 &wUwCwyw
00402020 >0A 1A D6 77 8F 43 D4 77 17 60 D4 77 81 9C D4 77 .wCw`ww
00402030 >24 97 D4 77 76 64 D6 77 E9 B9 D4 77 92 BD D4 77 $wvdwww
00402040 >03 6E D5 77 05 79 D4 77 14 79 D4 77 FA 3D D4 77 nwywyw=w
00402050 >89 5B D4 77 00 00 00 00 00 00 00 00 00 00 00 00 [w............
00402060 00 00 00 00 3B 27 F9 3C 00 00 00 00 01 00 00 00 ....;'<.......
00402070 15 0B 00 00 00 00 00 00 00 1E 00 00 00 00 00 00  .............
00402080 3B 27 F9 3C 00 00 00 00 04 00 00 00 10 01 00 00 ;'<.........
00402090 00 00 00 00 18 29 00 00 00 00 00 00 00 00 00 00 ....)..........
004020A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
004020B0 00 00 00 00 F0 20 00 00 00 00 00 00 00 00 00 00 .... ..........
004020C0 76 21 00 00 00 20 00 00 00 21 00 00 00 00 00 00 v!... ...!......
004020D0 00 00 00 00 A2 22 00 00 10 20 00 00 00 00 00 00 ....".. ......
004020E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
004020F0 56 21 00 00 6A 21 00 00 48 21 00 00 00 00 00 00 V!..j!..H!......
00402100 84 21 00 00 96 21 00 00 A8 21 00 00 BC 21 00 00 !..!..!..!..
00402110 CC 21 00 00 DE 21 00 00 EC 21 00 00 00 22 00 00 !..!..!..."..
00402120 0E 22 00 00 1A 22 00 00 28 22 00 00 3A 22 00 00 ".."..("..:"..
00402130 4E 22 00 00 60 22 00 00 70 22 00 00 7E 22 00 00 N"..`"..p"..~"..
00402140 92 22 00 00 00 00 00 00 75 00 45 78 69 74 50 72 "......u.ExitPr
00402150 6F 63 65 73 73 00 11 01 47 65 74 4D 6F 64 75 6C ocess.GetModul
00402160 65 48 61 6E 64 6C 65 41 00 00 D6 02 6C 73 74 72 eHandleA..lstr
00402170 63 6D 70 41 00 00 4B 45 52 4E 45 4C 33 32 2E 64 cmpA..KERNEL32.d
00402180 6C 6C 00 00 58 00 43 72 65 61 74 65 57 69 6E 64 ll..X.CreateWind
00402190 6F 77 45 78 41 00 83 00 44 65 66 57 69 6E 64 6F owExA..DefWindo
004021A0 77 50 72 6F 63 41 00 00 94 00 44 69 73 70 61 74 wProcA...Dispat
004021B0 63 68 4D 65 73 73 61 67 65 41 00 00 B6 00 45 6E chMessageA...En
004021C0 61 62 6C 65 57 69 6E 64 6F 77 00 00 02 01 47 65 ableWindow..Ge
004021D0 74 44 6C 67 49 74 65 6D 54 65 78 74 41 00 28 01 tDlgItemTextA.(
004021E0 47 65 74 4D 65 73 73 61 67 65 41 00 43 01 47 65 GetMessageA.CGe
004021F0 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 tSystemMetrics..
00402200 97 01 4C 6F 61 64 43 75 72 73 6F 72 41 00 9B 01 LoadCursorA.
00402210 4C 6F 61 64 49 63 6F 6E 41 00 BB 01 4D 65 73 73 LoadIconA.Mess
00402220 61 67 65 42 6F 78 41 00 DD 01 50 6F 73 74 51 75 ageBoxA.PostQu
00402230 69 74 4D 65 73 73 61 67 65 00 EF 01 52 65 67 69 itMessage.Regi
00402240 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 28 02 sterClassExA..(
00402250 53 65 74 44 6C 67 49 74 65 6D 54 65 78 74 41 00 SetDlgItemTextA.
00402260 56 02 53 65 74 57 69 6E 64 6F 77 50 6F 73 00 00 VSetWindowPos..
00402270 65 02 53 68 6F 77 57 69 6E 64 6F 77 00 00 7D 02 eShowWindow..}
00402280 54 72 61 6E 73 6C 61 74 65 4D 65 73 73 61 67 65 TranslateMessage
00402290 00 00 8B 02 55 70 64 61 74 65 57 69 6E 64 6F 77 ..UpdateWindow
004022A0 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 00 00 ..USER32.dll....


Let's take a line from the simple.txt file:


1 00002008 kernel32.dll 00B0 ExitProcess


So, this line says that the slot for this API is at RVA 00002008 (+ImageBase 00400000), so
let's look at 00402008; these are the bytes there:

FD 98 E7 77


Read in reverse (little-endian), 77E798FD is the start of the code of ExitProcess; check it
in Olly by searching through all module names (well, your numbers may be different because of
your version of Windows, but it will still point at ExitProcess). ExitProcess belongs to
kernel32.dll, as you can also see in Olly. The final value 00B0 is the same in every IAT txt
dump you make on your system, in every exe. Don't change it. It is just an ID, in case we
don't want to declare a name for the API. Just leave it as it appears in any exe IAT
dump.

OK. Assume now that you have the dump of an exe, you have the OEP, and you have manually
traced and found which API calls are made. But there is no valid IAT, and ImpRec
doesn't find any imports to validate. If there is no IAT at all, meaning that the whole
IAT area at 00402000 above is filled with 00s, then ImpRec gives you nothing to fix manually. So,
just assume you have the following code in the exe (it is target.exe in the zip):


00401000 > $ 6A 00 PUSH 0
00401002 . 68 04204000 PUSH dumped.00402004 ; ASCII "Hey man ;)"
00401007 . 68 0F204000 PUSH dumped.0040200F ; ASCII "Try to Run Me under Olly or See APIs using WinDasm"
0040100C . 6A 00 PUSH 0
0040100E . E8 0D000000 CALL dumped.00401020
00401013 . 6A 00 PUSH 0
00401015 . E8 00000000 CALL dumped.0040101A
0040101A FF25 4C304000 JMP DWORD PTR DS:[40304C]
00401020 FF25 54304000 JMP DWORD PTR DS:[403054]




Now, assume you know that the first call goes to MessageBoxA and the second to ExitProcess. You can
also see the section where the IAT should have been:


00403000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00403010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00403020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00403030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00403040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00403050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00403060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00403070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................


So, you have to create a txt file with the proper format and load it in ImpRec. You have
OEP=00001000 and IATRVA=00002000, and you can choose any size (big enough to fit the
new IAT, though). Also choose the RVAs of the API slots as you like. Generally, a good idea is to
just dump the IAT of a known exe to a txt with ImpRec, find the APIs you are interested
in fixing in the new exe, erase all the others, and fix the RVAs properly for the
section where the IAT is to be created. So, in our case, a good txt file is:


Target: C:\Documents and Settings\asd\Desktop\dumped.exe
OEP: 00001000 IATRVA: 00003000 IATSize: 00000070


FThunk: 0000304C NbFunc: 00000001
1 0000304C kernel32.dll 00B0 ExitProcess

FThunk: 00003054 NbFunc: 00000001
1 00003054 user32.dll 010E MessageBoxA
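As an added example (not code from the tutorial or from ImpRec), this Python script parses the tree format explained above and then regenerates the target.exe tree by the recipe just given: take the dump of a known exe, keep only the APIs you need, and move them to the RVAs the JMP thunks read ([40304C] and [403054]). The simple.txt excerpt is constructed from the lines shown on this page (a MessageBoxA line with hint 010E is added to the user32 block), and the paths, function names and the rule that each run of adjacent same-DLL slots becomes one FThunk block are my assumptions.

```python
import re
# Constructed excerpt of simple.txt (MessageBoxA line added, hint 010E as in the target tree)
SIMPLE_TXT = r"""Target: C:\Documents and Settings\asd\Desktop\simple.exe
OEP: 00001000 IATRVA: 00002000 IATSize: 00000058

FThunk: 00002000 NbFunc: 00000003
1 00002000 kernel32.dll 016F GetModuleHandleA
1 00002004 kernel32.dll 03A0 lstrcmp
1 00002008 kernel32.dll 00B0 ExitProcess

FThunk: 00002010 NbFunc: 00000002
1 00002010 user32.dll 0061 CreateWindowExA
1 00002014 user32.dll 010E MessageBoxA
"""
HDR = re.compile(r"OEP: ([0-9A-Fa-f]+) IATRVA: ([0-9A-Fa-f]+) IATSize: ([0-9A-Fa-f]+)")

def parse_tree(text):
    """Parse an ImpRec tree dump into (header dict, list of API entry dicts)."""
    header, entries = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("FThunk:"):
            continue  # FThunk/NbFunc are derived from the entry lines that follow
        if line.startswith("Target:"):
            header["target"] = line[7:].strip()
        elif line.startswith("OEP:"):
            header.update(zip(("oep", "iat_rva", "iat_size"), (int(v, 16) for v in HDR.match(line).groups())))
        else:  # "<valid> <slot RVA> <dll> <hint> <API name>"
            valid, rva, dll, hint, name = line.split()
            entries.append(dict(valid=int(valid), rva=int(rva, 16), dll=dll, hint=int(hint, 16), name=name))
    return header, entries

def build_tree(target, oep, iat_rva, iat_size, entries):
    """Emit a tree file; each run of adjacent slots of one DLL becomes an FThunk block."""
    out = [f"Target: {target}", f"OEP: {oep:08X} IATRVA: {iat_rva:08X} IATSize: {iat_size:08X}", ""]
    blocks = []
    for e in sorted(entries, key=lambda e: e["rva"]):
        prev = blocks[-1][-1] if blocks else None
        if prev and prev["dll"] == e["dll"] and prev["rva"] + 4 == e["rva"]:
            blocks[-1].append(e)
        else:
            blocks.append([e])  # DLL changed, or a gap (null terminator) between slots
    for block in blocks:
        out.append(f"FThunk: {block[0]['rva']:08X} NbFunc: {len(block):08X}")
        out += [f"{e['valid']} {e['rva']:08X} {e['dll']} {e['hint']:04X} {e['name']}" for e in block]
        out.append("")
    return "\n".join(out)

def build_target_tree():
    """target.exe: the JMP thunks read [40304C] and [403054] (ImageBase 00400000)."""
    _, known = parse_tree(SIMPLE_TXT)
    wanted = {"ExitProcess": 0x40304C - 0x400000, "MessageBoxA": 0x403054 - 0x400000}
    picked = [dict(e, rva=wanted[e["name"]]) for e in known if e["name"] in wanted]
    return build_tree(r"C:\Documents and Settings\asd\Desktop\dumped.exe", 0x1000, 0x3000, 0x70, picked)
```

Calling build_target_tree() yields exactly the txt shown above, ready for Load Tree; the hints (00B0, 010E) are carried over from the known dump instead of being typed by hand.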



Now, load it as a tree in ImpRec and fix the dump. Open the new fixed exe and see the new import
table that ImpRec created:


00405000 00 00 00 00 00 00 00 00 00 00 00 00 3C 50 00 00 ............<P..
00405010 4C 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 L0..............
00405020 58 50 00 00 54 30 00 00 00 00 00 00 00 00 00 00 XP..T0..........
00405030 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E ............kern
00405040 65 6C 33 32 2E 64 6C 6C 00 00 B0 00 45 78 69 74 el32.dll...Exit
00405050 50 72 6F 63 65 73 73 00 75 73 65 72 33 32 2E 64 Process.user32.d
00405060 6C 6C 00 00 0E 01 4D 65 73 73 61 67 65 42 6F 78 ll..MessageBox
00405070 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A...............



Although IATRVA was 00003000, the fixed exe has RVA=00005000, because we checked the
ImpRec option to create a new section for the IAT; don't mind that. It works just fine.

Keep in mind that the jumps in the code section, like the one at 0040101A, may also have been
erased by the packer, and you may have to either write them back as code after rebuilding
the IAT or create some way to emulate them, in any part of your code or in another section
you create.


Well, that was it. I will continue writing tutorials on MUPing, but rebuilding the
IAT is in any case done like this when the IAT is completely destroyed, so I won't
repeat this technique in every tutorial!


That's it.GreedinGz to my Thersa...



