4.3. Import table reconstruction (imp)
@hasherezade edited this page Jun 25, 2019 · 16 revisions
PE-sieve offers two modes of Import Table recovery.
```
/imp <*imprec_mode>
    : Set in which mode the ImportTable should be recovered.
*imprec_mode:
    0 - none: do not recover imports (default)
    1 - try to autodetect the most suitable mode
    2 - recover erased parts of the partialy damaged ImportTable
    3 - build the ImportTable from the scratch, basing on the found IAT(s)
```
- The 'unerase' mode (enabled by `/imp 2`) works in cases where the Import Table exists but has been corrupted. PE-sieve can recover the erased parts.
- The 'rebuild' mode (enabled by `/imp 3`) rebuilds the Import Table from scratch and appends it at the end of the last section.
- The 'autodetect' mode (enabled by `/imp 1`) works in the following way:
  - If the PE has a valid Import Table, do nothing.
  - If the PE has a partially corrupt Import Table, try to recover it ('unerase').
  - If no Import Table was found, rebuild it from scratch ('rebuild').
If the parameter `/imp` is used without specifying a mode, mode 1 (autodetect) is used by default.
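The three branches of the autodetect mode, expressed as a small triage script. This is an added example and not PE-sieve's own code: it parses a PE image, walks its section table and `IMAGE_IMPORT_DESCRIPTOR` array, and classifies the Import Table as valid, partially corrupt or missing using a heuristic of my own (a zero or unmappable import directory counts as "missing"; a descriptor whose Name or FirstThunk RVA does not map into any section, or whose DLL name is not printable ASCII, counts as damage), then maps that state to the `/imp` mode named in the list above. PE-sieve's real detection logic is different and is not reproduced here. The helpers `build_pe` and `build_import_section` construct synthetic minimal PE32 files so the script runs offline; the function names `classify_import_table` and `recommend_imp_mode` and the constants are assumptions of this example.

```python
import struct

# Layout of the constructed test PE: one section, headers padded to 0x200.
SECTION_RVA, SECTION_RAW = 0x1000, 0x200
# /imp modes from the page: 0 none, 1 autodetect, 2 unerase, 3 rebuild.
MODE_FOR_STATE = {"valid": 0, "partial": 2, "none": 3}

def _rva_to_offset(data, rva):
    """Map an RVA to a file offset by walking the section table; None if unmapped."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    sec_table = e_lfanew + 24 + struct.unpack_from("<H", data, e_lfanew + 20)[0]
    for i in range(nsections):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, sec_table + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            off = rva - va + raw
            return off if off < len(data) else None
    return None

def _readable_dll_name(data, off, limit=256):
    """A DLL name is a non-empty, NUL-terminated run of printable ASCII."""
    chunk = data[off:off + limit]
    name = chunk.split(b"\0", 1)[0] if b"\0" in chunk else b""
    return bool(name) and all(0x20 <= c < 0x7F for c in name)

def classify_import_table(data):
    """Heuristic (mine, not PE-sieve's): 'valid', 'partial' or 'none'."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    if ndirs < 2:  # no IMAGE_DIRECTORY_ENTRY_IMPORT slot at all
        return "none"
    dir_rva, dir_size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + 8)
    off = _rva_to_offset(data, dir_rva) if dir_rva and dir_size else None
    if off is None:
        return "none"
    ok = broken = 0
    for i in range(256):  # bound the walk: a damaged table may lack its terminator
        d = off + i * 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)
        if d + 20 > len(data):
            broken += 1
            break
        oft, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, d)
        if oft == 0 and name_rva == 0 and first_thunk == 0:
            break  # all-zero terminator descriptor
        name_off = _rva_to_offset(data, name_rva) if name_rva else None
        thunk_off = _rva_to_offset(data, first_thunk) if first_thunk else None
        if name_off is None or thunk_off is None or not _readable_dll_name(data, name_off):
            broken += 1
        else:
            ok += 1
    if ok == 0 and broken == 0:
        return "none"  # the directory points at an empty table
    return "partial" if broken else "valid"

def recommend_imp_mode(data):
    """Map the classification to the /imp mode the autodetect branch would pick."""
    return MODE_FOR_STATE[classify_import_table(data)]

def build_import_section(dll_names, erase_name_of=None):
    """Constructed .idata body; erase_name_of zeroes one Name RVA (partial erasure)."""
    names_off = (len(dll_names) + 1) * 20
    name_blob, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(SECTION_RVA + names_off + len(name_blob))
        name_blob += name.encode("ascii") + b"\0"
    thunks_off = (names_off + len(name_blob) + 3) & ~3
    descs, thunks = b"", b""
    for i, name_rva in enumerate(name_rvas):
        first_thunk = SECTION_RVA + thunks_off + len(thunks)
        thunks += struct.pack("<II", 0x80000001, 0)  # import by ordinal 1, then terminator
        descs += struct.pack("<IIIII", 0, 0, 0, 0 if i == erase_name_of else name_rva, first_thunk)
    body = descs + b"\0" * 20 + name_blob  # trailing all-zero descriptor ends the table
    return body + b"\0" * (thunks_off - len(body)) + thunks

def build_pe(section_body, import_dir):
    """Constructed minimal PE32 with a single section; import_dir is (rva, size)."""
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0, 0, 0, SECTION_RVA, SECTION_RVA, SECTION_RVA,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, SECTION_RVA + 0x1000, SECTION_RAW, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", *(import_dir if i == 1 else (0, 0))) for i in range(16))
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt) + len(dirs), 0x102)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section_body), SECTION_RVA,
                          len(section_body), SECTION_RAW, 0, 0, 0, 0, 0xC0000040)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + dirs + sec_hdr
    return headers + b"\0" * (SECTION_RAW - len(headers)) + section_body

if __name__ == "__main__":
    dlls = ["KERNEL32.dll", "USER32.dll"]
    samples = {"intact": build_import_section(dlls), "erased": build_import_section(dlls, 0), "stripped": b""}
    for label, sec in samples.items():
        pe = build_pe(sec, (SECTION_RVA, 60) if sec else (0, 0))
        print(label, classify_import_table(pe), "-> /imp", recommend_imp_mode(pe))
```

Run on a real file with `classify_import_table(open(path, "rb").read())` it gives a quick hint of which branch autodetect is likely to take before you choose between `/imp 1`, `/imp 2` and `/imp 3`. It maps RVAs through the section table's raw pointers, so it expects a PE in on-disk layout; a dump that is still in virtual layout would need that mapping adjusted.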
The modes of the Import Table recovery have been demonstrated on the following videos:
- Unpacking UPX and reconstructing Import Table
- Unpacking ASPack and unerasing Import Table
- Unerasing Import Table in Emotet.
WARNING: If you want to reconstruct the import table of a 32-bit application, it is recommended to run it natively on a 32-bit system. If a 32-bit app runs under WoW64, some of the imported functions may be handled differently (called via a proxy DLL, shimmed, etc.), which may disrupt the Import Table reconstruction and leave the results incomplete or corrupt.