4.3. Import table reconstruction (imp)

Option: `/imp`

PE-sieve offers two modes of Import Table recovery.

/imp <*imprec_mode>
	: Set in which mode the ImportTable should be recovered.
*imprec_mode:
	0 - none: do not recover imports (default)
	1 - try to autodetect the most suitable mode
	2 - recover erased parts of the partialy damaged ImportTable
	3 - build the ImportTable from the scratch, basing on the found IAT(s)

The 'unerase' mode (enabled by /imp 2) works in the cases if the Import Table exist, but it has been corrupt. PE-sieve can recover the erased parts.
The 'rebuild' mode (enabled by /imp 3) rebuilds the Import Table from the scratch, and append it at the end of the last section.
The 'autodetect' mode (enabled by /imp 1) works in the following way:
- If the PE has a valid Import Table, do nothing.
- If the PE has a partially corrupt Import Table, try to recover it ('unerase')
- If no Import Table was found, rebuild it from the scratch ('rebuild')

If we use a parameter /imp (without defining a mode), the mode 1 will be used by default. The modes of the Import Table recovery have been demonstrated on the following videos:

PE-sieve Wiki, by hasherezade

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

4.3. Import table reconstruction (imp)

Option: `/imp`

Clone this wiki locally

4.3. Import table reconstruction (imp)

Option: /imp

Clone this wiki locally

Option: `/imp`