Improve recognizing when to rebuild import table from scratch #89

hasherezade · 2021-09-03T15:20:19Z

Example:

Project1.vmp.exe
This crackme is packed with VMProtect, and a new Import Table is loaded during the execution.

PE-sieve run with option /imp 1 (autodetect) reports that the import table is fine, and does not need the reconstruction:

However, seeing the report with imports (400000.Project1.vmp.exe.imports.txt) we can see that there are additional IATs. Such condition should be a trigger to rebuild the whole table.

The text was updated successfully, but these errors were encountered:

hasherezade · 2021-09-03T17:57:12Z

Result - if run in /imp 1 mode, detection of additional IATs cause Import Table recreation :

…ssue #89)

…bigger than the default (Issue #89)

…(Issue #89)

hasherezade added a commit that referenced this issue Sep 3, 2021

[FEATURE] If new IATs detected, recreate full table (Issue #89)

15b446b

hasherezade closed this as completed Sep 3, 2021

hasherezade added a commit that referenced this issue Sep 4, 2021

[BUGFIX] Treat as a new IAT only those that have more than 1 thunk (I…

7ccc63a

…ssue #89)

hasherezade added a commit that referenced this issue Sep 5, 2021

[FEATURE] Recreate import table on autodetect only if a new table is …

27f346e

…bigger than the default (Issue #89)

hasherezade added a commit that referenced this issue Sep 10, 2021

[BUGFIX] In imprec auto mode: do not recover imports of .NET modules …

fe11969

…(Issue #89)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve recognizing when to rebuild import table from scratch #89

Improve recognizing when to rebuild import table from scratch #89

hasherezade commented Sep 3, 2021

hasherezade commented Sep 3, 2021

Improve recognizing when to rebuild import table from scratch #89

Improve recognizing when to rebuild import table from scratch #89

Comments

hasherezade commented Sep 3, 2021

hasherezade commented Sep 3, 2021