Overeager imports reconstruction

[hasherezade]

Sample:

• ce9f47913b5d50a6f0cc5f1b6c730956cdcc851e731d30ee11c18376a16e95ee

Problem:

During the full import table reconstruction, PE-sieve finds imported functions by pattern search. By default it is done very aggressively, and every chunk that matches the address of exported function, is treated as Import. This is very prone to false-positives. It may happen coincidentally, that the code contains a DWORD that look exactly like the Import's address.

For example:

790000.exe.imports.txt

---
IAT at: 31cd, size: 4, thunks: 1, is_terminated: 0
---
31cd,74f685f0,shcore.SHCreateStreamOnFileW #45
---

This chunk (0x74f685f0):

Coincidentally matched the address of exported function:

31cd,74f685f0,shcore.SHCreateStreamOnFileW #45

and as the result, has been (mistakenly) included in the import table.

PE-sieve should allow to regulate the mode of reconstructing Import Table, and by default, skip single thunks.

[hasherezade]

After the changes, it is possible to specify how much aggressive the Import detection should be. In the lowest (restrictive) mode, only the terminated blocks will be included.

Results for aforementioned sample (restrictive mode):

In the second (middle) mode, unterminated blocks can be included too, if the contain more than 1 thunk.

Results for aforementioned sample (middle mode):

The most aggressive mode works just like the previous default mode - all the thunks are included.

Results for aforementioned sample (aggressive mode):