-
Notifications
You must be signed in to change notification settings - Fork 420
4.3. Import table reconstruction (imp)
The listing of identified imports is provided by PE-sieve in form of a file with .imports.txt extension. Example of such file available here. The listing can be imported into IDA with the help of IFL plugin.
PE-sieve offers multiple modes of Import Table recovery.
imp <*imprec_mode>
: Set in which mode the ImportTable should be recovered
*imprec_mode:
0 (N) - none: do not recover imports (default)
1 (A) - try to autodetect the most suitable mode
2 (U) - unerase the erased parts of the partialy damaged ImportTable
3 (R0) - build the ImportTable from scratch, basing on the found IATs:
use only terminated blocks (restrictive mode)
4 (R1) - build the ImportTable from scratch, basing on the found IATs:
use terminated blocks, or blocks with more than 1 thunk
5 (R2) - build the ImportTable from scratch, basing on the found IATs:
use all found blocks (aggressive mode)
The 'unerase' mode (enabled by /imp U) works in the cases if the Import Table exist, but it has been corrupt. PE-sieve can recover the erased parts.
The 'rebuild' mode (enabled by /imp R0 to R2) rebuilds the Import Table from scratch, and appends it at the end of the last section.
The difference between particular variants of this mode lie in how much restrictive they are towards which of the found blocks of imports should be included in the new Import Table. The last one is the most permissive, but also prone to false positives.
The 'autodetect' mode (enabled by /imp A) works in the following way:
- If the PE has a valid Import Table, do nothing.
- If the PE has a partially corrupt Import Table, try to recover it ('unerase')
- If no Import Table was found, or additional, dynamically loaded IATs were detected, rebuild the full table from scratch ('rebuild')
The modes of the Import Table recovery have been demonstrated on the following videos: