Small tool for recovering erased imports of a dumped PE file
Useful for recovering executables dumped from memory. Dedicated to cases where the imports have been destroyed after loading (an anti-dumping trick used by malware).
WARNING: This tool covers only cases where the names of the imported functions/DLLs have been erased. It does not rebuild the full import table.
imports_unerase.exe [PID] [dumped_file] [output_file*]
PID - (decimal) PID of the application from which the module was dumped
dumped_file - dumped module (in a Virtual format)
output_file* - name of the output file (default: out.bin)
* - optional
This is an unfinished/early beta version and it has some limitations, i.e.:
- works only for PE 32 bit
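
To check whether a dump is in the state this tool targets, the following added example (not part of the tool itself) walks the import descriptors of a 32-bit PE dump in Virtual format and reports, per descriptor, the DLL name and how many by-name function entries point at an empty name. It assumes erased names are overwritten with zero bytes; erased_imports and constructed_dump are hypothetical names, and the sample dump is constructed.

```python
import struct

def cstr(buf, off):
    """NUL-terminated ASCII string at offset off ('' if erased or out of range)."""
    end = buf.find(b"\0", off) if 0 < off < len(buf) else off
    return buf[off:end].decode("ascii", "replace") if end > off else ""

def erased_imports(dump):
    """Per import descriptor: (index, dll_name, number_of_erased_function_names).
    Assumes PE32 in virtual layout (RVA == offset) and names erased with zeros."""
    pe = struct.unpack_from("<I", dump, 0x3C)[0]
    opt = pe + 24                          # PE signature (4) + COFF header (20)
    if (dump[:2] != b"MZ" or dump[pe:pe + 4] != b"PE\0\0"
            or struct.unpack_from("<H", dump, opt)[0] != 0x10B):
        raise ValueError("not a 32-bit PE image")
    desc = struct.unpack_from("<I", dump, opt + 104)[0]   # import directory RVA
    report = []
    while desc and desc + 20 <= len(dump):
        oft, _, _, name, ft = struct.unpack_from("<5I", dump, desc)
        if not (oft or name or ft):        # all-zero descriptor ends the table
            break
        # Walk OriginalFirstThunk only: FirstThunk holds resolved addresses in memory.
        thunk, erased = oft, 0
        while thunk and thunk + 4 <= len(dump):
            val = struct.unpack_from("<I", dump, thunk)[0]
            if val == 0:
                break
            # By-name entry: RVA of IMAGE_IMPORT_BY_NAME (2-byte hint, then name).
            if not val & 0x80000000 and val + 2 < len(dump) and dump[val + 2] == 0:
                erased += 1
            thunk += 4
        report.append((len(report), cstr(dump, name), erased))
        desc += 20
    return report

def constructed_dump():
    """Constructed sample: second DLL name and two function names are zeroed."""
    b = bytearray(0x200)
    b[0:2] = b"MZ"
    struct.pack_into("<I", b, 0x3C, 0x40)              # e_lfanew
    b[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", b, 0x58, 0x10B)             # PE32 optional header magic
    struct.pack_into("<I", b, 0x58 + 104, 0x100)       # import directory RVA
    # Two descriptors (OFT, time, fwd, Name, FT); a zero terminator follows at 0x128.
    struct.pack_into("<10I", b, 0x100, 0x140, 0, 0, 0x180, 0x160,
                     0x150, 0, 0, 0x190, 0x170)
    # Lookup tables at 0x140 and 0x150; 0x80000001 is an import by ordinal.
    struct.pack_into("<7I", b, 0x140, 0x1A0, 0x1B0, 0, 0, 0x1C0, 0x80000001, 0)
    b[0x180:0x18C] = b"kernel32.dll"
    b[0x1A2:0x1A7] = b"Sleep"
    return bytes(b)
```

An empty DLL name or a non-zero erased count means the dump has lost import names and is a candidate for imports_unerase.exe.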