From Collaborative RCE Tool Library


IAT Restore Tools


Tool name: Universal Import Fixer
Rating: 5.0 (1 vote)
Author: Magic_h2001
Website: http://magic.shabgard.org
Current version: 1.2
Last updated: December 31, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: Use this tool to fix Import Elimination, Direct Imports, Shuffled/Disordered/Scattered Imports and Hashed Imports.

It can also be used to change the IAT base address: the scattered IAT entries are collected, sorted and written as a new contiguous IAT at another address, and the code references are repointed to it.

Tested on:

Armadillo
ASProtect
Enigma
ExeCryptor
eXPressor
PeSpin
RlPack
TheMida
WinLicense
HyperUnpackMe

and any other protector that uses Import Elimination, Direct Imports or Hashed Imports.

A Flash tutorial for unpacking eXPressor with Universal Import Fixer is included in the local download package.

Notes:
======
This tool is an import fixer (not an import rebuilder such as ImpREC) and works only on the memory of the target process.

Always run UIF first, then dump the target process.

UIF can only fix references that already point at the real API addresses. Do not use it on emulated/redirected APIs that point into the protector's stub: first fix the IAT "magic jump" (or use any other method) so that the emulated/redirected APIs are converted back into the actual APIs, then run UIF.

Samples:

Armadillo : Import Elimination
ASProtect : Direct Imports
Enigma : Shuffled, Disordered, Scattered Imports
ExeCryptor : Scattered Imports in Protector Stub
eXPressor : Direct Imports
PeSpin : Direct, Shuffled, Disordered, Scattered Imports
RlPack : Shuffled, Disordered, Scattered Imports
TheMida : Direct Imports
WinLicense : Direct Imports
Also listed in: (Not listed in any other category)
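The following is an added illustration, written in Python for this page and not UIF's own code, of the in-memory step described above for Shuffled/Disordered/Scattered Imports: scan a 32-bit image for CALL/JMP DWORD PTR [abs32] instructions (FF 15 / FF 25) whose target slot holds a known API address, collect those scattered slots, write them as one sorted, null-separated IAT at a chosen new base address, and repoint every instruction at its new slot. The image bytes, the image base and the export map are constructed for the example; a real fixer reads the target process and builds the export map by walking the export tables of its loaded modules. The scanner deliberately accepts an instruction whose 4-byte operand ends on the last byte of the region, which is the edge case fixed in the ImpREC 1.7e changelog further down this page.

```python
import struct

# Constructed sample image and export map (hypothetical values for this example).
IMAGE_BASE = 0x00400000

# API address -> (dll, export name). A real fixer builds this map by walking the
# export tables of every module loaded in the target process.
EXPORTS = {
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
    0x7C80AE30: ("kernel32.dll", "GetProcAddress"),
    0x7C81CAA2: ("kernel32.dll", "ExitProcess"),
    0x77D507EA: ("user32.dll", "MessageBoxA"),
}


def build_image():
    """Build a 0x300-byte 32-bit image whose code reaches its APIs through
    slots scattered across the image in no particular order (constructed)."""
    img = bytearray(0x300)
    slots = {0x2F0: 0x77D507EA, 0x120: 0x7C80AE30, 0x1A4: 0x7C801D7B, 0x2C8: 0x7C81CAA2}
    for rva, api in slots.items():
        struct.pack_into("<I", img, rva, api)
    code = b"".join([
        b"\xFF\x15" + struct.pack("<I", IMAGE_BASE + 0x1A4),   # call [LoadLibraryA]
        b"\x90",                                               # nop
        b"\xFF\x15" + struct.pack("<I", IMAGE_BASE + 0x120),   # call [GetProcAddress]
        b"\xFF\x15" + struct.pack("<I", IMAGE_BASE + 0x2F0),   # call [MessageBoxA]
    ])
    img[0x10:0x10 + len(code)] = code
    # An indirect jump whose disp32 ends on the very last byte of the region.
    img[-6:] = b"\xFF\x25" + struct.pack("<I", IMAGE_BASE + 0x2C8)  # jmp [ExitProcess]
    return bytes(img)


def find_iat_references(img, image_base):
    """Find CALL/JMP DWORD PTR [abs32] (FF 15 / FF 25) whose target slot holds a
    known API address. Returns [(insn_rva, slot_rva, api_addr), ...]."""
    refs = []
    i = 0
    while i + 6 <= len(img):          # '<=' so an instruction ending at the last byte is seen
        if img[i] == 0xFF and img[i + 1] in (0x15, 0x25):
            slot_rva = struct.unpack_from("<I", img, i + 2)[0] - image_base
            if 0 <= slot_rva <= len(img) - 4:
                api = struct.unpack_from("<I", img, slot_rva)[0]
                if api in EXPORTS:
                    refs.append((i, slot_rva, api))
                    i += 6
                    continue
        i += 1
    return refs


def relocate_iat(img, image_base, new_iat_rva):
    """Collect the scattered slots, sort them by DLL and API name, write them as
    one contiguous IAT (DLL groups separated by a null dword) at new_iat_rva,
    and repoint every CALL/JMP at its new slot.
    Returns (patched_image, {api_addr: new_slot_rva}, new_iat_size)."""
    refs = find_iat_references(img, image_base)
    apis = sorted({api for _, _, api in refs}, key=lambda a: EXPORTS[a])
    dlls = {EXPORTS[a][0] for a in apis}
    needed = 4 * (len(apis) + len(dlls))           # one terminator per DLL group
    # The new IAT must land in unused space; this sample keeps that region zeroed.
    assert not any(img[new_iat_rva:new_iat_rva + needed]), "new IAT region is not free"
    out = bytearray(img)
    new_slot, rva, prev_dll = {}, new_iat_rva, None
    for api in apis:
        dll = EXPORTS[api][0]
        if prev_dll is not None and dll != prev_dll:
            struct.pack_into("<I", out, rva, 0)    # terminate the previous DLL group
            rva += 4
        struct.pack_into("<I", out, rva, api)
        new_slot[api] = rva
        rva += 4
        prev_dll = dll
    struct.pack_into("<I", out, rva, 0)            # terminate the last group
    rva += 4
    for insn_rva, _, api in refs:
        struct.pack_into("<I", out, insn_rva + 2, image_base + new_slot[api])
    return bytes(out), new_slot, rva - new_iat_rva


if __name__ == "__main__":
    patched, layout, size = relocate_iat(build_image(), IMAGE_BASE, 0x200)
    for api, rva in sorted(layout.items(), key=lambda kv: kv[1]):
        print(f"{IMAGE_BASE + rva:08X}  {EXPORTS[api][0]:<13} {EXPORTS[api][1]}")
    print(f"new IAT at RVA {0x200:X}, size {size:#x}")
```

After relocate_iat the new IAT spans new_iat_rva to the final terminator; that RVA and size are what you hand to an import rebuilder such as ImpREC or Scylla once the process has been dumped, which is why the fix must happen before the dump.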



Tool name: ImpREC
Rating: 4.0 (3 votes)
Author: MackT
Website: http://www.tuts4you.com/forum/index.php?showtopic=6410
Current version: Official version 1.6 - Unofficial version with misc. fixes 1.7e
Last updated: October 1, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: The world's most famous IAT rebuilder tool.

NOTE:
The last official version from MackT is still 1.6. The 1.7 series is a third-party patched build of 1.6 containing the following changes:

- RestoreLastError API call changed to SetLastError for Windows XP/Vista compatibility (MaRKuS_TH-DJM)
- user32.dll is always read from the system, which prevents a crash caused by a corrupted user32.dll PE image (MaRKuS_TH-DJM)
- Latest version of psapi.dll (6.0.6000.16386) included
- Fixed Vista x64 crash bug (jstorme)
- GUI modified and improved (based on Fly's modification)
- Updated/corrected plugins and deleted duplicates

1.7a added the following fixes:

- Misc
- Fixed Win2K crash; AllocConsole was replaced with ActivateActCtx (jstorme)

The local download here contains the last unofficial patch, 1.7e. It also contains a large collection of plugins, together with the source code for many of them (in all the well-known programming languages, which makes them useful as templates for new plugins).

Changes in Version 1.7b:

- Misc
- Fixed invalid API bug in user32.dll on Windows 98 (jstorme)
- Modified code to improve support for discardable/unreadable sections (jstorme)
- Fixed ImageBase problem with DLLs when "Use PE Header from Disk" is checked (jstorme)
- Added an "ImpREC Classic" looking version

Changes in 1.7c:

- Fixed bug introduced in 1.7b when DLLs have discardable sections (jstorme)

Changes in 1.7d:

- Misc
- Fixed a bug introduced in 1.7b that broke the IAT AutoSearch feature on some packed targets, such as eXPressor 1.8 (Newbie_Cracker).
- Fixed a crash introduced in 1.7b when a DLL's PE header has the "No Access" flag (Newbie_Cracker).


Changes in 1.7e:

- Misc
- Fixed a bug that prevented ImpREC from fixing a JMP DWORD [...] located at the very end of the code section (Newbie_Cracker)
  (Thanks to Nexus6 for reporting the bug and providing samples)
Also listed in: Process Dumpers



Tool name: ACProtect 2.0 OEP Finder + IAT Repair OllyScript
Rating: 0.0 (0 votes)
Author: ColdFever
Website: N/A
Current version:
Last updated: February 10, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: ACProtect 2.0 OEP Finder + IAT Repair
Also listed in: OEP Finders, OllyScript Scripts



Tool name: CHimpREC
Rating: 0.0 (0 votes)
Author: Sébastien Doucet (TiGa)
Website: http://www.iitac.org
Current version: ReCon Edition
Last updated: June 23rd, 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam
IITAC (http://www.iitac.org)

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

This is the same version that was used at the conference.
The first official release will come soon.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

The Visual Studio 2005 SP1 redistributable package might be necessary too:
x86:
http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
x64:
http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en
Also listed in: Dump Fixers, Import Editors, Process Dumpers, Unpacking Tools



Tool name: imp64
Rating: 0.0 (0 votes)
Author: deroko
Website: http://deroko.phearless.org/imp64.rar
Current version:
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Here is a tool to fix imports on x64 targets (and to dump them as well). This tool was done almost a year ago. The GUI really sucks as I'm not very experienced with GUI programming. However, the import-fixing code should do just fine, as it uses the 1 API = 1 IID technique which I described in one of my blog entries. The good thing is that the import scanning/fixing code can be extracted from the source without a problem, as it is held in separate files.

Hope that someone will find this tool useful, or at least the source code.
Also listed in: (Not listed in any other category)
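The "1 API = 1 IID" layout mentioned in the imp64 description above, as an added Python example written for this page (not imp64's code): the loader resolves each descriptor's ILT entries in order and writes the addresses to FirstThunk[0], FirstThunk[1], ... contiguously, so IAT slots that are not adjacent cannot share one IMAGE_IMPORT_DESCRIPTOR. Giving every resolved slot its own descriptor, with FirstThunk pointing at that slot and a one-entry ILT, lets the loader patch each slot wherever it lies; this is also what an import rebuilder writes into the new section of a dump before pointing the import data directory at it. The thunk list, RVAs and names are constructed for the example; both 32- and 64-bit thunk widths are covered via is64, and only by-name imports are emitted.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IID_FMT = "<IIIII"
IID_SIZE = struct.calcsize(IID_FMT)

# Constructed sample: resolved slots scattered across an image, in no order.
SAMPLE_THUNKS = [
    (0x2C8, "kernel32.dll", "ExitProcess"),
    (0x120, "kernel32.dll", "GetProcAddress"),
    (0x2F0, "user32.dll", "MessageBoxA"),
]


def build_import_directory(thunks, dir_rva, is64=False):
    """Emit an import directory for resolved IAT slots that need not be
    contiguous: one descriptor per API, whose FirstThunk is that slot's RVA and
    whose ILT holds a single hint/name entry plus terminator.
    thunks: [(thunk_rva, dll_name, api_name), ...] in any order.
    Returns the bytes to be placed at dir_rva (by-name imports only)."""
    ptr = "<Q" if is64 else "<I"
    psz = struct.calcsize(ptr)
    n = len(thunks)
    desc_size = (n + 1) * IID_SIZE                # plus the all-zero terminator
    ilt_base = dir_rva + desc_size
    str_base = ilt_base + n * 2 * psz             # each ILT: one entry + null
    strings, str_off = bytearray(), {}

    def add_string(s, hint=None):
        """Append an IMAGE_IMPORT_BY_NAME (hint given) or a plain DLL name once."""
        key = (s, hint)
        if key not in str_off:
            str_off[key] = len(strings)
            if hint is not None:
                strings.extend(struct.pack("<H", hint))
            strings.extend(s.encode("ascii") + b"\x00")
            if len(strings) % 2:                  # keep the next entry word-aligned
                strings.append(0)
        return str_off[key]

    descs, ilts = bytearray(), bytearray()
    for i, (thunk_rva, dll, api) in enumerate(thunks):
        name_rva = str_base + add_string(api, hint=0)   # hint 0: loader resolves by name
        dll_rva = str_base + add_string(dll)
        ilt_rva = ilt_base + i * 2 * psz
        ilts += struct.pack(ptr, name_rva) + struct.pack(ptr, 0)
        descs += struct.pack(IID_FMT, ilt_rva, 0, 0, dll_rva, thunk_rva)
    descs += struct.pack(IID_FMT, 0, 0, 0, 0, 0)
    return bytes(descs + ilts + strings)


def parse_import_directory(blob, dir_rva, is64=False):
    """Walk the directory back the way the loader does, returning
    [(thunk_rva, dll_name, api_name), ...] in descriptor order."""
    ptr = "<Q" if is64 else "<I"
    psz = struct.calcsize(ptr)

    def cstr(rva):
        start = rva - dir_rva
        return blob[start:blob.index(b"\x00", start)].decode("ascii")

    out, off = [], 0
    while True:
        oft, _, _, name, ft = struct.unpack_from(IID_FMT, blob, off)
        if name == 0 and ft == 0:
            break
        dll, k = cstr(name), 0
        while True:
            entry = struct.unpack_from(ptr, blob, oft - dir_rva + k * psz)[0]
            if entry == 0:
                break
            out.append((ft + k * psz, dll, cstr(entry + 2)))   # skip the 2-byte hint
            k += 1
        off += IID_SIZE
    return out


if __name__ == "__main__":
    blob = build_import_directory(SAMPLE_THUNKS, 0x3000)
    for thunk_rva, dll, api in parse_import_directory(blob, 0x3000):
        print(f"FirstThunk RVA {thunk_rva:05X}  {dll:<13} {api}")
```

The cost of this layout is one descriptor (20 bytes) and a two-entry ILT per API instead of per DLL, which is irrelevant for a dump; the benefit is that no slot ever has to be moved, so the code that references the scattered slots is left untouched.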



Tool name: Scylla
Rating: 0.0 (0 votes)
Author: Aguila
Website: http://forum.tuts4you.com/forum/132-scylla-imports-reconstruction/
Current version: 0.5
Last updated: October 17, 2011
Direct D/L link: N/A
License type: GNU GPL v3
Description: Scylla is a Windows Import Table Reconstructor. It aims to be a replacement for ImpRec, keeping the best features and removing most of its limitations.

Key features:

- x64 and x86 support
- full unicode support
- written in C/C++
- plugin support, legacy support for ImpRec plugins
- process dumper, PE rebuilder
- dll injection
- works great with Windows 7
- open source

Current limitations:

- no autotrace
Also listed in: Dump Fixers, Process Dumpers

