PDA

View Full Version : Finessing Import REConstructor


REBlog
October 19th, 2007, 20:55
Most malware these days is obfuscated with "packers." These packers take an executable file as input and will often do a combination of compressing, encrypting, and obfuscating it. The packer produces as output an executable containing an unpacking stub along with the packed input file. Often times the unpacker stub will contain anti-debugging and anti-disassembling code.

One of the most common things that packers do is destroy the Import Table (IT) of the original executable and then have the unpacker stub build the Import Address Table (IAT) at runtime. Thus, after dumping the memory of a packed process, a disassembler can't interpret the imported functions being used in the dumped image. This problem can be solved with tools such as Import REConstructor ("http://wave.prohosting.com/mackt/projects.htm") (also known as ImpREC), which rebuilds the IT based on the IAT. From my experience, Import REConstructor works about 90% of the time. However, sometimes it takes a little finessing.

I was looking at a malware sample earlier today that was packed with an uncommon packer. It was simple enough to trace through the unpacker stub to reach the Original Entry Point (OEP) of the target and then dump it. However, after opening the process with Import REConstructor, plugging in the OEP, and pressing "IAT AutoSearch" and "Get Imports," I saw the following:


http://malwareanalysis.com/CommunityServer/blogs/geffner/2005_07_26_1.jpg

Figure 1. Import REConstructor only found imports from kernel32.dll.


It's extremely unlikely that this piece of malware only imports functions from kernel32.dll.

Import REConstructor's IAT AutoSearch seemed to believe that the Relative Virtual Address (RVA) of the IAT was at 0x0020D890, and was only 0x000002C8 bytes long (which means it ends at RVA 0x0020DB58) . Let's take a look at that RVA in memory with a debugger:

Code:
0060D890 00 00 00 00 52 70 82 7C 2F FE 80 7C 47 2D 82 7C
0060D8A0 77 9B 80 7C 9F 0F 81 7C 24 1A 80 7C CF C6 80 7C
0060D8B0 2D FF 80 7C 65 A0 80 7C F1 BA 80 7C B1 C7 80 7C
0060D8C0 4D 11 86 7C B9 8F 83 7C 63 4C 81 7C 42 24 80 7C
0060D8D0 53 00 83 7C 57 B3 80 7C 66 AA 80 7C 4E 99 80 7C
0060D8E0 28 AC 80 7C 77 1D 80 7C B7 2B 82 7C 54 2A 82 7C
0060D8F0 00 3C 86 7C 8D 3A 86 7C B7 47 86 7C 16 1E 80 7C
0060D900 79 E0 81 7C 5C E8 81 7C BE 3E 82 7C FC B7 80 7C
0060D910 8D B7 80 7C 6C 94 80 7C 37 97 80 7C 19 99 80 7C
0060D920 29 B9 80 7C 79 EE 81 7C 9A E1 81 7C 19 01 81 7C
0060D930 30 25 80 7C 28 9C 80 7C 10 8F 83 7C BD E4 81 7C
0060D940 E0 C6 80 7C 82 D5 82 7C 82 00 81 7C 31 03 91 7C
0060D950 40 03 91 7C 67 CC 80 7C 26 CC 80 7C 2A E9 81 7C
0060D960 7B 97 80 7C 94 97 80 7C C7 A0 80 7C AD 9C 80 7C
0060D970 11 03 81 7C 29 C7 80 7C 5D 99 80 7C BD 99 80 7C
0060D980 62 5F 82 7C 29 B5 80 7C 94 30 82 7C 39 30 82 7C
0060D990 73 B0 85 7C F4 97 80 7C D7 EF 80 7C 59 35 81 7C
0060D9A0 19 90 83 7C A1 9F 80 7C 0F 2B 81 7C 8A 18 91 7C
0060D9B0 36 8F 83 7C 53 34 81 7C ED 10 90 7C C9 25 81 7C
0060D9C0 05 10 90 7C F5 9B 80 7C B1 E2 81 7C 50 97 80 7C
0060D9D0 F0 78 82 7C A1 97 83 7C 96 29 81 7C CD A5 80 7C
0060D9E0 4C F0 81 7C 29 9F 80 7C B3 9E 80 7C EC E9 80 7C
0060D9F0 66 EA 80 7C D0 1A 80 7C 37 3F 82 7C 05 A4 80 7C
0060DA00 5C 9B 85 7C 16 E0 80 7C 0D E0 80 7C 0E 18 80 7C
0060DA10 A6 0D 81 7C 58 CD 80 7C 92 FE 81 7C DD FD 81 7C
0060DA20 50 F8 81 7C 94 22 82 7C AB 14 81 7C 7C 36 81 7C
0060DA30 7F 5D 87 7C 87 1F 82 7C 4C 17 81 7C 8F 0C 81 7C
0060DA40 E2 F8 81 7C EA 95 83 7C 34 0D 81 7C 55 F9 81 7C
0060DA50 44 FB 81 7C FE 40 83 7C 4C 9C 80 7C E6 2B 81 7C
0060DA60 2A E8 81 7C 97 AA 80 7C DF 06 86 7C 73 73 82 7C
0060DA70 39 9A 80 7C AC 92 80 7C 8D 2B 81 7C C4 C8 80 7C
0060DA80 3F EB 80 7C A7 24 80 7C 6E 9C 80 7C 66 91 83 7C
0060DA90 EC B8 80 7C 40 7A 93 7C 9B E7 85 7C A2 CA 81 7C
0060DAA0 EE 1E 80 7C 8D 2C 81 7C 2F 08 81 7C A9 CC 80 7C
0060DAB0 E1 EA 81 7C 56 99 85 7C A9 2C 81 7C 43 99 80 7C
0060DAC0 AE 94 83 7C 6B 17 80 7C C1 C9 80 7C CB D8 81 7C
0060DAD0 69 10 81 7C D8 0A 86 7C D4 05 91 7C FD 79 91 7C
0060DAE0 3D 04 91 7C 10 11 81 7C 29 29 81 7C 14 9B 80 7C
0060DAF0 81 9A 80 7C CF C6 80 7C 8A 2B 86 7C 3F DC 81 7C
0060DB00 5F 48 81 7C 23 CC 81 7C 78 2C 81 7C 2B 2E 83 7C
0060DB10 C4 CE 80 7C 93 D2 80 7C 4E A3 80 7C 86 03 81 7C
0060DB20 B9 8C 83 7C 80 A4 80 7C FB 2C 82 7C 5B B2 81 7C
0060DB30 57 BB 80 7C 53 C1 81 7C E3 12 81 7C 7E D4 80 7C
0060DB40 ED 70 83 7C C0 9F 80 7C 51 28 81 7C A9 26 82 7C
0060DB50 72 17 81 7C
00 00 00 00 00 00 00 00 00 00 00 00
0060DB60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DB70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DB80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DB90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DBA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DBB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DBC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DBD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DBE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DBF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DC00 00 00 00 00 00 00 00 00 00 00 00 00 C8 25 16 77
0060DC10 50 48 12 77 59 4B 12 77 C0 48 12 77 ED D1 14 77
0060DC20 95 D2 14 77 D9 66 12 77 9D C9 14 77 C2 4B 12 77
0060DC30 3F 50 12 77 10 50 12 77 4F 50 12 77 9B 50 12 77
0060DC40 98 D4 14 77 82 4E 12 77 DB C5 14 77 E9 C2 14 77
0060DC50 55 4C 12 77 A8 4C 12 77 A3 37 16 77 1F DA 16 77
0060DC60 74 8D 14 77 15 42 13 77 74 C2 14 77 0E 99 16 77
0060DC70 27 C4 14 77 A4 C3 14 77 CD C4 14 77 A0 4D 12 77
0060DC80 CD 4D 12 77 9A 4E 12 77 56 0E 14 77 A5 B5 12 77
0060DC90 B9 53 16 77 3B 4C 12 77 2D A6 12 77 00 00 00 00
0060DCA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DCB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DCC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DCD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DCE0 00 00 00 00 C7 1F DD 5E 00 00 00 00 00 00 00 00
0060DCF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DD00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DD10 00 00 00 00 E4 36 A0 7C B3 3F A7 7C A2 3F A7 7C
0060DD20 37 A2 A3 7C 77 FD A6 7C 00 00 00 00 00 00 00 00
0060DD30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DD40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060DD50 00 00 00 00 00 00 00 00 D7 B5 D4 77 3E 4E D6 77
0060DD60 92 C5 D4 77 0B 05 D8 77 D4 C4 D4 77 A8 C6 D4 77
0060DD70 EB ED D6 77 C6 F3 D6 77 D0 F7 D6 77 98 C2 D4 77
0060DD80 AE E2 D4 77 62 DB D4 77 DE A2 D4 77 75 8F D4 77
0060DD90 C5 B4 D4 77 97 86 D4 77 F9 8F D4 77 6D 86 D4 77
0060DDA0 64 C0 D4 77 EC BC D4 77 3B CE D4 77 9D B4 D4 77
0060DDB0 9F 01 D5 77 DA CE D4 77 8E BD D4 77 BF 5E D8 77
0060DDC0 ED CD D4 77 6D 29 D6 77 41 A0 D4 77 8E BC D4 77
0060DDD0 00 8E D4 77 CE E8 D4 77 03 8D D4 77 D3 02 D7 77
0060DDE0 69 69 D8 77 40 EC D6 77 DC 5C D8 77 CE E8 D4 77
0060DDF0 8C 5E D8 77 51 D0 D4 77 45 03 D7 77 98 EC D6 77
0060DE00 BF B5 D8 77 D5 B6 D8 77 A1 E3 D4 77 23 FE D4 77
0060DE10 0D F5 D6 77 58 8A D4 77 A4 C9 D4 77 9A 4F D9 77
0060DE20 F7 4E D9 77 5E CA D9 77 A3 1B D5 77 A3 F7 D7 77
0060DE30 4D 72 D6 77 2B EF D7 77 9A 4F D6 77 5A 35 D5 77
0060DE40 EC 38 D5 77 6E EF D7 77 9F 74 D6 77 E8 EE D7 77
0060DE50 5B 37 D5 77 9E 71 D6 77 EB 70 D6 77 3C FC D4 77
0060DE60 1B 71 D5 77 6C 71 D5 77 7B E8 D4 77 A1 54 D6 77
0060DE70 38 71 D6 77 3F 36 D5 77 86 B0 D4 77 DD 57 D8 77
0060DE80 99 A2 D8 77 61 5D D6 77 23 F6 D4 77 20 24 D6 77
0060DE90 07 F8 D4 77 20 EE D7 77 EF 01 D6 77 7C 94 D4 77
0060DEA0 FE F5 D4 77 C5 D3 D4 77 27 CE D4 77 57 D7 D4 77
0060DEB0 83 8E D4 77 72 7C D6 77 FD C0 D4 77 4D C6 D4 77
0060DEC0 50 D4 D4 77 6E B4 D4 77 31 C5 D4 77 76 C6 D4 77
0060DED0 DE D4 D4 77 79 C3 D4 77 5A DC D4 77 98 5C D6 77
0060DEE0 A9 F8 D6 77 15 03 D7 77 D5 60 D6 77 03 B8 D8 77
0060DEF0 06 AC D9 77 85 B8 D8 77 DB B9 D8 77 A8 89 D5 77
0060DF00 2F 15 D6 77 50 8E D4 77 DC E5 D4 77 A2 20 D5 77
0060DF10 D1 BD D4 77 13 CE D4 77 CB CD D4 77 3D C0 D4 77
0060DF20 9F CD D4 77 38 04 D5 77 2F 3A D5 77 2C 90 D4 77
0060DF30 CF 50 D6 77 4A 4D D6 77 16 23 D5 77 16 4F D9 77
0060DF40 EA FB D6 77 AB EE D7 77 2E F8 D6 77 6B DF D4 77
0060DF50 32 E0 D4 77 5C C3 D4 77 0B 19 D5 77 9A E4 D4 77
0060DF60 FA ED D4 77 9F F2 D6 77 3C EE D4 77 4B E3 D4 77
0060DF70 A2 EE D4 77 10 C2 D4 77 E4 C6 D4 77 D3 DE D4 77
0060DF80 4F F8 D5 77 38 E4 D6 77 9D 75 D5 77 16 C4 D4 77
0060DF90 BC C6 D4 77 BD BC D4 77 CE 8B D4 77 45 EA D6 77
0060DFA0 40 C6 D4 77 D2 F7 D7 77 A8 67 D5 77 19 00 D8 77
0060DFB0 00 8E D4 77 D9 B4 D4 77 E7 B3 D4 77 54 05 D5 77
0060DFC0 14 EB D4 77 F2 EC D6 77 9B AD D4 77 C0 5D D8 77
0060DFD0 58 5C D8 77 AE 21 D5 77 FA E8 D4 77 B0 EB D6 77
0060DFE0 BB F6 D4 77 B7 F7 D4 77 80 F7 D4 77 B2 02 D7 77
0060DFF0 66 C5 D4 77 FD CE D4 77 29 EC D6 77 92 F9 D7 77
0060E000 6E ED D4 77 6F F6 D4 77 59 5E D8 77 68 36 D8 77
0060E010 AE C4 D4 77 A7 66 D5 77 5F CB D4 77 4B CB D4 77
0060E020 0B CC D4 77 F1 F0 D6 77 F7 CB D4 77 30 C7 D9 77
0060E030 94 FE D6 77 8E FA D6 77 F7 EE D4 77 7E F4 D6 77
0060E040 92 F4 D6 77 9D 5C D8 77 7E C5 D4 77 AE FD D4 77
0060E050 F3 BE D4 77 6F D1 D4 77 51 85 D6 77 65 85 D6 77
0060E060 42 01 D5 77 D3 63 D6 77 21 BB D8 77 52 72 D8 77
0060E070 F7 36 D9 77 94 71 D8 77 D8 34 D9 77 BB D7 D4 77
0060E080 88 C9 D4 77 FF 94 D4 77 AD 7B D9 77 DB B7 D4 77
0060E090 DD A1 D8 77 A4 52 D5 77 66 E6 D4 77 41 FD D5 77
0060E0A0 80 53 D5 77 1E DF D4 77 C9 6C D5 77 3B 56 D6 77
0060E0B0 8E C7 D4 77 46 BA D8 77 1A 8C D4 77 E9 93 D4 77
0060E0C0 06 8C D4 77 BE EA D6 77 16 F1 D7 77 BC F3 D7 77
0060E0D0 B8 E7 D4 77 BE C8 D9 77 8A C4 D4 77 20 D4 D4 77
0060E0E0 1F 5C D8 77 E0 1D D5 77 D1 2D D6 77 17 F1 D6 77
0060E0F0 7C B5 D4 77 56 B5 D4 77 D7 B9 D4 77 2C BF D4 77
0060E100 B8 C5 D4 77 15 D5 D4 77 B1 B4 D4 77 1D F2 D4 77
0060E110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E1A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E1B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E1C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E1D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E1E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E1F0 00 00 00 00 00 00 00 00 BD 8B 20 77 16 72 1F 77
0060E200 85 93 20 77 C2 7B 1F 77 F3 3F 20 77 6A 8C 1C 77
0060E210 0D 19 21 77 73 19 21 77 B8 76 1C 77 CA 54 1C 77
0060E220 5D BC 22 77 C5 4A 1C 77 BA 98 20 77 2C 8C 20 77
0060E230 91 89 20 77 D9 18 20 77 EF 19 20 77 19 40 20 77
0060E240 02 2E 20 77 4D 2C 20 77 AB 2A 20 77 E7 28 20 77
0060E250 01 27 20 77 47 25 20 77 DB 44 1C 77 5F 32 1D 77
0060E260 55 95 1C 77 53 79 1F 77 A5 71 1F 77 81 46 21 77
0060E270 67 48 21 77 45 3C 1D 77 AE 99 1F 77 DD 6F 1C 77
0060E280 DC 61 1C 77 2A 6D 1C 77 A7 81 1B 77 47 44 1C 77
0060E290 40 88 1C 77 00 00 00 00 00 00 00 00 00 00 00 00
0060E2A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E2B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E2C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E2D0 00 00 00 00 00 00 00 00 00 00 00 00 90 53 00 73
0060E2E0 73 66 01 73 67 37 01 73 00 00 00 00 00 00 00 00
0060E2F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E310 00 00 00 00 91 3B AB 71 DE 0B AC 71 D3 88 AB 71
0060E320 19 45 AB 71 00 3E AB 71 DA 2E AD 71 30 2E AD 71
0060E330 1E 95 AB 71 50 0B AC 71 6A 40 AB 71 69 2C AB 71
0060E340 05 30 AD 71 DC 94 AB 71 79 09 AC 71 8A 42 AB 71
0060E350 70 2E AD 71 D4 4F AB 71 39 96 AB 71 C0 2B AB 71
0060E360 F4 2B AB 71 66 2B AB 71 28 10 AC 71 66 2B AB 71
0060E370 41 3F AB 71 5E 2A AB 71 4D 66 AB 71 28 44 AB 71
0060E380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E3A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E3B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E3C0 D8 7C 3C 76 1E 31 3B 76 33 25 3B 76 CE EE 3B 76
0060E3D0 B1 47 3D 76 CE 00 3C 76 CD 46 3D 76 00 00 00 00
0060E3E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E3F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E400 00 00 00 00 00 00 00 00 00 00 00 00 C4 5E 51 77
0060E410 BA 89 51 77 AC 89 57 77 A0 2D 55 77 F7 57 52 77
0060E420 DD 29 54 77 04 84 57 77 A4 48 55 77 56 F3 53 77
0060E430 75 B3 5D 77 91 EB 51 77 61 EA 51 77 FA 2C 4F 77
0060E440 4C 20 4F 77 68 20 4F 77 09 60 52 77 4F 40 54 77
0060E450 69 DD 50 77 9B 94 52 77 39 95 52 77 E0 D1 52 77
0060E460 20 87 5C 77 5B 82 57 77 1B 47 4F 77 1F 9D 57 77
0060E470 7B 20 51 77 E2 3C 50 77 79 59 57 77 B8 7B 51 77
0060E480 0C 3D 50 77 0D 0F 53 77 99 B8 50 77 79 2B 4F 77
0060E490 FC 1B 54 77 12 87 57 77 33 4E 51 77 1D 79 57 77
0060E4A0 0A FB 5C 77 B3 3F 54 77 DE CA 52 77 32 D0 52 77
0060E4B0 64 D0 52 77 E7 40 51 77 0E E3 53 77 81 E3 53 77
0060E4C0 33 26 5D 77 E9 E6 51 77 CA B6 5D 77 9E A1 51 77
0060E4D0 9D 7C 57 77 B1 B5 57 77 19 99 5C 77 64 99 5C 77
0060E4E0 A8 8E 5C 77 D2 63 51 77 84 BB 57 77 52 80 5C 77
0060E4F0 FC 7F 5C 77 BF 58 57 77 59 AE 4F 77 42 3A 50 77
0060E500 53 30 4F 77 4A 97 4F 77 1F E5 57 77 53 BB 50 77
0060E510 B3 AC 50 77 D5 A4 50 77 29 A5 57 77 03 47 52 77
0060E520 79 A3 57 77 1A 43 52 77 EA 1F 58 77 00 00 00 00
0060E530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060E590 14 E9 D3 74 59 EF D3 74 7D EE D3 74 32 F5 D3 74
0060E5A0 23 F6 D3 74 47 EA D3 74 F3 F0 D3 74 00 00 00 00
< all 00s below this >


Figure 2. Full IAT.


The IAT is typically terminated with two null-DWORDs in a row. In the data above, the first null-DWORD is at RVA 0x0020DB54 and the second null-DWORD is at RVA 0x0020DB58. Thus, Import REConstructor inferred that this was the end of the IAT. However, the packer in question seems to insert extra null-DWORDs between the import address for different libraries. There are no import addresses past RVA 0x0020E5B0, so we can change the IAT length in Import REConstructor to 0x0020E5B0 - 0x0020D890 = 0x00000D20. Now when we press "Get Imports," the full IT is resolved:


http://malwareanalysis.com/CommunityServer/blogs/geffner/2005_07_26_2.jpg

Figure 3. Import REConstructor now resolves the full IT.


http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2005/07/26/5.aspx ("http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2005/07/26/5.aspx")