importREC download

Security technology 698.34KB 31 Points required: 1

Resource description:

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
~        Import REConstructor v1.6 FINAL by MackT/uCF2000 in 2001-2003        ~
=                                                                             =
~                   - *for Windows 9x, ME, NT, 2K and XP* -                   ~
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

Disclaimer:
-----------
This program may crash, or in a worse case it may even reboot your computer, so please use it with caution. (Do not run it 3 hours into an unsaved coding session for example)
I am *NOT* responsible for any damage caused by the use of it.

Purpose:
--------
This tool is designed to rebuild imports for protected/packed Win32 executables. It reconstructs a new Image Import Descriptor (IID), Import Array Table (IAT) and all ASCII module and function names. It can also inject into your output executable a loader which is able to fill the IAT with real pointers to APIs or with ripped code from the protector/packer (very useful against emulated APIs in a thunk).
Sorry but this tool is not designed for newbies, you should be a bit familiar with manual unpacking first (some tutorials are easy to find on the internet).

Features:
---------
- Imports
  - An original tree view
  - 2 different methods to find original imports (by IAT and/or API calls)
  - A *FULL* complete rebuilder (including a new fresh IAT)
- Loader
  - An analyzer and ripper of redirected API code
  - An injected loader code to support a mix of imports + ripped code in a thunk
  - A heuristic relocator
- Tracers
  - 3 default tracers (disasm, hook & ring3) to find APIs in redirected code
  - A plugin interface to develop your own tracers
- Misc
  - Support ALL 32bits Windows (9x, ME, NT, 2k and XP)
  - An export renormalizer for Win9x/ME (ala Icedump)
  - A built-in coloured disasm/hex-viewer to analyze the redirected code
  - A built-in dumper
  - Support almost all known antidump tricks

What does it need?
------------------
- A full dump of the target (RAW and VIRTUAL infos of sections DO NOT NEED to be equal)
- A running process of your target
- You have to find the Original Entry Point (OEP) manually (or with the /tracex command of Icedump) in order to use the 'IAT AutoSearch' command

How does it work?
-----------------
1 - Select the target in the "Attach to an Active Process" combobox. (Its Entry Point (EP) will automatically be put in the OEP editbox)
    * If the target is a dll, choose the process which uses it and click on "Pick DLL" to select it.
    * IF AND ONLY IF you have suspended your target at OEP (with a "jmp eip" at OEP for example), you can dump it with the "Full Dump" button on the dialogbox of the "Select Code Section(s)" command (right click on the tree).
    NOTE:
    -----
    The "Full Dump" button does not take care of the selected sections near it, so you do not need to select all sections.

2 - If you have the OEP:
    - Enter it (as a Relative Virtual Address (RVA)) in the appropriate editbox and press the "IAT AutoSearch" button to get possible RVA and size values of the region which can contain the original IAT
    Else:
    - Enter the RVA and size of the IAT

3 - Press the "Get Imports" button if the "IAT AutoSearch" has found something. For Borland targets (for example), you will notice that you will not have the complete IAT. It is because these targets do not have a contiguous IAT. For this case, enter the RVA and Size of the whole section which contains that IAT (that information is ALWAYS written in the messagebox and the Log window just after clicking on "Get Imports").
    NOTE:
    -----
    The IAT could be completely (or partially) removed by the packer/protector, so the "IAT AutoSearch" will fail. In this case, use the "Get API Call" command (right click on the tree). It will add to your imports all pointers of the APIs called directly in the code. Do not forget to specify all sections which contain or are supposed to contain code (usually it is only the first section, so you have nothing to do because it is the default configuration). To specify these sections, right click on the tree for a "Select Code Section(s)". This method is based on heuristics, so you might have to analyze and remove by hand all invalid slots.

4 - Use the "Show Invalid" button to see all unresolved slots. You will need to trace into them to find the real API. Always try the Tracer Level1 first because it does not execute any code of the target. The Tracer Level2 is to be used only as a last resort because it is the least stable one (it uses a global hook).
    * If you need to retrace into an already traced slot, you have to invalidate it (right click on it and use the "Invalidate function(s)" command).
    * Use "Cut thunk(s)" to remove individually each function
    * Use "Delete thunk(s)" to remove individually each module
    * Double click on a slot to edit it manually if you know the real API

5 - Use the "Show Suspect" button to check 'supposedly' wrongly traced slots. This is possible because of the Tracer Level1 for example.
    * A suspect slot is a lone valid function in a thunk, or an API which already exists in the same thunk (ie several identical APIs in the same module)
    * A suspect slot is not necessarily invalid. It only needs a quick analysis on your part.

6 - After playing with all tracers, if you still have some unresolved slots, you can try to use the "Loader". This feature will allow you to rip the redirected code to be used directly in your dump. To use the loader, select your invalid slots and right click on the tree for a "*Switch Loader*". A tag "*LOADER*" will appear near the module which contains your slots. If you want to disable it, just "*Switch Loader*" again. You are allowed to have invalid functions in all modules which have a tag "*LOADER*".
    * The loader is to be used only for rebuilding executables (not dlls)
    * The loader analyzer is based on the "Max Recursion" and "Buffer Size" options to find all needed regions from the invalid slots

7 - If you do not want to add a new section and know where you can put the new rebuilt imports (in the last section for example), uncheck "Add new section" and enter the wanted RVA. (the easiest way is to add a new section though (the default))
    * If the "Loader" is enabled, a new section will necessarily be added

8 - Press "Fix Dump" to fix your DUMPED file. You do not need to make a backup. If your filename is "Dump.exe", it will create "Dump_.exe". Moreover, the EP of your dump will be fixed to the value you have entered if you turned "Fix EP to OEP" on in Options.
    * If you have some modules with a tag "*LOADER*" and some unresolved functions in them, a dialogbox will appear and allow you to customize the rip processing. You will see all regions which will be ripped from the target. You can add, remove and modify them if needed (for advanced users only). You will also have these options:
      * "Auto reloc" : Normal mode for relocations. It will reloc only the ripped region by tracing instruction per instruction (with the disasm engine)
      * "Hardcore reloc" : Hardcore mode for relocations. It will reloc the whole region in addition to the "Auto reloc"
      * "Rebuild Imports" : All imports in the regions will be rebuilt. It means ImportREC will append the imports needed by the ripped code to the current imports.

9 - Pheee
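As an added illustration of the "IAT AutoSearch" heuristic from steps 2 and 3 (example code written for this page, not the ImportREC readme's or the tool's own code): a scan over a 32-bit dump that collects contiguous runs of DWORD slots pointing into loaded modules, treating a single zero DWORD between two runs as the terminator between two modules' thunks, and then uses the first call through an import slot after the OEP to pick the real IAT among the candidates. The image base, the module address ranges and the dump bytes are constructed sample values, and using the OEP this way is an assumption about how an OEP can narrow the search, not a description of ImportREC's internals.

```python
import struct

# Constructed values (not from the page): dump base and the address ranges
# of two modules that were loaded in the target process.
IMAGE_BASE = 0x00400000
MODULES = {"kernel32.dll": (0x7C800000, 0x7C900000),
           "user32.dll": (0x77D40000, 0x77DD0000)}

def _dword(buf, off):
    return struct.unpack_from("<I", buf, off)[0]
def _in_module(va):
    return any(lo <= va < hi for lo, hi in MODULES.values())

def find_iat_candidates(image, min_slots=3):
    """Heuristic 'IAT AutoSearch': (rva, size) of each contiguous run of DWORD
    slots pointing into a module; one zero between runs is a thunk terminator."""
    found, off, end = [], 0, len(image) - 3
    while off < end:
        if not _in_module(_dword(image, off)):
            off += 4
            continue
        start, valid = off, 0
        while off < end:
            va = _dword(image, off)
            if _in_module(va):
                valid += 1
            elif va or off + 4 >= end or not _in_module(_dword(image, off + 4)):
                break  # junk, or the zero that ends the last thunk
            off += 4
        if valid >= min_slots:  # a stray pointer in data is not an IAT
            found.append((start, off - start))
        off += 4
    return found

def pick_iat_from_oep(image, oep_rva, candidates, window=0x200):
    """Assumed use of the OEP: the first 'call/jmp dword ptr [imm32]'
    (FF 15 / FF 25) after OEP must go through a slot of the real IAT."""
    code = image[oep_rva:oep_rva + window]
    for i in range(len(code) - 5):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            rva = _dword(code, i + 2) - IMAGE_BASE
            for start, size in candidates:
                if start <= rva < start + size:
                    return start, size
    return None

# Constructed dump: 3-slot kernel32 thunk, zero, 2-slot user32 thunk, zero,
# code at OEP 0x80 calling through slot 0x44, then a lone pointer (not an IAT).
SAMPLE = bytes(0x40) + struct.pack("<3I", 0x7C801000, 0x7C802000, 0x7C803000)
SAMPLE += bytes(4) + struct.pack("<2I", 0x77D41000, 0x77D42000) + bytes(4)
SAMPLE += b"\xCC" * (0x80 - len(SAMPLE)) + b"\xFF\x15" + struct.pack("<I", IMAGE_BASE + 0x44)
SAMPLE += b"\x90\x90" + struct.pack("<I", 0x7C809999) + bytes(0x100)
```

On the constructed dump the scan reports the single candidate (0x40, 0x18), i.e. five pointer slots plus the inner terminator, and rejects the lone pointer at 0x88 as too short to be an IAT.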
