
 dzzie@yahoo.com
 http://sandsprite.com

ImpReb - Import Rebuilder

What is this?

It will allow you to write a completely new import table 
into a target PE file.

The best tutorial I can give is a quick follow-along example.

The small exe included was compiled with flat assembler. It has
2 imports for simplicity. If you run telock_hello.exe and then
attach to it at the message box, you will find the following
intermodular calls:

0040103A   CALL DWORD PTR DS:[40207A]                user32.MessageBoxA
00401042   CALL DWORD PTR DS:[40205C]                kernel32.ExitProcess


Address 40207A holds the pointer to user32.MessageBoxA
        40205C holds the pointer to kernel32.ExitProcess

That is all the info we need to rebuild the import table.

First drag and drop the raw dump file into the PE file textbox and
then click load sections.

Now click on import list for dlls. In the new form enter the dll
names, one per line.

kernel32.dll
user32.dll

Now click on user32.dll to select it and make it active. On the function
side of the UI click add and enter MessageBoxA.

Now for the first thunk: the pointer table for user32.dll starts at address
40207A, so enter the RVA value 207a (the address minus the image base,
400000 here) for the 1st thunk and press update.

Now select kernel32.dll and fill out its function and thunk data as before.

This now handles the case where RVA values != file offset. Note that this
thing requires that the new import table offset is before the original thunk
table offset. It does this to prevent a weird loader thing that cost me a lot
of time. It will set first thunk = original thunk and place the lookup table
right at that thunk offset. idd will always be before this. If it doesn't
like your offset, it will suggest one which should work.
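
The layout described above, as an added sketch that is not ImpReb's own
code: it builds PE32 import descriptors with first thunk = original thunk
and computes the values to write into the existing thunk slots. The image
base 400000, the table RVA 1F00, the function name build_import_table and
the overlap check are assumptions made for this example.

```python
import struct

IMAGE_BASE = 0x400000  # assumption: implied by VA 40207A <-> RVA 207A above

def build_import_table(table_rva, imports):
    """imports: list of (dll, first_thunk_rva, [function names]).
    Returns (blob, patches): blob goes at table_rva; patches maps each
    thunk-slot RVA to the 32-bit value that must be written there."""
    lowest_thunk = min(rva for _, rva, _ in imports)
    if table_rva >= lowest_thunk:
        raise ValueError("import table must start before the thunk table")
    desc_size = 20 * (len(imports) + 1)   # descriptors + all-zero terminator
    strings_rva = table_rva + desc_size
    descriptors, strings, patches = bytearray(), bytearray(), {}
    for dll, thunk_rva, funcs in imports:
        slot = thunk_rva
        for name in funcs:
            strings += b"\0" * (len(strings) % 2)   # 2-byte align each entry
            patches[slot] = strings_rva + len(strings)
            # IMAGE_IMPORT_BY_NAME: 16-bit hint (0 here), NUL-terminated name
            strings += struct.pack("<H", 0) + name.encode("ascii") + b"\0"
            slot += 4
        patches[slot] = 0                 # zero entry ends this DLL's list
        name_rva = strings_rva + len(strings)
        strings += dll.encode("ascii") + b"\0"
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descriptors += struct.pack("<5I", thunk_rva, 0, 0, name_rva, thunk_rva)
    blob = bytes(descriptors) + bytes(20) + bytes(strings)
    if table_rva + len(blob) > lowest_thunk:   # added safety check (assumption)
        raise ValueError("table would run into the thunk slots")
    return blob, patches

# DLLs, functions and thunk addresses from the walkthrough above.
IMPORTS = [("kernel32.dll", 0x40205C - IMAGE_BASE, ["ExitProcess"]),
           ("user32.dll", 0x40207A - IMAGE_BASE, ["MessageBoxA"])]
TABLE_RVA = 0x1F00   # constructed placement, chosen to sit below the thunks

if __name__ == "__main__":
    blob, patches = build_import_table(TABLE_RVA, IMPORTS)
    print(f"write {len(blob)} bytes at RVA {TABLE_RVA:X}")
    for rva, value in sorted(patches.items()):
        print(f"thunk slot RVA {rva:X} <- {value:08X}")
```

In a raw dump the thunk slots still hold resolved API addresses, which is
why each slot is overwritten with the RVA of its hint/name entry.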

So make your changes and hit embed. If all goes well you will get a done 
message.

Now load the exe in LordPE and look at the listing of the import table.
It should find all of the dll and function names.

Now give it a click.

Please don't repost my code on other sites... 

I guarantee this thing has bugs and/or will be updated frequently with new stuff and
reposting will only make a version mess.

At current this thing is a little finicky about placement of the table and still
screws up sometimes (I had to totally change how it embeds stuff from the way I
wanted at the last minute due to the loader thing) so user beware.. might take a
couple tries..

-dzzie
