Manually Find the IAT and Rebuild It Using ImportREC
The sample program can be downloaded from this link: manually_fix_iat.zip
Our commonly used
ImportREC shelling is the
IAT auto search that comes with the software, but if we want to manually find the address of
dump, what should we do?
First use the ESP law, you can quickly jump to
We right click and select `Find->call between all modules.
Shows the list of functions called, we double-click on one of the functions (note that the double-click here should be the function of the program instead of the system function)
We came to the function call
Right click on
follow to enter the function
Then right click on the
data window to follow -> memory address
Here, because the display is a hexadecimal value, it is not convenient to view, we can right-click in the data window and select
long->address to display the function name.
Note that we have to scroll up to the beginning of the IAT table. We can see that the initial function address is
004050D8. We find the last function down, which is the
user32.MessageBoxA function. Look at the size of the entire IAT table. At the bottom of the OD there is a display of 'block size: 0x7C
, so our entire IAT block size is0x7C`
ImportREC, select the program we are debugging, then enter
OEP:1110, RVA:50D8, SIZE:7C, and then click
Get Input Table.
Here in the input table window, right click and select "Advanced Command -> Select Code Block".
Then a pop-up window will appear, select the full dump, save as
After the dump is complete, select
Dump to file, here choose to repair the dump.exe we just dumped, get a
dump\_.exe. At this point, the whole shelling is completed.
本页面的全部内容在 CC BY-NC-SA 4.0 协议之条款下提供，附加条款亦可能应用。