Thread: small problem with ImpRec
View Single Post
  #8  
Old 07-09-2008, 07:21
Nacho_dj's Avatar
Nacho_dj Nacho_dj is offline
Lo*eXeTools*rd
  
Join Date: Mar 2005
Posts: 211
Rept. Given: 16
Rept. Rcvd 179 Times in 34 Posts
Thanks Given: 44
Thanks Rcvd at 137 Times in 41 Posts
Nacho_dj Reputation: 100-199 Nacho_dj Reputation: 100-199
Hello Hero:

What I find in your fixed dump is that the Original First Thunk and the First Thunk are in the .mackT section.

Original First Thunk begins at the offset: 0x95E000
First Thunk begins at the offset: 0x95EA90

They are pointed by the Import Table, beginning at the offset 0x95F520.

You could compare at these offsets that the values of either Thunk are the same in the dumped fixed file.

However, when you execute your target, in memory the Original First Thunk will get the handles of the functions in the places of the pointers to the names of functions, loaded by the system, becoming in that way the IAT. So in memory, content of Original First Thunk won't be the same than First Thunk.

Forget the previous Import Table of dumped at offset 0x595F84. It won't be used any more, since the tool has changed in Data Directories the Import Table Relative Virtual Address to 0x95F520.

But it is a right Import Table. Is there any issue for running the target?

Cheers

Nacho_dj
__________________
http://arteam.accessroot.com
Reply With Quote