Exetools  

  #1  
Old 06-04-2026, 09:42
Jasi2169
Family
 
Join Date: Sep 2015
Location: India/TSRh
Posts: 338
Rept. Given: 3
Rept. Rcvd 78 Times in 53 Posts
Thanks Given: 47
Thanks Rcvd at 559 Times in 214 Posts
Jasi2169 Reputation: 78
Jasi PE Builder v1.2

Jasi PE Builder v1.2 By Jasi2169
(Memory Dump to Valid Disk PE Rebuilder)

JasiPEBuilder is a command-line tool for reconstructing valid executable PE files from raw memory dumps produced by JasiNativeDumper or any other dumper that captures a flat SizeOfImage byte copy of a loaded module. It handles the full pipeline of transformations needed to turn a dump that the Windows loader can map back into a file that tools like IDA Pro, Ghidra, x64dbg, CFF Explorer and Detect It Easy can open cleanly.

It fixes section raw offsets (aligning PointerToRawData and SizeOfRawData to match the flat memory layout), recalculates SizeOfImage, SizeOfHeaders and the file checksum, strips stale debug and bound import directories, and rebuilds the import table from scratch. Import reconstruction reads the original DLL files from System32 and SysWOW64 on the current machine to reverse-resolve IAT slot values back to function names, then writes a fresh .idata section with valid IMAGE_IMPORT_DESCRIPTOR chains, IMAGE_IMPORT_BY_NAME entries, and correct ordinal thunks. It handles targets compiled with MSVC (via the original INT), Delphi and MinGW (no INT, pre-init IBN-RVA path), and running-process dumps (VA to export map lookup). Delay imports are sanitized so stale runtime pointers do not crash the rebuilt image on load. Base relocations can be kept intact for ASLR rebasing or stripped for fixed-base analysis. It supports both PE32 (x86) and PE32+ (x64) targets.

Usage: JasiPEBuilder <dump.bin> [options]

Arguments:
  <dump.bin>            Raw PE memory dump file to rebuild

Options:
  --out <file>          Full output file path including filename
                        Default: <dump_name>_rebuilt.exe next to the dump

  --install-dir <path>  Path to the original installed directory of the target app used to find
                        third-party DLLs like zlib, custom SDKs, etc. that are not in System32.
                        e.g. "C:\Program Files\MyApp"

  --modules <file>      Path to the dumper's modules.map (loaded-module list).
                        Auto-discovered next to the dump if omitted.
                        Required to resolve --attach dumps of no-INT binaries.

  --no-imports          Skip import reconstruction
                        Use for packed targets as they are resolved at runtime by packer
                        or when original .idata is intact

  --iat-force           Ignore the import descriptor chain and rebuild imports by SCANNING memory for the IAT
                        Use for packed/OEP dumps (UPX, ASPack, Compressors etc.) where descriptor chain is a stub.

  --strip-relocs        Zero the BaseReloc data directory entry.
                        Default: relocations are KEPT - this flag is rarely needed.
                        Only use if the target must load at a fixed ImageBase or for static analysis at fixed address.
                        Without this flag ASLR rebasing works normally, or use if target had no .reloc section to begin with.

  --keep-relocs         Used together with --strip-relocs: zeroes the data directory entry but preserves
                        the raw .reloc bytes in the file for manual inspection.

  --no-headers          Skip header fix-ups like SizeOfImage, SizeOfHeaders, checksum, debug directory,
                        and bound import directory are left as it is in dump.

  --keep-debug          Do not strip the debug data directory

  --clear-dll-flag      Remove IMAGE_FILE_DLL in FileHeader.Characteristics

  --help                Show this help

Examples:
  JasiPEBuilder dump.bin
  JasiPEBuilder dump.bin --out C:\out\rebuilt.exe
  JasiPEBuilder dump.bin --install-dir "C:\Program Files\MyApp"
  JasiPEBuilder dump.bin --no-imports

Notes:
-> Use --install-dir <path> to resolve third-party DLLs (e.g. zlib, custom SDKs) that are not in System. Without it, imports from those DLLs cannot be resolved and their IAT slots are zeroed. The rebuilt exe will still load but any call through an unresolved slot will crash at runtime.
-> Use --no-imports for packed (Themida, VMProtect, etc.) targets, as the real IAT is managed by the protector at runtime. Rebuilding imports on a protected dump produces garbage that interferes with the protector's own loader.

Changelog:

v1.2 (02/Jul/2026)
- Added the --iat-force argument to ignore the import descriptor chain and rebuild imports by SCANNING memory for the IAT, needed if dumped using the OEP arguments in Jasi Native Assembly Dumper.
- Enhanced import rebuilder with bitness check and supplied x86 PE Builder for x86 files.


v1.1 (24/Jun/2026)
- Import rebuilder now keys its export map at each module's actual load base from the Jasi Native Assembly Dumper's modules.map (built from every loaded module, not just descriptor-named DLLs), fixing runtime --attach import resolution for no-INT binaries.
- Now within-image check uses the manifest's real main-image base, auto-discovers modules.map next to the dump (--modules to override).


v1.0 (03/Jun/2026)
- Initial Release

Download: (Pwd: Jasi2169)
Site: https://pixeldrain.com/u/Adrch6yT
Attached Files
File Type: rar Jasi PE Builder v1.2.rar (145.7 KB, 2 views)

Last edited by Jasi2169; 07-03-2026 at 09:20.
The Following 2 Users Gave Reputation+1 to Jasi2169 For This Useful Post:
BAHEK (06-04-2026), MarcElBichon (06-04-2026)
The Following 2 Users Say Thank You to Jasi2169 For This Useful Post:
Gyrus (06-04-2026), user_hidden (06-05-2026)
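
The section fix-up described in the first post (PointerToRawData and SizeOfRawData made to match the flat memory layout, SizeOfImage recalculated), as an added Python sketch that is not JasiPEBuilder's own code. The function names, the choice to set FileAlignment equal to SectionAlignment, and the constructed two-section dump are assumptions of this example.

```python
import struct

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def fix_section_table(dump):
    """In a flat SizeOfImage dump every section's bytes sit at its RVA, so raw := virtual."""
    pe, = struct.unpack_from("<I", dump, 0x3C)                 # e_lfanew
    if dump[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", dump, pe + 6)             # NumberOfSections
    opt_size, = struct.unpack_from("<H", dump, pe + 20)        # SizeOfOptionalHeader
    opt = pe + 24                     # the offsets used below are the same for PE32 and PE32+
    sec_align, = struct.unpack_from("<I", dump, opt + 32)      # SectionAlignment
    # Assumption of this sketch: FileAlignment := SectionAlignment, so raw offsets == RVAs are aligned.
    struct.pack_into("<I", dump, opt + 36, sec_align)
    fixed, image_end = [], 0
    for i in range(nsec):
        sh = opt + opt_size + 40 * i                           # IMAGE_SECTION_HEADER is 40 bytes
        name = bytes(dump[sh:sh + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize = struct.unpack_from("<III", dump, sh + 8)
        span = align_up(vsize or rsize, sec_align)             # VirtualSize may be 0 in odd files
        raw = max(0, min(span, len(dump) - va))                # clamp when the dump is truncated
        struct.pack_into("<II", dump, sh + 16, raw, va)        # SizeOfRawData, PointerToRawData
        fixed.append((name, va, raw))
        image_end = max(image_end, align_up(va + span, sec_align))
    struct.pack_into("<I", dump, opt + 56, image_end)          # SizeOfImage
    return fixed, image_end

def make_constructed_dump():
    """Constructed sample: PE32 headers with on-disk raw offsets, in a dump cut short at 0x3000."""
    d = bytearray(0x3000)
    d[0:2] = b"MZ"
    struct.pack_into("<I", d, 0x3C, 0x80)
    d[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", d, 0x84, 0x14C, 2)                 # Machine, NumberOfSections
    struct.pack_into("<H", d, 0x80 + 20, 0xE0)                 # SizeOfOptionalHeader
    opt = 0x80 + 24
    struct.pack_into("<H", d, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<II", d, opt + 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    struct.pack_into("<I", d, opt + 56, 0x5000)                # stale SizeOfImage
    secs = [(b".text", 0x800, 0x1000, 0x800, 0x400), (b".data", 0x1234, 0x2000, 0x200, 0xC00)]
    for i, (n, vs, va, rs, rp) in enumerate(secs):
        struct.pack_into("<8sIIII", d, opt + 0xE0 + 40 * i, n, vs, va, rs, rp)
    return d
```

On the constructed dump the second section is clamped to the 0x1000 bytes actually present, while SizeOfImage still covers its full aligned virtual span.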
  #2  
Old 06-04-2026, 09:52
Jasi2169
Tested on:

Stardock CursorFX with MSVC, of course no issue in its case

Beyond Compare 5 with Delphi, OriginalFirstThunk=0, fallback on import rebuilder, delay imports sanitized; still, the import builder is kind of in beta inside

Dumped using JasiNativeDumper in --target mode, where .data is not initialized yet (pre-init state)

Last edited by Jasi2169; 06-04-2026 at 10:01.
The Following User Gave Reputation+1 to Jasi2169 For This Useful Post:
CodeCracker (06-06-2026)
The Following 3 Users Say Thank You to Jasi2169 For This Useful Post:
bigboss-62 (06-05-2026), CodeCracker (06-06-2026), niculaita (06-05-2026)
  #3  
Old 06-22-2026, 02:46
Jasi2169
Even though the import builder is kind of beta inside, it works fine.

I will try to enhance the import rebuilder in the future; somehow I made it for fun and it came out as a good product.
I have ideas, but let's see how implementation and testing go.

Last edited by Jasi2169; 06-25-2026 at 13:33.
The Following User Says Thank You to Jasi2169 For This Useful Post:
niculaita (06-22-2026)
  #4  
Old 06-25-2026, 13:09
Jasi2169
v1.1 (24/Jun/2026)
- Import rebuilder now keys its export map at each module's actual load base from the Jasi Native Assembly Dumper's modules.map (built from every loaded module, not just descriptor-named DLLs), fixing runtime --attach import resolution for no-INT binaries.
- Now within-image check uses the manifest's real main-image base, auto-discovers modules.map next to the dump (--modules to override).
The Following 3 Users Say Thank You to Jasi2169 For This Useful Post:
niculaita (06-25-2026), tK! (07-02-2026), user_hidden (06-25-2026)
  #5  
Old 07-03-2026, 09:20
Jasi2169
v1.2 (02/Jul/2026)
- Added the --iat-force argument to ignore the import descriptor chain and rebuild imports by SCANNING memory for the IAT, needed if dumped using the OEP arguments in Jasi Native Assembly Dumper.
- Enhanced import rebuilder with bitness check and supplied x86 PE Builder for x86 files.

Quote:
Usages:
Normal target (MSVC / Delphi, not packed):
JasiNativeDumper --target app.exe --out dumped
JasiPEBuilder dumped\0_app.exe

--target gives a clean pre-init dump; the descriptor chain is intact, strategies 1/2a resolve everything.

Running process (attach):
JasiNativeDumper --attach <pid> --out dumped
JasiPEBuilder dumped\0_app.exe

Attach dumps hold runtime VAs - Strategy 2b resolves via modules.map.

Packed target (UPX / ASPack / compressor-class), via OEP:
1. Load target in x64dbg; run to the real OEP
(UPX: break on the tail jmp after popad; step once onto OEP).
2. JasiNativeDumper --attach <pid> --oep-va 0x<OEP-from-x64dbg> --out oep
3. JasiPEBuilder oep\0_app.exe --iat-force --strip-relocs

--oep-va takes the absolute address from x64dbg; the dumper subtracts the live base to get the RVA and stamps AddressOfEntryPoint.
--iat-force scans for the packer-rebuilt IAT (chain is a stub).
--strip-relocs is required: the dump is already relocated, so keeping relocations double-applies them and crashes at startup.

Notes:
- Use x86 builder for 32-bit dumps, x64 builder for 64-bit dumps.
- modules.map is required for --attach and --iat-force resolution (it carries the actual module bases). Optional for --target/MSVC.
- Use --iat-force only for packed dumps. Normal dumps have a valid descriptor chain and full strategy ladder - don't force-scan them.
- Handles unpacked binaries and compressor-class packers (UPX, ASPack, PECompact) via OEP. Not code-virtualization protectors (VMProtect, Themida) or heavy import-obfuscation (ASProtect) - those need dedicated devirtualization.

Last edited by Jasi2169; 07-03-2026 at 11:02.
The Following 4 Users Say Thank You to Jasi2169 For This Useful Post:
Gyrus (07-03-2026), user_hidden (07-03-2026), wilson bibe (07-03-2026), wx69wx2023 (07-03-2026)