When adding a new API, deleted by the AM protection, while rebuilding the program, you will find at least two possibilities:
- Adding it after the last function name in the import table. This is only possible if the DLL that owns the function has to be added too, because it previously did not exist in the file.
- Inserting it in the middle of the import table. This is the case when the DLL that owns the function exists in the import table.
The first case is more or less easy to solve. But it is necessary to rewrite all the values of the IAT and Original First Thunk, and to add a new function name. It has to be done with a lot of care in order to get the rebuild working.
The second case means that you need to rewrite all values of the First Thunk, IAT and Original First Thunk, plus modify the function names list. It involves the appropriate changes in a lot of calls to APIs, so that they keep calling the original API.
This is another issue that a rebuilder of this protection needs to fix.
I have found on the internet some tools "doing" this, but none of them fully working.
Cheers
Nacho_dj
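The difference between the two cases in the post above, as an added example that is not part of the original post: a toy model of 32-bit IAT slot addresses that reports which existing slots move, and therefore which `call dword ptr [slot]` references an analyst must re-point, when an import is appended under a new DLL versus inserted into an existing DLL's thunk array. The import list, base address and contiguous layout are constructed assumptions; the model tracks slot addresses only, not the thunk values or the name table.

```python
# Added example: toy model of IAT slot layout, not a PE parser.
PTR = 4  # size of one thunk in a 32-bit image

def iat_layout(imports, base):
    """Map (dll, func) -> IAT slot address. Assumes each DLL's thunks are
    contiguous, in table order, and end with one null thunk."""
    slots, addr = {}, base
    for dll, funcs in imports:
        for func in funcs:
            slots[(dll, func)] = addr
            addr += PTR
        addr += PTR  # null thunk terminating this DLL's array
    return slots

def add_import(imports, dll, func, index=None):
    """Return a copy of the import list with func added. If dll is already
    present, insert into its array at index (middle of the table);
    otherwise append a new DLL entry at the end of the table."""
    out = [(d, list(fs)) for d, fs in imports]
    for d, fs in out:
        if d.lower() == dll.lower():
            fs.insert(len(fs) if index is None else index, func)
            return out
    out.append((dll, [func]))
    return out

def moved_slots(before, after, base):
    """Existing imports whose slot address changed: {key: (old, new)}."""
    old, new = iat_layout(before, base), iat_layout(after, base)
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}

# Constructed sample import table and IAT base address.
BASE = 0x00402000
IMPORTS = [
    ("kernel32.dll", ["GetProcAddress", "LoadLibraryA", "ExitProcess"]),
    ("user32.dll", ["MessageBoxA", "wsprintfA"]),
]

def demo():
    # Case 1: the owning DLL is not in the table, so it is appended.
    case1 = add_import(IMPORTS, "advapi32.dll", "RegOpenKeyExA")
    # Case 2: the owning DLL exists, so the function goes mid-table.
    case2 = add_import(IMPORTS, "kernel32.dll", "GetModuleHandleA", index=1)
    return moved_slots(IMPORTS, case1, BASE), moved_slots(IMPORTS, case2, BASE)

if __name__ == "__main__":
    for label, moved in zip(("append new DLL", "insert mid-table"), demo()):
        print(f"{label}: {len(moved)} existing slot(s) move")
        for (dll, func), (old, new) in moved.items():
            print(f"  {dll}!{func}: {old:#010x} -> {new:#010x}")
```

In this model the mid-table insert shifts every slot after the insertion point, including those of the following DLL, which is why the second case touches so many call sites.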