Exetools  

  #26  
05-31-2005, 20:52
Nacho_dj
when you need to add a lost api

When adding a new API that was deleted by the AM protection, while rebuilding the program, you will find at least two possibilities:

- Adding it after the last function name in the import table. This is only possible if the DLL that owns the function has to be added too, because it did not previously exist in the file.

- Inserting it in the middle of the import table. This is the case when the DLL that owns the function exists in the import table.


The first case is more or less easy to solve. But it is necessary to rewrite all the values of the IAT and Original First Thunk, and to add a new function name. It has to be done with a lot of care in order to get the rebuild working.

The second case means that you need to rewrite all values of the First Thunk, IAT and Original First Thunk, plus modify the function names list. It involves the appropriate changes in a lot of calls to APIs, so that they keep calling the original API.

This is another issue that a rebuilder of this protection needs to fix.

I have found on the internet some tools "doing" this, but none of them works completely.


Cheers


Nacho_dj
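The slot shifting behind the two cases in the post above, as an added example that is not part of the original post: it models where each import's IAT slot sits, adds a function either under a new DLL or in the middle of an existing DLL's list, and retargets the indirect calls whose slots moved. The image base, IAT RVA, import list, code bytes and all function names are constructed for illustration, and the model tracks slot addresses only, not the hint/name RVAs stored in the thunks.

```python
import struct

IMAGE_BASE, IAT_RVA, SLOT = 0x400000, 0x2000, 4   # constructed PE32 values
IMPORTS = [("kernel32.dll", ["GetProcAddress", "LoadLibraryA", "ExitProcess"]),
           ("user32.dll", ["MessageBoxA"])]        # constructed import list
# Constructed code: call [0x402004]; call [0x402010]; jmp [0x402000]
CODE = bytes.fromhex("FF1504204000" "FF1510204000" "FF2500204000")

def layout(imports, iat_rva=IAT_RVA):
    """Give every (dll, function) its IAT slot RVA; each DLL's run ends in a null thunk."""
    slots, rva = {}, iat_rva
    for dll, funcs in imports:
        for name in funcs:
            slots[(dll, name)] = rva
            rva += SLOT
        rva += SLOT                                # null terminator
    return slots

def add_import(imports, dll, name, index=None):
    """Case 2: DLL already listed, insert at index. Case 1: new DLL, append at the end."""
    out = [(d, list(funcs)) for d, funcs in imports]
    for d, funcs in out:
        if d.lower() == dll.lower():
            funcs.insert(len(funcs) if index is None else index, name)
            return out
    return out + [(dll, [name])]

def slot_moves(old, new):
    """Old slot RVA -> new slot RVA for every pre-existing import whose slot moved."""
    return {old[k]: new[k] for k in old if old[k] != new[k]}

def patch_calls(code, moves):
    """Retarget FF 15 (call [abs32]) / FF 25 (jmp [abs32]) operands that use moved slots.
    A raw byte scan is a simplification: a real rebuilder needs a disassembler and
    must also cover other references to the slots, such as mov reg, [slot]."""
    buf, i, patched = bytearray(code), 0, 0
    while i + 6 <= len(buf):
        if buf[i] == 0xFF and buf[i + 1] in (0x15, 0x25):
            rva = struct.unpack_from("<I", buf, i + 2)[0] - IMAGE_BASE
            if rva in moves:
                struct.pack_into("<I", buf, i + 2, IMAGE_BASE + moves[rva])
                patched += 1
            i += 6
        else:
            i += 1
    return bytes(buf), patched
```

With this constructed layout, appending under a new DLL moves no existing slot, while inserting into kernel32.dll's list moves every slot after the insertion point, including the next DLL's.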