Government Security
Network Security Resources

Question About Packing And The Iat


#1 ThunkData (Private, Members, 1 posts)

Posted 13 January 2013 - 05:03 PM

So if you have a file, and you pack it, obviously you lose all the information in the Import Address Table, well maybe not lose it, but it's useless because it's never initialized since at the time the PE loader loaded the file, it would have never been set to the function addresses. So then how does the stub make it so that the original code is able to use the program correctly? Does the packer run over the Import Name Table, find everything it is trying to import, and then build a new import address table once the file is loaded up using LoadLibrary?

So you have something like

CALL DWORD PTR DS:[1063060]

And then that stores an address to the beginning of the function (TlsSetValue) inside of kernel32 at 760D1462.

10636060 -> 760D1462 (kernel32)

But that's in an exe that wasn't packed, so the question is, if it loads it up?

Maybe in the packer source code it has an array of all the modules that an exe will require to load up, and then it has some sort of code that fires LoadLibrary inside of the stub? And then GetProcAddress?
Then it recreates the import address table?

Now another question is, if it does this, then what about all the code within the program that relies on CALL DWORD PTR [IMAGEBASE+RVA] <-- a call to the original IAT

I am confused about how it handles this. Would the crypter run over that code and replace it with the new IAT location? Or would it...?
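Added example, not from the post or from any packer: a loader-style import resolver in Python over a constructed 32-bit image fragment. It walks the IMAGE_IMPORT_DESCRIPTOR table, reads each Import Name Table entry (by name or by ordinal), and writes the resolved address into the IAT slot in place, which is why existing CALL DWORD PTR [IMAGEBASE+RVA] instructions keep working without being patched. The image layout and the export lookup are constructed stand-ins for a real PE and for LoadLibrary/GetProcAddress; only the 0x760D1462 address comes from the post.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit set in an INT entry => import by ordinal


def read_cstr(image, rva):
    """Read a NUL-terminated ASCII string at an RVA (RVA == offset in this flat image)."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def rebuild_iat(image, import_dir_rva, resolve):
    """Do what the PE loader (or an unpacker stub) does: for each DLL descriptor, walk the
    Import Name Table (OriginalFirstThunk), resolve each entry, and store the address in the
    matching IAT slot (FirstThunk) in place. Returns (iat_rva, dll, symbol, address) rows."""
    filled, desc_rva = [], import_dir_rva
    while True:
        int_rva, _ts, _fwd, name_rva, iat_rva = struct.unpack_from("<5I", image, desc_rva)
        if name_rva == 0 and iat_rva == 0:  # all-zero descriptor terminates the table
            break
        dll = read_cstr(image, name_rva)
        for off in range(0, 0x10000, 4):  # bounded walk; stops at the zero thunk
            thunk = struct.unpack_from("<I", image, int_rva + off)[0]
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                sym = thunk & 0xFFFF  # IMAGE_ORDINAL(thunk)
            else:
                sym = read_cstr(image, thunk + 2)  # skip the WORD hint of IMAGE_IMPORT_BY_NAME
            addr = resolve(dll, sym)
            struct.pack_into("<I", image, iat_rva + off, addr)  # slot read by CALL DWORD PTR [slot]
            filled.append((iat_rva + off, dll, sym, addr))
        desc_rva += 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return filled


def build_sample_image():
    """Constructed fragment: descriptors at 0, INT at 0x100, DLL name at 0x200,
    IAT at 0x300 (zeroed, as it is useless in a packed file), hint/name at 0x400."""
    img = bytearray(0x500)
    struct.pack_into("<5I", img, 0x000, 0x100, 0, 0, 0x200, 0x300)  # kernel32.dll descriptor
    struct.pack_into("<3I", img, 0x100, 0x400, IMAGE_ORDINAL_FLAG32 | 5, 0)  # by name, by ordinal, end
    img[0x200:0x20D] = b"kernel32.dll\0"
    img[0x400:0x40E] = b"\x00\x00TlsSetValue\0"  # WORD hint 0 followed by the function name
    return img


# Stand-in for LoadLibrary/GetProcAddress; the ordinal-5 address is made up for the example.
FAKE_EXPORTS = {("kernel32.dll", "TlsSetValue"): 0x760D1462, ("kernel32.dll", 5): 0x760D2000}


def fake_get_proc_address(dll, sym):
    return FAKE_EXPORTS[(dll, sym)]


if __name__ == "__main__":
    img = build_sample_image()
    for slot, dll, sym, addr in rebuild_iat(img, 0, fake_get_proc_address):
        print(f"IAT slot RVA {slot:#06x}: {dll}!{sym} -> {addr:#010x}")
```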