seliaste/lief-iat-reconstruction
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixed some formatting stuff

Browse source
This commit is contained in:
Aéna Aria 2026-03-31 10:55:08 +02:00
parent dc8ab65614
commit 3e665cd11a
1 changed files with 10 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

48
iat.py
View file

@ -13,9 +13,7 @@ iat_json_path = "rsc/upx-hostname.exe.bin_iat_wave1.json"
# iat_json_path = "rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json" # iat_json_path = "rsc/000155f2e0360f6ff6cd.exe_iat_wave2.json"
def hex_address_to_memory_representation( def hex_address_to_memory_representation(hex_addr: str, is_32b: bool, is_little_endian: bool) -> list[int]:
hex_addr: str, is_32b: bool, is_little_endian: bool
) -> list[int]:
adress_size = 4 if is_32b else 8 adress_size = 4 if is_32b else 8
mem_value = [0x00] * adress_size mem_value = [0x00] * adress_size
hex_addr = hex_addr[::-1][:-2] # reversing order and stripping zero hex_addr = hex_addr[::-1][:-2] # reversing order and stripping zero
@ -51,9 +49,7 @@ def patch_direct_adress_call(pe: lief.PE.Binary, rva: int, instruction_offset: i
pe.abstract.header.is_32, pe.abstract.header.is_32,
pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE,
) )
pe.patch_address( pe.patch_address(instruction_offset, [0xFF, 0x15] + new_value, lief.Binary.VA_TYPES.RVA)
instruction_offset, [0xFF, 0x15] + new_value, lief.Binary.VA_TYPES.RVA
)
def patch_direct_adress_jump(pe: lief.PE.Binary, rva: int, instruction_offset: int): def patch_direct_adress_jump(pe: lief.PE.Binary, rva: int, instruction_offset: int):
@ -63,9 +59,7 @@ def patch_direct_adress_jump(pe: lief.PE.Binary, rva: int, instruction_offset: i
pe.abstract.header.is_32, pe.abstract.header.is_32,
pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE, pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE,
) )
pe.patch_address( pe.patch_address(instruction_offset, [0xFF, 0x25] + new_value, lief.Binary.VA_TYPES.RVA)
instruction_offset, [0xFF, 0x25] + new_value, lief.Binary.VA_TYPES.RVA
)
def patch_instr_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: int): def patch_instr_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: int):
@ -97,10 +91,7 @@ def patch_addr_found_in_mem(pe: lief.PE.Binary, rva: int, old_addr: str):
for i in range(len(section.content)): for i in range(len(section.content)):
found = True found = True
for j in range(len(old_addr_mem_repr)): for j in range(len(old_addr_mem_repr)):
if ( if i + j >= len(section.content) or section.content[i + j] != old_addr_mem_repr[j]:
i + j >= len(section.content)
or section.content[i + j] != old_addr_mem_repr[j]
):
found = False found = False
break break
if found: if found:
@ -111,21 +102,11 @@ def patch_addr_found_in_mem(pe: lief.PE.Binary, rva: int, old_addr: str):
is_32, is_32,
little_endian, little_endian,
) )
# print(
# f"ref= {
# hex(
# section.virtual_address + i + pe.imagebase,
# )
# }"
# )
for section in pe.sections: for section in pe.sections:
for k in range(len(section.content)): for k in range(len(section.content)):
foundxref = True foundxref = True
for l in range(len(old_addr_ref)): for L in range(len(old_addr_ref)):
if ( if k + L < len(section.content) and section.content[k + L] != old_addr_ref[L]:
k + l < len(section.content)
and section.content[k + l] != old_addr_ref[l]
):
foundxref = False foundxref = False
break break
if foundxref: if foundxref:
@ -135,19 +116,13 @@ def patch_addr_found_in_mem(pe: lief.PE.Binary, rva: int, old_addr: str):
pe.patch_address(addr, new_addr, lief.Binary.VA_TYPES.RVA) pe.patch_address(addr, new_addr, lief.Binary.VA_TYPES.RVA)
def patch_to_new_IAT( def patch_to_new_IAT(pe: lief.PE.Binary, imp: lief.PE.Import, entry: lief.PE.ImportEntry, rva: int):
pe: lief.PE.Binary, imp: lief.PE.Import, entry: lief.PE.ImportEntry, rva: int
):
# print(f"{imp.name}!{entry.name}: 0x{rva:010x}") # print(f"{imp.name}!{entry.name}: 0x{rva:010x}")
for call in filter( for call in filter(lambda x: x["name"] == f"{imp.name.upper()}!{entry.name}", calls):
lambda x: x["name"] == f"{imp.name.upper()}!{entry.name}", calls
):
patch_instr_to_new_IAT_entry(pe, call, rva) patch_instr_to_new_IAT_entry(pe, call, rva)
# patch additional non-call related info # patch additional non-call related info
print(entry.name) print(entry.name)
for func in filter( for func in filter(lambda x: x["name"] == entry.name and x["dll"] == imp.name, procaddr_list):
lambda x: x["name"] == entry.name and x["dll"] == imp.name, procaddr_list
):
# print(func["name"]) # print(func["name"])
patch_addr_found_in_mem(pe, rva, func["addr"]) patch_addr_found_in_mem(pe, rva, func["addr"])
@ -158,10 +133,7 @@ def get_list_of_procaddr_functions(prevwave_info):
# first only including imported dlls # first only including imported dlls
res_new = {} res_new = {}
for export in api_info: for export in api_info:
if ( if export["dllname"] in dll_calls_list and export["exportname"] == call["function"]:
export["dllname"] in dll_calls_list
and export["exportname"] == call["function"]
):
res_new = { res_new = {
"name": export["exportname"], "name": export["exportname"],
"dll": export["dllname"], "dll": export["dllname"],