Reverse Engineering: Rebuilding the IAT

Malware is sometimes packed in order to make it harder to analyse. Sometimes the author deliberately alters the IAT (Import Address Table) so that a dump of the unpacked code does not behave as expected and becomes very hard to disassemble.

Follow this process to rebuild the IAT:

Load the malware into a debugger/disassembler (OllyDbg or IDA).

Locate the OEP (Original Entry Point).

Dump the process (e.g. with OllyDumpEx).

Attach a tool like Scylla to the process while it is paused in the debugger.

Use its IAT search function to locate the IAT.

Use Fix Dump to write the rebuilt IAT into the dumped file.

Now you can reload the fixed process into the debugger/disassembler and continue to reverse.

If Scylla does not find the IAT, use other tools.
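To show what the "search IAT" and "Fix Dump" steps above actually look at, here is an added example (not part of the original post or of Scylla): a runtime IAT is a dense run of pointers into other loaded modules, while a correctly fixed on-disk IAT holds RVAs or ordinals below SizeOfImage. The module map, image base and dumped bytes are all constructed for illustration.

```python
import struct

PTR = 8  # pointer size of a 64-bit process

# Constructed module map, as an analyst would read it off the debugger's
# module list. Addresses are made up and do not describe any real sample.
MODULES = {
    "kernel32.dll": (0x7FFA10000000, 0x7FFA100B0000),
    "ntdll.dll":    (0x7FFA12000000, 0x7FFA121F0000),
}
IMAGE_BASE = 0x400000  # constructed base of the dumped image

def module_for(addr):
    """Return the name of the loaded module whose range contains addr, else None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None

def find_iat(mem, base, min_len=3):
    """Locate the IAT in a dumped region: the longest run of consecutive
    pointer-sized values that all point into loaded modules. Returns
    (virtual address of the run, [(offset, module), ...]) or None."""
    best, run = None, []
    for off in range(0, len(mem) - PTR + 1, PTR):
        val = struct.unpack_from("<Q", mem, off)[0]
        mod = module_for(val)
        if mod:
            run.append((off, mod))
            continue
        if len(run) >= min_len and (best is None or len(run) > len(best)):
            best = run
        run = []
    if len(run) >= min_len and (best is None or len(run) > len(best)):
        best = run
    return None if best is None else (base + best[0][0], best)

def iat_is_fixed(entries, size_of_image):
    """After Fix Dump, each IAT slot on disk is either an ordinal import
    (high bit set) or an RVA below SizeOfImage. Any absolute runtime
    address left behind means the dump will not load correctly."""
    ordinal_flag = 1 << 63
    return all((v & ordinal_flag) or v < size_of_image for v in entries)

# Constructed dump slice: two non-pointer values, four imported function
# pointers (the IAT), then a zero terminator and more unrelated data.
SAMPLE_DUMP = struct.pack("<QQ", 0x4889E5, 0)
SAMPLE_DUMP += struct.pack("<QQQQ", 0x7FFA10001234, 0x7FFA10005678,
                           0x7FFA120000AB, 0x7FFA1000CDEF)
SAMPLE_DUMP += struct.pack("<QQ", 0, 0x12345678)

if __name__ == "__main__":
    va, run = find_iat(SAMPLE_DUMP, IMAGE_BASE)
    print(f"IAT candidate at {va:#x}: {[m for _, m in run]}")
```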
