This PE file has had its import address table destroyed. However, all of the function addresses are in the following _rdata section:



Is there any direct way to rename these functions?

#1

Use a tool like Scylla to rebuild the import table before dumping the process's memory to disk.



#2

In the debugger, select the import table and run idc\renimp.idc

The comment at the top of the file:

/*
   Rename imports.

   This script renames entries of a dynamically built import table.
   For example, from a table like this:

      dd offset ntdll_NtPowerInformation
      dd offset ntdll_NtInitiatePowerAction
      dd offset ntdll_NtSetThreadExecutionState
      dd offset ntdll_NtRequestWakeupLatency
      dd offset ntdll_NtGetDevicePowerState
      dd offset ntdll_NtIsSystemResumeAutomatic
      dd offset ntdll_NtRequestDeviceWakeup
      dd offset ntdll_NtCancelDeviceWakeupRequest
      dd offset ntdll_RtlQueryRegistryValues


   it will create a table like this:

      NtPowerInformation dd offset ntdll_NtPowerInformation
      NtInitiatePowerAction dd offset ntdll_NtInitiatePowerAction
      NtSetThreadExecutionState dd offset ntdll_NtSetThreadExecutionState
      NtRequestWakeupLatency dd offset ntdll_NtRequestWakeupLatency
      NtGetDevicePowerState dd offset ntdll_NtGetDevicePowerState
      NtIsSystemResumeAutomatic dd offset ntdll_NtIsSystemResumeAutomatic
      NtRequestDeviceWakeup dd offset ntdll_NtRequestDeviceWakeup
      NtCancelDeviceWakeupRequest dd offset ntdll_NtCancelDeviceWakeupRequest
      RtlQueryRegistryValues dd offset ntdll_RtlQueryRegistryValues

   Usage: select the import table and run the script.

   Known problems: if the dll name contains an underscore, the function
   names might be incorrect. Special care is taken for the ws2_32.dll but
   other dlls will have wrong function names.

*/
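The renaming step that renimp.idc performs, reimplemented below as an added example (this is not IDA's bundled script and not code from the answer above). The pure functions run outside IDA on constructed input; the small IDAPython wrapper at the end is an assumption about the IDA 7.4+ API (idc.read_selection_start/end, idc.get_name, idc.set_name, idaapi.inf_is_64bit) and only does anything inside IDA. It also handles the "dll name contains an underscore" problem from the script header generically, by trying a list of known underscore-containing module stems before falling back to the first-underscore split the original script uses:

```python
"""
Pure-Python re-implementation of the renaming step in idc/renimp.idc,
plus an optional IDAPython wrapper. Added example, not part of the
original thread or of IDA's bundled script.

Assumptions (not from the original post):
  * import-table slots hold a DWORD (32-bit) or QWORD (64-bit) pointer;
  * each pointer already resolves to an IDA name of the form
    "<module>_<Function>" (the same input renimp.idc expects);
  * KNOWN_MODULES lists module stems that contain underscores, so the
    "dll name contains an underscore" problem from the script header is
    handled for any listed module instead of only for ws2_32.dll.
"""
import re

# Module stems that contain an underscore; longest first so the longest
# prefix wins. Extend this list for the modules your target actually loads.
KNOWN_MODULES = sorted(["ws2_32", "msvcp_win"], key=len, reverse=True)


def strip_module_prefix(target_name, known_modules=KNOWN_MODULES):
    """Return the bare API name from an IDA name like "ntdll_NtClose".

    renimp.idc splits at the first underscore, which mangles e.g.
    "ws2_32_socket" into "32_socket". Here every known underscore-containing
    module is tried as a prefix first, then the first-underscore split.
    """
    for mod in known_modules:
        if target_name.startswith(mod + "_"):
            return target_name[len(mod) + 1:]
    _module, sep, func = target_name.partition("_")
    return func if sep else target_name


def rename_table(slots):
    """Map each slot address to the name it should receive.

    `slots` is a list of (slot_ea, target_name) pairs. Slots whose target
    has no name (None / empty) are skipped, as are duplicates of a name
    already assigned in this table (IDA would reject the duplicate anyway)
    and anything that is not a valid identifier.
    """
    assigned = {}
    seen = set()
    for ea, target_name in slots:
        if not target_name:
            continue
        name = strip_module_prefix(target_name)
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name) or name in seen:
            continue
        seen.add(name)
        assigned[ea] = name
    return assigned


def rename_selection_in_ida():
    """IDAPython glue; only meaningful inside IDA (assumed IDA 7.4+ API).

    Usage: select the import table in the disassembly view, then call this.
    Returns the number of slots examined.
    """
    import idaapi, idc  # imported here so the module still loads outside IDA
    start, end = idc.read_selection_start(), idc.read_selection_end()
    ptr_size = 8 if idaapi.inf_is_64bit() else 4
    read_ptr = idc.get_qword if ptr_size == 8 else idc.get_wide_dword
    slots = [(ea, idc.get_name(read_ptr(ea))) for ea in range(start, end, ptr_size)]
    for ea, name in rename_table(slots).items():
        idc.set_name(ea, name, idc.SN_NOCHECK | idc.SN_NOWARN)
    return len(slots)
```

The fallback branch reproduces the original script's known problem on purpose, so a module that is missing from KNOWN_MODULES fails the same way renimp.idc does; add the stem to the list rather than special-casing it in code.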


#3

You are most likely working from a process dump. Those addresses will depend on the Windows version and Service Pack. If you have the chance to run it in a VM, try Volatility. Run procdump and then impscan. impscan can give you an IDC that renames those addresses to their respective API names.

This method works well even with non-PE injected code. com/volatilityfoundation/volatility/wiki/Command%20Reference%20Mal#impscan
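What impscan does with the dumped region, shown as an added example that is not Volatility's code and not part of the answer above: walk a memory region in pointer-sized steps, resolve every value that lands exactly on a known exported function, and emit an IDC script that names the slots in IDA. The module layout, export tables and the 16-byte IAT-like region are constructed for the example (the real tool walks the process's loaded modules and their PE export directories itself), and the IDC shape, `#include <idc.idc>` plus `MakeName(...)` calls, is an assumption about the output format rather than a claim about impscan's exact bytes:

```python
"""
Offline illustration of Volatility impscan: resolve pointer-sized slots in
a dumped region to "module!export" and emit an IDC script that names them.
Added example, not Volatility code. MODULES and REGION are constructed.
"""
import struct

# Constructed module map: module name -> (base, size, {rva: export_name}).
# Assumed addresses; a real run takes these from the process's loaded modules.
MODULES = {
    "ntdll.dll":    (0x77D00000, 0x180000, {0x1A2B0: "NtPowerInformation",
                                           0x1B450: "RtlQueryRegistryValues"}),
    "kernel32.dll": (0x75C00000, 0x0F0000, {0x2F1C0: "CreateFileW",
                                           0x30A90: "WriteFile"}),
}


def build_export_index(modules):
    """Flatten the per-module export tables into {absolute_va: (module, func)}."""
    index = {}
    for mod, (base, _size, exports) in modules.items():
        for rva, name in exports.items():
            index[base + rva] = (mod, name)
    return index


def scan_imports(region, region_base, export_index, ptr_size=4):
    """Walk `region` (bytes) in pointer-sized, pointer-aligned steps.

    Returns a list of (slot_va, target_va, module, func) for slots whose
    value is exactly a known export (an exact match, no fuzzy resolution).
    Values that hit no export, such as data or junk, are ignored.
    """
    fmt = "<I" if ptr_size == 4 else "<Q"
    hits = []
    for off in range(0, len(region) - ptr_size + 1, ptr_size):
        (value,) = struct.unpack_from(fmt, region, off)
        if value in export_index:
            mod, func = export_index[value]
            hits.append((region_base + off, value, mod, func))
    return hits


def to_idc(hits):
    """Render hits as an IDC script (assumed shape; idc.idc supplies MakeName)."""
    lines = ["#include <idc.idc>", "static main(void) {"]
    for slot, _target, mod, func in hits:
        # Prefix with the module stem so two modules exporting the same
        # name (e.g. memcpy) cannot collide in the IDB.
        lines.append('    MakeName(0x%08X, "%s_%s");' % (slot, mod.split(".")[0], func))
    lines.append("}")
    return "\n".join(lines)


# Constructed IAT-like region at 0x00402000: three real slots, one junk slot.
REGION_BASE = 0x00402000
REGION = struct.pack("<4I",
                     0x77D00000 + 0x1A2B0,   # ntdll!NtPowerInformation
                     0x75C00000 + 0x2F1C0,   # kernel32!CreateFileW
                     0xDEADBEEF,             # resolves to no export: ignored
                     0x77D00000 + 0x1B450)   # ntdll!RtlQueryRegistryValues


def demo():
    """Scan the constructed region and return (hits, idc_script)."""
    hits = scan_imports(REGION, REGION_BASE, build_export_index(MODULES))
    return hits, to_idc(hits)


if __name__ == "__main__":
    found, script = demo()
    for slot, target, mod, func in found:
        print("0x%08X -> 0x%08X %s!%s" % (slot, target, mod, func))
    print(script)
```

Because the match is exact, the resolution is only as good as the module bases and export tables it was given, which is why the answer notes that the addresses depend on the Windows version and Service Pack: analyse the dump with the same profile the process was actually running under.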