import immlib
imm = immlib.Debugger()

# Jump (import thunk) tables to walk, as (base address, entry count).
# These addresses are specific to the binary this script was written
# against and must be re-taken for any other sample.
jmp_table1, table1_entries = 0x4011F4, 35
jmp_table2, table2_entries = 0x401330, 8
jmp_table3, table3_entries = 0x405D88, 278

# Module name of the debuggee without its extension (demo.exe -> demo).
# The tracer uses it to recognise when a walked address has left the
# main image. Everything after the first '.' is dropped, so a module
# name that itself contains a dot would be truncated here.
filename = imm.getDebuggedName().partition('.')[0]
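def traceImport(start, max_trace=10, debugger=None, module_name=None):
    """Follow the jump chain starting at *start* until it leaves the debuggee.

    Import thunks in a packed or obfuscated binary frequently reach the real
    API through a short chain of jumps inside the main image. This walks that
    chain one instruction at a time and stops at the first address whose
    decoded form no longer starts with the debuggee's module name, i.e. the
    first address that is presumably inside another module (the imported DLL).

    Args:
        start: address of the thunk to trace.
        max_trace: maximum number of instructions to follow before giving up.
            Besides bounding runtime it also terminates self-referencing jump
            loops, which otherwise would spin forever.
        debugger: Immunity debugger handle; defaults to the module-level
            ``imm`` so existing callers need no change.
        module_name: debuggee module name without extension; defaults to the
            module-level ``filename``.

    Returns:
        The first address outside the debuggee, or -1 if no such address was
        reached within *max_trace* instructions. Both outcomes are logged next
        to *start* so the entry can be located in the disassembly.
    """
    dbg = imm if debugger is None else debugger
    name = filename if module_name is None else module_name
    addr = start
    for _ in range(max_trace):
        # NOTE(review): relies on decodeAddress() prefixing symbols with the
        # owning module's name -- confirm for the Immunity version in use.
        decode = dbg.decodeAddress(addr)
        # Leaving the main image means we reached the real import target.
        if not decode.startswith(name):
            dbg.log('[.] %08X -> %s (%08X)' % (start, decode, addr), address=start)
            return addr
        op = dbg.disasm(addr)
        if op.isJmp() or op.isConditionalJmp():
            # A conditional jump is assumed to be taken; the fall-through path
            # is never explored. That is fine for plain thunks but can mislead
            # on stubs that deliberately branch both ways.
            addr = op.getJmpConst()
        else:
            addr += op.getSize()
    # Budget exhausted without leaving the module: flag the entry for manual
    # inspection rather than guessing.
    dbg.log('[!] %08X -> TRACING FAILED...' % start, address=start, highlight=True)
    return -1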
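def _trace_table(base, entries, stride=8):
    """Trace every thunk of one jump table; returns [(thunk_addr, target), ...]."""
    return [(base + i * stride, traceImport(base + i * stride)) for i in range(entries)]


def rebuildImports():
    """Trace every entry of the three known jump tables and log the results.

    The tables are walked in order with a blank log line between them, and
    entries are taken 8 bytes apart. Each thunk is handed to traceImport(),
    which logs the resolved target -- or a failure marker -- itself.

    Returns:
        One list per table of (thunk_address, resolved_target) tuples, with
        resolved_target == -1 for entries traceImport() could not follow.
        Callers that ignore the return value see the same logging as before.
    """
    tables = [
        (jmp_table1, table1_entries),
        (jmp_table2, table2_entries),
        (jmp_table3, table3_entries),
    ]
    results = []
    for idx, (base, count) in enumerate(tables):
        if idx:
            imm.log('')  # blank separator between consecutive tables
        results.append(_trace_table(base, count))
    return results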
def main(args):
    """Script entry point: trace all import tables and report completion.

    ``args`` is accepted for the entry-point signature but not used here
    (presumably the argument list the debugger hands to the script -- confirm).
    """
    banner = '[*] Rebuilding imports...'
    imm.log(banner)
    rebuildImports()
    return 'Done'