CHimpREC

From aldeid

Description

CHimpREC (The Cheap Imports Reconstructor) is developed by TiGa of ARTeam. The tool was first presented at ReCon 2008 in Montreal.

Some of the features:

  • The first universal 64-bit imports rebuilder
  • 32-bit version included
  • Interface similar to ImpREC
  • Integrated 32/64-bit process dumper
  • IAT AutoSearch from ImageBase or OEP
  • Unshuffle thunks function
  • Manual imports editor

Some limitations

  • No plugin support yet
  • No AutoTrace feature
  • No disassembler

CHimpREC can be used to dump a packed executable from memory in order to obtain its unpacked version.

Installation

Prerequisites

The Visual Studio 2005 SP1 redistributable package is required.

CHimpREC

Download link: http://www.woodmann.com/collaborative/tools/images/Bin_CHimpREC_2008-6-24_13.59_CHimpREC.zip

Usage

Dump process in memory

  • Start the executable (e.g. malware to unpack) and run CHimpREC.
  • Select the process to dump from the dropdown list
  • Click "Dump" and Save the file

(Screenshot: CHimpREC.png)

With this approach:

  • you get a dumped executable that is the unpacked version
  • you can analyze the strings it contains

but:

  • you won't be able to run the file
  • you will most likely get an error like the following when opening it in a disassembler such as IDA Pro:

(Screenshot: Ida-pro-iat-error.png)

This is because the Import Address Table (IAT) of the dump is invalid: its entries hold the function addresses that were resolved in the running process rather than import entries the loader can resolve again.

Fix Import Address Table (IAT)

To fix it, you can:

  1. use the "IAT Autosearch" feature to locate the original import table
  2. click on "Get Imports"
  3. and then on "Fix Dump"

During this process, CHimpREC will ask you for the dumped executable and will save the fixed version in the same directory, with an underscore ("_") appended to the file name.
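To make the two points above concrete (why the raw dump cannot be loaded, and what "Get Imports" followed by "Fix Dump" achieve), here is an added example written for this page; it is not CHimpREC's code. It builds a toy 32-bit image whose IAT holds resolved addresses and whose import directory was wiped, classifies the IAT slots, and rebuilds descriptors, import lookup table and hint/name table from a constructed export map that stands in for the DLLs loaded in the target process. All addresses, RVAs and the section layout are assumptions made for the example.

```python
import struct

IMAGE_SIZE = 0x2000                      # toy image spans RVAs 0x0000..0x1FFF (assumed)
IAT_RVA, IAT_SIZE = 0x1200, 0x18         # what "IAT AutoSearch" would report (assumed)
IMPORT_DIR_RVA, ILT_RVA, NAMES_RVA = 0x1000, 0x1100, 0x1300   # free space for rebuilt tables
ORDINAL_FLAG = 0x80000000

# Constructed export map (address -> module, function) standing in for the export
# tables a rebuilder reads from the DLLs loaded in the process. Addresses are made up.
EXPORTS = {
    0x7C801A28: ("kernel32.dll", "CreateFileA"),
    0x7C80180E: ("kernel32.dll", "ReadFile"),
    0x7C809BD7: ("kernel32.dll", "CloseHandle"),
    0x77D5B08C: ("user32.dll", "MessageBoxA"),
}

def make_dump():
    """Toy memory dump: per-DLL IAT blocks hold resolved addresses, each block is
    null-terminated, and the import directory the packer discarded is all zeros."""
    img = bytearray(IMAGE_SIZE)
    for i, value in enumerate([0x7C801A28, 0x7C80180E, 0x7C809BD7, 0, 0x77D5B08C, 0]):
        struct.pack_into("<I", img, IAT_RVA + 4 * i, value)
    return bytes(img)

def classify_iat(img, iat_rva=IAT_RVA, iat_size=IAT_SIZE):
    """Label each IAT slot: 'rva' (loadable hint/name pointer), 'absolute' (resolved
    pointer, only meaningful inside the dumped process), 'ordinal' or 'end'."""
    slots = []
    for rva in range(iat_rva, iat_rva + iat_size, 4):
        value = struct.unpack_from("<I", img, rva)[0]
        if value == 0:
            kind = "end"
        elif value & ORDINAL_FLAG:
            kind = "ordinal"
        elif value < IMAGE_SIZE:
            kind = "rva"
        else:
            kind = "absolute"
        slots.append((rva, value, kind))
    return slots

def is_loadable(img):
    """The loader can only re-resolve slots holding RVAs or ordinals; this is the
    check a disassembler effectively fails on a raw dump."""
    return all(kind != "absolute" for _, _, kind in classify_iat(img))

def rebuild_imports(img, exports=EXPORTS):
    """Map resolved addresses back to DLL!name, write a hint/name table, one ILT per
    DLL block and a descriptor table, and turn the IAT slots back into RVAs."""
    img = bytearray(img)
    blocks, current = [], []
    for rva, value, kind in classify_iat(img):
        if kind == "end":
            if current:
                blocks.append(current)
            current = []
        elif kind == "absolute":
            if value not in exports:
                raise ValueError(f"unresolved IAT slot at RVA 0x{rva:X}: 0x{value:08X}")
            current.append((rva, *exports[value]))
        else:
            raise ValueError(f"slot at RVA 0x{rva:X} already holds {kind}, nothing to fix")
    if current:
        blocks.append(current)
    names_off, ilt_off, desc_off = NAMES_RVA, ILT_RVA, IMPORT_DIR_RVA
    for block in blocks:
        dlls = {dll for _, dll, _ in block}
        if len(dlls) != 1:
            raise ValueError(f"IAT block mixes modules: {sorted(dlls)}")
        dll_rva, blob = names_off, dlls.pop().encode() + b"\0"
        img[names_off:names_off + len(blob)] = blob
        names_off += len(blob) + (len(blob) & 1)          # keep entries word-aligned
        ilt_start = ilt_off
        for slot_rva, _, func in block:
            entry = struct.pack("<H", 0) + func.encode() + b"\0"   # hint 0: resolve by name
            img[names_off:names_off + len(entry)] = entry
            struct.pack_into("<I", img, ilt_off, names_off)       # ILT entry -> hint/name
            struct.pack_into("<I", img, slot_rva, names_off)      # IAT slot is an RVA again
            ilt_off += 4
            names_off += len(entry) + (len(entry) & 1)
        ilt_off += 4                                              # ILT null terminator (buffer is zero)
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        struct.pack_into("<IIIII", img, desc_off, ilt_start, 0, 0, dll_rva, block[0][0])
        desc_off += 20                                            # table ends with the zero descriptor
    return bytes(img)

def parse_imports(img, import_dir_rva=IMPORT_DIR_RVA):
    """Read the import directory back the way a loader would: {dll: [function, ...]}."""
    result, off = {}, import_dir_rva
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", img, off)
        if ilt == 0 and iat == 0:
            return result
        funcs = []
        while (entry := struct.unpack_from("<I", img, ilt)[0]) != 0:
            funcs.append(img[entry + 2:img.index(b"\0", entry + 2)].decode())
            ilt += 4
        result[img[name_rva:img.index(b"\0", name_rva)].decode()] = funcs
        off += 20

if __name__ == "__main__":
    dump = make_dump()
    print("raw dump loadable:", is_loadable(dump))
    fixed = rebuild_imports(dump)
    print("fixed dump loadable:", is_loadable(fixed), parse_imports(fixed))
```

The rebuild assumes the IAT slots are grouped per DLL and null-separated, which is how compilers lay them out; a slot whose address is in no known export table raises instead of being silently dropped, which is the case where CHimpREC's manual imports editor would be used. In a real rebuilder the new tables go into an appended section and the data directory is updated; here they are simply written into free space of the toy image.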

Limitations

  • The fixed version of the dumped process might still not be executable
  • However, you can now open it in a disassembler (IDA Pro won't complain about the IAT this time)
