Import adding
PE-bear allows you to manually add new imports to the import table. To do so, you can follow this small tutorial.
In order to accommodate a new record, the Import Table needs to have sufficient free space at the end. Usually this is not the case. That's why the first step is to move the table to a new location. First, we will create a section into which we want to move our table.
Right-click on the PE tree view and select the option to add a new section from the menu.
Now, since the table can accommodate a new record, we are free to add it.
Click 'Add new library' to add a new record:
Before we can fill in the information, we need to manually define where in the PE we want to store it, by pointing to the appropriate RVAs.
Fill the new record with valid RVAs[*] pointing to empty space within the PE that is large enough to fit the appropriate element. At least NameRVA and FirstThunk must be filled:
[*] Before editing, make sure that "Follow on click" is disabled; otherwise PE-bear will attempt to follow the invalid address, and you will be blocked from editing the field:
Once you have filled FirstThunk, you can add a new function. Select the library and click 'Add a function to the library'.
A new record will appear - start by filling the thunk.
If you want to import by name, you must fill the thunk with a valid RVA.
Then, fill in the function name.
~ hasherezade (@hasherezade), 2022 ~
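The following is an added example, not part of the original tutorial and not PE-bear's code. It shows what the fields filled in above point to on disk, by resolving one import record and rejecting RVAs that do not fit. `Region`, `resolve_descriptor` and `build_sample` are hypothetical names; the sample data is constructed, and 8-byte PE32+ thunks are assumed.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<5I")
ORDINAL_FLAG64 = 1 << 63  # PE32+ thunk: high bit set means import by ordinal

class Region:
    """Flat chunk of image data mapped at base_rva (stand-in for the new section)."""
    def __init__(self, base_rva, data):
        self.base, self.data = base_rva, data

    def off(self, rva, size):
        o = rva - self.base
        if rva == 0 or o < 0 or o + size > len(self.data):
            raise ValueError(f"RVA {rva:#x} (+{size}) does not fit in the region")
        return o

    def cstr(self, rva):
        o = self.off(rva, 1)
        end = self.data.find(b"\0", o)
        if end < 0:
            raise ValueError(f"string at RVA {rva:#x} is not NUL-terminated")
        return self.data[o:end].decode("ascii")

def resolve_descriptor(region, desc_rva):
    """Follow one import record; return (library name, list of imports)."""
    oft, _ts, _fwd, name_rva, first_thunk = DESC.unpack_from(
        region.data, region.off(desc_rva, DESC.size))
    dll = region.cstr(name_rva)            # NameRVA -> NUL-terminated DLL name
    region.off(first_thunk, 8)             # FirstThunk must be filled and valid
    rva, imports = oft or first_thunk, []  # on disk both arrays normally match
    while True:
        (thunk,) = struct.unpack_from("<Q", region.data, region.off(rva, 8))
        if thunk == 0:                     # zero thunk terminates the array
            return dll, imports
        if thunk & ORDINAL_FLAG64:
            imports.append(("ordinal", thunk & 0xFFFF))
        else:                              # RVA of IMAGE_IMPORT_BY_NAME: u16 Hint + name
            region.off(thunk, 3)
            imports.append(("name", region.cstr(thunk + 2)))
        rva += 8

def build_sample():
    """Constructed sample: one record for user32.dll importing MessageBoxA by name."""
    base, buf = 0x5000, bytearray(0x100)
    DESC.pack_into(buf, 0x00, 0, 0, 0, base + 0x30, base + 0x40)  # NameRVA, FirstThunk
    buf[0x30:0x3B] = b"user32.dll\0"
    struct.pack_into("<QQ", buf, 0x40, base + 0x60, 0)             # thunk + terminator
    buf[0x60:0x6E] = b"\0\0MessageBoxA\0"                          # Hint=0, then name
    return Region(base, bytes(buf))
```

Calling `resolve_descriptor(build_sample(), 0x5000)` returns the library name and its single by-name import; a record with an empty FirstThunk or a thunk RVA outside the region raises `ValueError`.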