Skip to content

Import adding

hasherezade edited this page Jan 24, 2023 · 14 revisions

PE-bear allows for manual adding of new imports into the import table. To do so, you can follow this small tutorial.

Step 1 - Make a space by adding a new section

In order to accomodate a new record, the Import Table needs to have sufficient free space at the end. Usually this is not the case. That's why the first step will be to move the table into a new location. Firstly, we will create a section where we want to move our table.

Right click on the PE tree view, and select from a menu option of adding a new section.

Step 2 - Copy the RVA of the new section

Step 3 - Move the table into the new section

Step 4 - Add a new library record

Now, since the table can accommodate a new record, we are free to add it.

Click 'Add new library' to add a new record:

Step 5 - Fill the RVAs in the new record

Before we will be able to fill the information in, we need to manually define where in the PE we want to store it, by pointing to appropriate RVAs.

Fill the new record by valid RVAs[*] pointing to an empty space within the PE, sufficient to fit the appropriate element in. At least NameRVA and FirstThunk must be filled:

*-before edit, make sure that "Follow on click" is disabled - otherwise PE-bear will attempt to follow the invalid address, and you will be blocked from editing the field:

Step 6 - Type a library name

Step 7 - Add a function to the new library

When you filled FirstThunk you can add new function. Select the library and click 'Add a function to the library'.

A new record will appear - start by filling the thunk.

Step 8 - Fill the new import's name

If you want to import by name, you must fill the thunk by valid RVA.

Then, fill the function name