CHimpREC
Jump to navigation
Jump to search
Description
CHimpREC (The Cheap Imports Reconstructor) is developed by TiGa of ARTeam. The tool has first been presented at ReCon 2008 in Montreal.
Some of the features:
- The first universal 64-bit imports rebuilder
- 32-bit version included
- Interface similar to ImpREC
- Integrated 32/64-bit process dumper
- IAT AutoSearch from ImageBase or OEP
- Unshuffle thunks function
- Manual imports editor
Some limitations
- No plugin support yet
- No AutoTrace feature
- No disassembler
CHimpREC can be used to dump a packed executable in memory in order to gather the unpacked version.
Installation
Prerequisites
The Visual Studio 2005 SP1 redistributable package is required:
- x86: http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
- x64: http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en
CHimpREC
Download link: http://www.woodmann.com/collaborative/tools/images/Bin_CHimpREC_2008-6-24_13.59_CHimpREC.zip
Usage
Dump process in memory
- Start the executable (e.g. malware to unpack) and run CHimpREC.
- Select the process to dump from the dropdown list
- Click "Dump" and Save the file
Using this approach:
- you will get a dumped executable which is an unpacked version
- You will be able to analyze strings it contains
but
- You won't be able to run the file
- You will most likely get such errors when trying to open it in a disassembler such as IDA Pro:
It's because the Import Address Table (IAT) is incorrect.
Fix Import Address Table (IAT)
To fix it, you can:
- use the "IAT Autosearch" feature to locate the original import table
- click on "Get Imports"
- and then on "Fix Dump"
During this process, CHimpREC will ask you to provide the dumped executable and will save the fixed version under the same directory, with an underscore ("_") at the end of the file name.
Limitations
- The fixed version of the dumped process might still not be executable
- However, you can now open it in a disassembler (IDA Pro won't complain about IAT this time)