Lately I have wanted to fix my Reveal Imports plugin. I wrote it some months ago while I was checking a piece of malware (click here for the full story); it's buggy and it only works on some malware samples.
The bad news is that I lost the source code... yes, it sometimes happens. It's not the end of the world, because if you were able to code a buggy program you should be able to write a new buggy one!

The idea of the new plugin is the same: it reveals the imports of a dumped process loaded inside IDA.

[Screenshot: plugin_reveal_imports]

In general, with a dump whose import table has not been rebuilt you'll have trouble guessing what kind of code you will face after an instruction like "jmp 7C810DA6": the loader has already resolved the import slots to absolute addresses inside the DLLs mapped in the dumped process, so IDA shows a bare address instead of an API name (and that address only means something relative to the DLL layout of the process the dump came from). The plugin comes in handy when you need to analyze a dump without first rebuilding the file with an external tool (e.g. Import REconstructor).

Using the plugin is easy: first save it inside the IDA plugins directory. Load the dump in IDA, move the cursor into the section containing the code you want to check and hit ALT+Z to reveal the hidden imports. If there's something to reveal, a window will appear showing the result.
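The core of what "revealing" an import means can be shown outside IDA. The following is an added example, not the plugin's code and not something from the original post: it scans a constructed x86 code section for `call`/`jmp` forms that carry an absolute target, either a direct `E8`/`E9` rel32 into a DLL (the "jmp 7C810DA6" case above) or an indirect `FF 15`/`FF 25` through a former IAT slot that still holds the loader-resolved pointer, and maps each target to `module!export` against a module table. The module bases, sizes, export RVAs and the code bytes are all made up for the example; a real plugin would take them from the loaded-module list of the dumped process (IDA's debugger or export data) and would walk IDA's disassembly instead of trying every byte offset.

```python
import struct

# Constructed module map for the example: base, size and export RVAs are made up,
# they are NOT the real layout of these DLLs. A real plugin would read them from
# the dump's loaded-module list or from IDA's debugger/export data.
MODULES = {
    "kernel32.dll": {"base": 0x7C800000, "size": 0x000F6000,
                     "exports": {0x10DA6: "GetProcAddress", 0x1D77B: "LoadLibraryA"}},
    "user32.dll":   {"base": 0x7E410000, "size": 0x00091000,
                     "exports": {0x2A4DF: "MessageBoxA"}},
}

def build_dump():
    """Construct a tiny 'dumped process': a code section whose calls go through
    absolute IAT slots plus one direct jmp into a DLL. All bytes are hypothetical."""
    code_va, iat_va = 0x401000, 0x403000
    code = b""
    code += b"\xFF\x15" + struct.pack("<I", iat_va)            # call dword ptr [0x403000]
    rel = (0x7C810DA6 - (code_va + len(code) + 5)) & 0xFFFFFFFF
    code += b"\xE9" + struct.pack("<I", rel)                   # jmp 7C810DA6 (direct, absolute target)
    code += b"\x90"                                            # nop
    code += b"\xFF\x25" + struct.pack("<I", iat_va + 4)        # jmp dword ptr [0x403004]
    rel = (code_va - (code_va + len(code) + 5)) & 0xFFFFFFFF
    code += b"\xE8" + struct.pack("<I", rel)                   # call 0x401000 (intra-image, not an import)
    code += b"\xC3"                                            # ret
    iat = struct.pack("<III", 0x7C81D77B, 0x7E43A4DF, 0)       # slots as the loader left them
    return {code_va: code, iat_va: iat}

def read_dword(mem, va):
    """Read a little-endian dword from the dump's memory regions (None if unmapped)."""
    for base, data in mem.items():
        if base <= va and va + 4 <= base + len(data):
            return struct.unpack_from("<I", data, va - base)[0]
    return None

def resolve(va):
    """Map an absolute address to module!export, with +offset if it lands past an export
    (useful for hooked or mid-function targets). None if no known module contains it."""
    for name, m in MODULES.items():
        if m["base"] <= va < m["base"] + m["size"]:
            rva = va - m["base"]
            lower = [r for r in m["exports"] if r <= rva]
            if not lower:
                return f"{name}+{rva:#x}"
            best = max(lower)
            off = rva - best
            return f"{name}!{m['exports'][best]}" + (f"+{off:#x}" if off else "")
    return None

def reveal_imports(mem, code_va):
    """Heuristic scan (not a disassembler): try every offset for call/jmp forms that
    carry an absolute target and keep only those landing inside a known module.
    Returns a list of (instruction_va, mnemonic, target_va, symbol)."""
    code = mem[code_va]
    found = []
    for i in range(len(code)):
        op = code[i]
        if op == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            target = read_dword(mem, slot)                     # pointer stored in the slot
            mnem = "call" if code[i + 1] == 0x15 else "jmp"
            mnem += f" dword ptr [{slot:#010x}]"
        elif op in (0xE8, 0xE9) and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (code_va + i + 5 + rel) & 0xFFFFFFFF       # rel32 is relative to next insn
            mnem = "call" if op == 0xE8 else "jmp"
            mnem += f" {target:#010x}"
        else:
            continue
        sym = resolve(target) if target is not None else None
        if sym:                                                # drops intra-image and junk matches
            found.append((code_va + i, mnem, target, sym))
    return found

if __name__ == "__main__":
    for va, mnem, target, sym in reveal_imports(build_dump(), 0x401000):
        print(f"{va:#010x}  {mnem:<30} -> {sym}")
```

The byte-at-every-offset scan deliberately produces candidates that are not real instructions (the `E8` rel32 at the end of the sample overlaps the `ret`); the filter "target must fall inside a known module" is what throws them away, which is also why the result is only as good as the module table it is resolved against.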

It's the first release and it's far from perfect. Anyway, if you like the idea of the plugin you can help me by reporting every kind of bug/problem/strange behaviour it has. This time I'll try to fix/improve it.

Download