Sp1k3r1s/DeLazyImporter
# DeLazyImporter
DeLazyImporter is a free and open source deobfuscator for [lazy_importer](https://github.com/JustasMasiulis/lazy_importer), the popular C++ import obfuscation/hashing library created by Justas Masiulis.
It is designed to simplify reverse engineering and malware analysis by automatically resolving and reconstructing obfuscated imports generated by `lazy_importer`.
This project was heavily inspired by and compared against [lazy-import-deobfuscator](https://github.com/mmert11/lazy-import-deobfuscator) and uses it as a reference source for implementation ideas and testing.
## Features
* Resolves `lazy_importer` hashed imports
* Detects and reconstructs obfuscated API calls
* Works with multiple import resolution patterns
* Built for reverse engineering workflows
* Uses the Zydis disassembler library for instruction decoding
* Uses LIEF for PE parsing and binary analysis
* Lightweight and easy to integrate
* Open source and free to use
## Dependencies
DeLazyImporter relies on the following libraries:
* [Zydis](https://github.com/zyantific/zydis) — fast x86/x64 disassembler library
* [LIEF](https://github.com/lief-project/LIEF) — library for parsing and modifying executable formats
* [lazy_importer](https://github.com/JustasMasiulis/lazy_importer) — target obfuscation library
* [lazy-import-deobfuscator](https://github.com/mmert11/lazy-import-deobfuscator) — reference project used for comparison and inspiration
## What is lazy_importer?
`lazy_importer` is a header-only library that hides imports and resolves Windows APIs dynamically at runtime to make reverse engineering harder.
Typical goals of `lazy_importer` include:
* Removing imports from the PE import table
* Avoiding plaintext API names in binaries
* Making static analysis more difficult
* Producing smaller and more obfuscated assembly
Example usage from `lazy_importer`:
```cpp
LI_FN(MessageBoxA)(0, "Hello", "Title", MB_OK);
```
Instead of using a normal imported function, the API is resolved dynamically through hashed export lookups.
## Purpose
DeLazyImporter reverses this process by:
1. Identifying lazy import resolver patterns
2. Disassembling resolver code using Zydis
3. Recovering hashed API names
4. Resolving the original imported functions
5. Replacing or annotating obfuscated calls
This makes binaries significantly easier to analyze in tools like:
* IDA Pro
* Ghidra
* Binary Ninja
* x64dbg
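Step 3 above (recovering hashed API names) comes down to hashing every export name of a candidate module and matching the result against the constant read from the resolver. The sketch below is an added example, not code from DeLazyImporter or `lazy_importer`: it assumes a 32-bit FNV-1a style hash with a per-build seed and optional case folding, and `hash_name`, `build_index`, `resolve`, the export list and the seed are hypothetical or constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <unordered_map>
#include <vector>

// Assumed hash: 32-bit FNV-1a over the export name, starting from a per-build
// seed. Confirm prime, seed and case folding against the target's resolver loop.
std::uint32_t hash_name(const std::string& name, std::uint32_t seed, bool fold_case) {
    std::uint32_t h = seed;
    for (unsigned char c : name) {
        if (fold_case && c >= 'A' && c <= 'Z') c = static_cast<unsigned char>(c + 32);
        h = (h ^ c) * 16777619u;
    }
    return h;
}

using HashIndex = std::unordered_map<std::uint32_t, std::vector<std::string>>;

// Maps hash -> every export name producing it. Collisions are kept so the
// analyst sees the ambiguity instead of a silently wrong name.
HashIndex build_index(const std::vector<std::string>& exports, std::uint32_t seed, bool fold_case) {
    HashIndex idx;
    for (const auto& e : exports) idx[hash_name(e, seed, fold_case)].push_back(e);
    return idx;
}

// Returns "module!Name", "module!A|B" when several names collide, or "" if unknown.
std::string resolve(const HashIndex& idx, const std::string& module, std::uint32_t hash) {
    auto it = idx.find(hash);
    if (it == idx.end()) return "";
    std::string out = module + "!";
    for (std::size_t i = 0; i < it->second.size(); ++i)
        out += (i ? "|" : "") + it->second[i];
    return out;
}

int main() {
    // Constructed sample: a few export names and a seed standing in for the
    // values a real run would take from the module's export table and resolver.
    const std::vector<std::string> exports = {"VirtualAlloc", "VirtualFree", "LoadLibraryA"};
    const std::uint32_t seed = 2166136261u;  // standard FNV offset basis, used here as the seed
    const HashIndex idx = build_index(exports, seed, false);
    // Stands in for the immediate operand recovered from the disassembled resolver.
    const std::uint32_t recovered = hash_name("VirtualAlloc", seed, false);
    std::printf("%08x -> %s\n", static_cast<unsigned>(recovered),
                resolve(idx, "kernel32", recovered).c_str());
    return 0;
}
```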
## Comparison
Compared against:
* [lazy-import-deobfuscator](https://github.com/mmert11/lazy-import-deobfuscator)
The main goal of this project is to make the deobfuscation process as optimised as possible.
## Installation
```bash
git clone https://github.com/YOUR_USERNAME/DeLazyImporter.git
cd DeLazyImporter
```
Build using your preferred compiler or IDE.
Example using CMake:
```bash
mkdir build
cd build
cmake ..
cmake --build .
```
## Usage
Example:
```
DeLazyImporter.exe target.exe
```
Or integrate it into your reverse engineering pipeline/toolchain.
## Example Output
Before:
```asm
call sub_140001000
```
After:
```asm
call kernel32!VirtualAlloc
```
## Why?
`lazy_importer` is commonly used in:
* Malware
* Game cheats
* Packers
* Protectors
* Obfuscated software
While useful for legitimate software protection, it also complicates malware analysis and reverse engineering. DeLazyImporter exists to make analysis easier and faster.
## Disclaimer
This project is intended for:
* Reverse engineering
* Malware analysis
* Security research
* Educational purposes
Use responsibly and only where legally permitted.