search

glmcdona / Process-Dump

Windows tool for dumping malware PE files from memory back to disk for analysis.
http://split-code.com/processdump.html
MIT License
1.63k stars 261 forks source link

All zeros in some regions #11

Closed xchgrbprsp closed 7 years ago

xchgrbprsp commented 7 years ago

Don't know if I should post a question here but I get zeros in some regions of the dump file when there is clearly executable code in those regions according to CE. I know little about segments and how they are arranged and loaded into memory and I've been struggling figuring out what the problem was.

glmcdona commented 7 years ago

Hi Yuping,

Could you try running process dump from command prompt like "pd.exe -pid 0x -v &> log.txt". The '-v' enables verbose mode, and it should log what it is thinking to log.txt. Could you send this with me, along with the address you are talking about? Which version of Process Dump are you using?

Thanks,

Geoff

On Sun, Jan 22, 2017 at 2:57 PM, Yuping Liang notifications@github.com wrote:

Don't know if I should post a question here but I get zeros in some regions of the dump file when there is clearly executable code in those regions according to CE. I know little about segments and how they are arranged and loaded into memory and I've been struggling figuring out what the problem was.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/glmcdona/Process-Dump/issues/11, or mute the thread https://github.com/notifications/unsubscribe-auth/AC6mXrqIepsFEo59o69QTnv_WxO1OM2Tks5rU7S2gaJpZM4Lqe9y .

xchgrbprsp commented 7 years ago

The missing region turns out to be the entire last section and I got this warning in the output: "Large section size for section 10 of 0x1649000 being truncated to 0x1648800 to fit within the image size. This could be as a result of a custom code to load a library by means other than LoadLibrary()."

I added some printfs in the function process_disk_image in pe_header.cpp and messed around with the code a bit and found out the problem seemed to be that larger_image_size was not aligned while VirtualSize was, which made larger_image_size smaller than VirtualAddress + SizeOfRawData in the _test_read check for the last section. I then replaced the line larger_image_size = this->_image_size + new_section_size; with larger_image_size =_section_align((DWORD)_image_size, _header_pe64->OptionalHeader.SectionAlignment) + new_section_size; and everything worked.

I'm not sure if it's the correct way to fix it though.

glmcdona commented 7 years ago

Thanks, great analysis! I think your adjustment is right, I will have a look in detail at the code and think on it before committing it. I'm surprised it left the entire section empty as a result of this as well, I need to review the code surrounding that truncation error.

glmcdona commented 7 years ago

Fixed. This will be released in pd v2.1 which I should have built and uploaded shortly. Thanks for finding the root cause and proposing a solution!