glmcdona / Process-Dump

Windows tool for dumping malware PE files from memory back to disk for analysis.
http://split-code.com/processdump.html
MIT License

Cannot dump some 32-bit .NET exe files that run as 64-bit JIT code, like Reflector.exe #13

Closed sonyps5201314 closed 4 years ago

sonyps5201314 commented 7 years ago

Below is the bugfix patch:


diff --git "a/Z:\\Temp\\TortoiseGit\\pe_header-413a51b.001.cpp" "b/M:\\Open_Code\\Process-Dump\\pd\\pe_header.cpp"
index c55a956..29d613d 100644
--- "a/Z:\\Temp\\TortoiseGit\\pe_header-413a51b.001.cpp"
+++ "b/M:\\Open_Code\\Process-Dump\\pd\\pe_header.cpp"
@@ -720,10 +720,14 @@ bool pe_header::process_pe_header( )
                        {
                            // We are unsure if we need to process this as a 32bit or 64bit PE header, lets figure it out.
                            // The first part is independent of the 32 or 64 bit definition.
-                           if( ((IMAGE_NT_HEADERS64*) base_pe)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 )
+                           
+                           // previous conditional judgment is wrong, now need to be commented out
+                           // previous can not dump some  .net exe module,like Reflector.exe
+                           //if( ((IMAGE_NT_HEADERS64*) base_pe)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 )
                            {
                                // 32bit module
                                this->_header_pe32 = ((IMAGE_NT_HEADERS32*) base_pe);
+                               this->_header_pe64 = NULL;

                                if( _header_pe32->Signature == 0x4550 && _header_pe32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC )
                                {
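Review bot: turning the `if( ... FileHeader.Machine == IMAGE_FILE_MACHINE_I386 )` line into a comment leaves a bare `{ ... }` compound statement whose body now runs unconditionally, while the dead condition stays in the file as a comment and misleads the next reader about the control flow. State the new intent directly, e.g. `if( ((IMAGE_NT_HEADERS32*) base_pe)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC )`, and delete the commented-out lines instead of keeping them. Reading `OptionalHeader.Magic` before the layout is known is safe because `FileHeader` is identical in IMAGE_NT_HEADERS32 and IMAGE_NT_HEADERS64 and `Magic` is the first field of both optional-header layouts, so it sits at the same offset either way; the Machine field was never needed to locate it. Separately, the `diff --git` header and `---`/`+++` lines carry absolute `Z:\Temp\TortoiseGit\...` and `M:\Open_Code\...` paths, so this patch will not apply with `git apply` against the repository tree; please regenerate it from the working copy (e.g. `git diff pd/pe_header.cpp`).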
@@ -733,11 +737,12 @@ bool pe_header::process_pe_header( )
                                    return true;
                                }
                            }
-                           else if( ((IMAGE_NT_HEADERS64*) base_pe)->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 ||
-                               ((IMAGE_NT_HEADERS64*) base_pe)->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
+                           //else if( ((IMAGE_NT_HEADERS64*) base_pe)->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 ||
+                           //  ((IMAGE_NT_HEADERS64*) base_pe)->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
                            {
                                // 64bit module
                                this->_header_pe64 = ((IMAGE_NT_HEADERS64*) base_pe);
+                               this->_header_pe32 = NULL;

                                if( _header_pe64->Signature == 0x4550 && _header_pe64->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC )
                                {
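Review bot: with the `else if` reduced to a comment, the `// 64bit module` block is now a plain statement that executes whenever the 32-bit check above fell through without returning, so a PE32+ header is accepted regardless of `FileHeader.Machine`; that is the behaviour the issue asks for, but `this->_header_pe64 = ((IMAGE_NT_HEADERS64*) base_pe);` is still assigned before the `Signature == 0x4550 && OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC` test, so when that test fails the member is left pointing at an unvalidated buffer. Read `Magic` through a local pointer and assign `_header_pe64` only inside the branch that passed the check, and replace the two commented-out `else if` lines with an explicit `Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC` condition rather than relying on fall-through.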
@@ -747,7 +752,7 @@ bool pe_header::process_pe_header( )
                                    return true;
                                }
                            }
-                           else
+                           //else
                            {
                                // error
                            }
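Review bot: the `// error` block is reached only after both magic checks failed, and at that point `_header_pe64` still holds `base_pe` from the preceding block while `_header_pe32` is NULL, so a failed parse leaves a dangling 64-bit header pointer for later code to dereference; set both `_header_pe32` and `_header_pe64` to NULL here, and consider recording the unexpected `OptionalHeader.Magic` value so the analyst can see why the module was skipped. The `//else` followed by a bare block is another dead-condition comment and should simply be removed.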
glmcdona commented 7 years ago

Thanks for reporting this. I've repro'd here locally. The changes above didn't come through well, but it looks like you figured it out. Looking at the header processing, it looks like the solution might be only checking the characteristics for IMAGE_NT_OPTIONAL_HDR32_MAGIC/IMAGE_NT_OPTIONAL_HDR64_MAGIC instead of looking at FileHeader.Machine. Will test and commit the change afterwards.
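
The Magic-based selection proposed in the comment above, written out as an added example; this is not Process-Dump's code and not the commit that closed the issue. The struct and constants are minimal stand-ins for the Windows SDK definitions (same field order, sizes and values) so it builds without windows.h, the host is assumed little-endian like every Windows target, the header bytes are constructed rather than captured from a process, and `classify_by_machine` is the pre-patch Machine-first rule reconstructed from the removed diff lines, placed beside the Magic-only rule so the two can be compared on headers whose Machine and Magic disagree.

```c
/* Added example (not Process-Dump code): PE32 vs PE32+ from OptionalHeader.Magic
 * alone, compared with the pre-patch rule that branched on FileHeader.Machine. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_NT_SIGNATURE            0x00004550u   /* "PE\0\0" */
#define IMAGE_FILE_MACHINE_I386       0x014c
#define IMAGE_FILE_MACHINE_IA64       0x0200
#define IMAGE_FILE_MACHINE_AMD64      0x8664
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define NT_HDR_BUF                    64            /* size of the constructed header buffer */

typedef struct {                 /* stand-in for IMAGE_FILE_HEADER, 20 bytes */
    uint16_t Machine;
    uint16_t NumberOfSections;
    uint32_t TimeDateStamp;
    uint32_t PointerToSymbolTable;
    uint32_t NumberOfSymbols;
    uint16_t SizeOfOptionalHeader;
    uint16_t Characteristics;
} FILE_HEADER;

typedef struct {                 /* common prefix of IMAGE_NT_HEADERS32 and IMAGE_NT_HEADERS64 */
    uint32_t    Signature;
    FILE_HEADER FileHeader;
    uint16_t    Magic;           /* first field of both optional-header layouts */
} NT_HEADERS_PREFIX;

typedef enum { PE_INVALID = 0, PE_32 = 32, PE_64 = 64 } pe_kind;

/* Magic sits at the same offset (24) whichever layout applies, so it can be read
 * before the layout is known; the Machine field is not needed to find it. */
int magic_offset(void) { return (int)offsetof(NT_HEADERS_PREFIX, Magic); }

/* Pre-patch rule (reconstructed from the diff's '-' lines): branch on Machine first,
 * then confirm Signature and Magic. A header whose Machine disagrees with its Magic
 * is rejected, which is the failure the issue reports. */
pe_kind classify_by_machine(const uint8_t *base_pe, size_t len)
{
    NT_HEADERS_PREFIX h;
    if (base_pe == NULL || len < sizeof h) return PE_INVALID;
    memcpy(&h, base_pe, sizeof h);                 /* no unaligned or aliasing access */
    if (h.FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
        return (h.Signature == IMAGE_NT_SIGNATURE && h.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) ? PE_32 : PE_INVALID;
    if (h.FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 || h.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
        return (h.Signature == IMAGE_NT_SIGNATURE && h.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) ? PE_64 : PE_INVALID;
    return PE_INVALID;
}

/* Magic-only rule: the optional-header Magic is what fixes the header layout, so it
 * alone selects PE32 vs PE32+. Machine is still reported via *machine_mismatch. */
pe_kind classify_by_magic(const uint8_t *base_pe, size_t len, int *machine_mismatch)
{
    NT_HEADERS_PREFIX h;
    pe_kind kind;
    uint16_t expected_machine;
    if (base_pe == NULL || len < sizeof h) return PE_INVALID;
    memcpy(&h, base_pe, sizeof h);
    if (h.Signature != IMAGE_NT_SIGNATURE) return PE_INVALID;
    switch (h.Magic) {
    case IMAGE_NT_OPTIONAL_HDR32_MAGIC: kind = PE_32; expected_machine = IMAGE_FILE_MACHINE_I386;  break;
    case IMAGE_NT_OPTIONAL_HDR64_MAGIC: kind = PE_64; expected_machine = IMAGE_FILE_MACHINE_AMD64; break;
    default: return PE_INVALID;                    /* ROM images and garbage land here */
    }
    if (machine_mismatch) *machine_mismatch = (h.FileHeader.Machine != expected_machine);
    return kind;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

/* Writes a constructed (not captured) NT header prefix into buf. */
void build_nt_header(uint8_t *buf, uint16_t machine, uint16_t magic)
{
    memset(buf, 0, NT_HDR_BUF);
    put32(buf + 0,  IMAGE_NT_SIGNATURE);
    put16(buf + 4,  machine);                                            /* FileHeader.Machine */
    put16(buf + 20, magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC ? 240 : 224);  /* SizeOfOptionalHeader */
    put16(buf + 24, magic);                                              /* OptionalHeader.Magic */
}

/* Builds one constructed header and classifies its first len bytes with either rule. */
pe_kind classify_constructed(uint16_t machine, uint16_t magic, int magic_rule, size_t len)
{
    uint8_t buf[NT_HDR_BUF];
    build_nt_header(buf, machine, magic);
    if (len > sizeof buf) len = sizeof buf;
    return magic_rule ? classify_by_magic(buf, len, NULL) : classify_by_machine(buf, len);
}

/* 1 when the Magic-only rule accepts the header but Machine disagrees with Magic. */
int machine_disagrees_with_magic(uint16_t machine, uint16_t magic)
{
    uint8_t buf[NT_HDR_BUF];
    int mismatch = 0;
    build_nt_header(buf, machine, magic);
    return classify_by_magic(buf, sizeof buf, &mismatch) != PE_INVALID && mismatch;
}

int main(void)
{
    static const struct { const char *name; uint16_t machine, magic; } cases[] = {
        { "PE32,  Machine=I386",  IMAGE_FILE_MACHINE_I386,  IMAGE_NT_OPTIONAL_HDR32_MAGIC },
        { "PE32+, Machine=AMD64", IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR64_MAGIC },
        { "PE32,  Machine=AMD64", IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR32_MAGIC }, /* fields disagree */
        { "PE32+, Machine=I386",  IMAGE_FILE_MACHINE_I386,  IMAGE_NT_OPTIONAL_HDR64_MAGIC }, /* fields disagree */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s machine-first: %2d  magic-only: %2d%s\n", cases[i].name,
               (int)classify_constructed(cases[i].machine, cases[i].magic, 0, NT_HDR_BUF),
               (int)classify_constructed(cases[i].machine, cases[i].magic, 1, NT_HDR_BUF),
               machine_disagrees_with_magic(cases[i].machine, cases[i].magic) ? "  (Machine disagrees with Magic)" : "");
    return 0;
}
```

The Machine-first rule returns PE_INVALID for the two constructed headers whose fields disagree, while the Magic-only rule classifies them by layout and merely flags the disagreement; both rules reject a buffer shorter than the common prefix, which matters when the header is read from a partially unmapped region of a live process.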

glmcdona commented 4 years ago

Fixed with this commit: https://github.com/glmcdona/Process-Dump/commit/07782e5e5b868bf80258fba5e20dd7cf0a1cc498