hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Patch analyze bug? #102

Closed luciouskami closed 2 years ago

luciouskami commented 2 years ago

Hi, I've used pe-sieve (version 0.3.4) to scan the process, but some results of patches are not correct. For example:

```
1e0105;addr_replaced_31->cccccccc;4
```

```json
     {
      "rva" : "1e0105",
      "size" : 4,
      "is_hook" : 1,
      "hook_target" : {
       "module" : "0",
       "rva" : "cccccccc",
       "status" : 0
      }
```

Both the hook type and the RVA are not correct; the correct RVA may be:

```json
{
   "rva" : "1e0100",
}
```
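The check a reader of this report would want to run themselves, as an added example that is not pe-sieve's own code and not part of the original issue: diff the dumped in-memory module against the on-disk copy to find where each patched run really starts, then decode a 5-byte `E9 rel32` near jump at that start. The byte sequences below (`DISK_A`/`MEM_A`, `DISK_B`/`MEM_B`), the RVAs and the jump targets are constructed for illustration; they are not taken from the attached dumps. The example also shows two failure modes: decoding from 5 bytes past the true start lands on filler bytes instead of the jump, and a patch byte that coincidentally equals the original splits one patch into two runs unless short gaps are merged.

```python
"""Locate patched byte runs by diffing memory vs. disk, then decode E9 jmps.
Added example; not pe-sieve code. All sample bytes/RVAs are constructed."""
import struct
from typing import List, Optional, Tuple

Patch = Tuple[int, int, bytes]  # (rva, size, bytes found in memory)


def find_patches(disk: bytes, mem: bytes, base_rva: int = 0,
                 merge_gap: int = 0) -> List[Patch]:
    """Return every maximal run where `mem` differs from `disk`.

    `base_rva` is the RVA of offset 0 of both buffers. Runs separated by
    at most `merge_gap` identical bytes are merged, so a patch whose bytes
    happen to coincide with the original at one position is not split.
    """
    if len(disk) != len(mem):
        raise ValueError("disk and memory views must cover the same range")
    runs: List[Tuple[int, int]] = []  # (offset, length)
    i, n = 0, len(disk)
    while i < n:
        if disk[i] == mem[i]:
            i += 1
            continue
        start = i
        while i < n and disk[i] != mem[i]:
            i += 1
        if runs and start - (runs[-1][0] + runs[-1][1]) <= merge_gap:
            prev_start = runs[-1][0]          # bridge the short identical gap
            runs[-1] = (prev_start, i - prev_start)
        else:
            runs.append((start, i - start))
    return [(base_rva + off, ln, mem[off:off + ln]) for off, ln in runs]


def decode_jmp_rel32(rva: int, code: bytes) -> Optional[int]:
    """If `code` starts with an x86/x64 E9 rel32 near jmp, return its target
    RVA (next-instruction RVA + signed rel32, 32-bit wrapped); else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (rva + 5 + rel) & 0xFFFFFFFF


# --- Constructed sample A: 9-byte inline hook at RVA 0x1e0100 -----------
# On-disk prologue (mov [rsp+8],rbx; mov [rsp+0x10],rsi; push rdi; sub rsp,0x20)
DISK_A = bytes.fromhex("48895c240848897424105748 83ec20")
# In memory: E9 jmp to RVA 0x2a0000 followed by four 0xCC filler bytes.
MEM_A = bytes.fromhex("e9fbfe0b00cccccccc") + DISK_A[9:]
BASE_A = 0x1E0100

# --- Constructed sample B: patch byte coincides with the original --------
# On-disk: push ebp; mov ebp,esp; sub esp,0x10; push ebx; push esi
DISK_B = bytes.fromhex("558bec83ec105356")
# In memory: E9 rel32=0x0000EC10; byte 2 (0xEC) equals the original byte.
MEM_B = bytes.fromhex("e910ec0000") + DISK_B[5:]
BASE_B = 0x1000


def analyze_sample_a():
    """Patch start, jmp target at the true start, and what a decode 5 bytes
    too late sees (filler, so no jmp is recognised)."""
    patches = find_patches(DISK_A, MEM_A, BASE_A)
    rva, size, data = patches[0]
    return {
        "patch_rva": rva,
        "patch_size": size,
        "target_from_start": decode_jmp_rel32(rva, data),
        "target_from_start_plus_5": decode_jmp_rel32(rva + 5, data[5:]),
    }


def analyze_sample_b():
    """Without gap merging the 5-byte jmp shows up as two runs; with
    merge_gap=1 it is reported as one 5-byte patch and decodes correctly."""
    split = find_patches(DISK_B, MEM_B, BASE_B)
    merged = find_patches(DISK_B, MEM_B, BASE_B, merge_gap=1)
    rva, _, data = merged[0]
    return {
        "split_runs": [(r, s) for r, s, _ in split],
        "merged_runs": [(r, s) for r, s, _ in merged],
        "target": decode_jmp_rel32(rva, data),
    }


if __name__ == "__main__":
    for name, res in (("A", analyze_sample_a()), ("B", analyze_sample_b())):
        print(name, {k: (hex(v) if isinstance(v, int) else v) for k, v in res.items()})
```

Against a real report, `disk` is the matching section of the on-disk DLL mapped to its virtual layout and `mem` is the same range from the dump; compare the run start returned here with the `rva` pe-sieve reports, and only trust a `hook_target` that decodes from the run's first byte. A target such as `cccccccc` usually means the decoder was reading filler, not a jump.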
luciouskami commented 2 years ago

5 bytes difference. (screenshot: pic1)

luciouskami commented 2 years ago

Dumps here: process_23520.zip; DLLs on disk: dlls.zip

luciouskami commented 2 years ago

My bad, sorry for the confusion.