Closed: hasherezade closed this issue 5 years ago
Addressed in the commits:
1) https://github.com/hasherezade/pe-sieve/commit/8d9e20957eef997e45a98be96e0174e8d85e8a1c
2) https://github.com/hasherezade/pe-sieve/commit/2a8345b9c2ed908a10c8ad343d239aad566791dc
3) https://github.com/hasherezade/pe-sieve/commit/85bee894e543540ed34e754bfc7972c45164c631
4) https://github.com/hasherezade/pe-sieve/commit/07b40ea9c04126e5a2fbb45ca635cf8b2815e088
All of the above is implemented. Additionally, the module is marked with 0 (if not detected as suspicious) or 1 (if detected as suspicious).
Test cases
Case 1: c999ab160f652e1c6980c50507e1aacb9058d3aa359c92dd74bf3fc5ae5fd47b - KeygenMe v7 by MaxXor
Case 2: 5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e - Floki Bot
How it is
The hooks are tagged in the following way:
We can see the offset where the hook is installed and the name of the hooked function. The hook target is represented by its VA. However, finding the module that the hook leads to requires manual analysis.
How it should be
The target module should be mentioned in the report, i.e.:
or, if the hook leads to an unnamed implant, it should be marked as unnamed:
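The attribution step requested above, as an added example that is not pe-sieve's own code: each hook's target VA is looked up against the list of loaded modules, and a hook whose target falls outside every known module (the case of an unnamed implant) is tagged "unnamed". The module list, the hooks and the exact tag format (`offset;function->target_va[module]`) are constructed here for illustration and are not taken from pe-sieve's report format.

```python
"""Resolve hook targets to their owning module for a hook report.

Added example, not pe-sieve's code. Models the report improvement from the
issue: a hook's target VA is attributed to the loaded module that owns it,
or marked "unnamed" when no known module contains that address.
All module ranges and hooks below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    """A loaded module: name plus its [base, base + size) address range."""
    name: str
    base: int
    size: int

    def contains(self, va: int) -> bool:
        # Half-open range: the byte at base + size belongs to the next region.
        return self.base <= va < self.base + self.size


@dataclass(frozen=True)
class Hook:
    """A detected inline hook: where it was found and where it jumps to."""
    offset: int        # offset within the hooked module
    func_name: str     # exported function that was patched
    target_va: int     # VA the patched code transfers control to


# Constructed module list (addresses are illustrative, not from a real process).
MODULES: List[Module] = [
    Module("ntdll.dll", 0x7FFE1B000000, 0x1F0000),
    Module("kernel32.dll", 0x7FFE1A000000, 0xB0000),
    Module("keygenme.exe", 0x400000, 0x30000),
]


def resolve_module(va: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose range contains va, or None if nothing owns it."""
    for mod in modules:
        if mod.contains(va):
            return mod
    return None


def tag_hook(hook: Hook, modules: List[Module]) -> str:
    """Format one hook line, naming the target module or 'unnamed'.

    The tag format is an assumption made for this example.
    """
    owner = resolve_module(hook.target_va, modules)
    target = owner.name if owner else "unnamed"
    return f"{hook.offset:x};{hook.func_name}->{hook.target_va:x}[{target}]"


def tag_hooks(hooks: List[Hook], modules: List[Module]) -> List[str]:
    """Tag every hook in a report."""
    return [tag_hook(h, modules) for h in hooks]


def count_unnamed_targets(hooks: List[Hook], modules: List[Module]) -> int:
    """Number of hooks whose target lies outside every known module.

    Such targets are the ones that previously needed manual analysis.
    """
    return sum(1 for h in hooks if resolve_module(h.target_va, modules) is None)


if __name__ == "__main__":
    # Constructed hooks: one into a known module, one into unmapped-to-any-module memory.
    sample_hooks = [
        Hook(0x1234, "NtCreateFile", 0x7FFE1A001000),   # lands in kernel32.dll
        Hook(0x5678, "NtOpenProcess", 0x12340000),      # lands in an unnamed region
    ]
    for line in tag_hooks(sample_hooks, MODULES):
        print(line)
```

Running the block prints one tag line per hook; the second line carries the `[unnamed]` marker because no entry in `MODULES` covers its target. In a real scan the module list would come from the process's loaded-module enumeration, and the half-open range check in `Module.contains` matters there: an address exactly at `base + size` belongs to whatever follows, not to the module.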