hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

In artefacts scan: misaligned offsets of artefacts #25

Closed hasherezade closed 5 years ago

hasherezade commented 5 years ago

Test case

e757457b62788c658d38e4d77a0c8cfd5272c5690389e6f51bf4349795311c63

Problem

PE Image Base was found after section headers: section_hdrs_after_base

Dumped memory region: 55a075c86f2529613dd7df289d2fb6e828fa2e50b6f0be6d483d29f5393d5c90

Comment

A possible reason was that the memory area contained some bogus artefacts that misguided the scan. This kind of situation should be prevented by additional checks.
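One shape the "additional checks" could take is a consistency test between the artefacts recognised in a dumped region, rejecting a candidate where the section headers are not where the DOS and NT headers say they should be. This is an added example, not pe-sieve's own code; the `ArtefactOffsets` struct, the helpers and the constructed sample region are all hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Layout constants for the consistency check (hypothetical helper, not pe-sieve's own code).
constexpr uint32_t kDosMagic = 0x5A4D;       // "MZ"
constexpr uint32_t kNtMagic = 0x00004550;    // "PE\0\0"
constexpr size_t kFileHeaderSize = 20;       // sizeof(IMAGE_FILE_HEADER)
constexpr size_t kOptHdrSizeField = 4 + 16;  // Signature + offset of SizeOfOptionalHeader

// Offsets (within one dumped memory region) of the artefacts a scan has recognised.
struct ArtefactOffsets {
    size_t image_base;    // where the DOS header ("MZ") was found
    size_t nt_headers;    // where the "PE\0\0" signature was found
    size_t section_hdrs;  // where the first section header was found
};

// Bounds-checked little-endian read of up to 4 bytes.
static bool read_le(const std::vector<uint8_t>& buf, size_t off, size_t n, uint32_t& out) {
    if (n > 4 || off > buf.size() || n > buf.size() - off) return false;
    out = 0;
    for (size_t i = 0; i < n; ++i) out |= uint32_t(buf[off + i]) << (8 * i);
    return true;
}

// True only if the three artefacts describe one PE: MZ precedes PE precedes section
// headers, PE sits at MZ + e_lfanew, and the section table starts right after the
// optional header. Bogus artefacts (e.g. stray section headers found before the
// image base, as in this issue) fail this check and should not be trusted.
bool artefacts_consistent(const std::vector<uint8_t>& region, const ArtefactOffsets& a) {
    uint32_t v = 0;
    if (!read_le(region, a.image_base, 2, v) || v != kDosMagic) return false;
    if (!read_le(region, a.nt_headers, 4, v) || v != kNtMagic) return false;
    if (!(a.image_base < a.nt_headers && a.nt_headers < a.section_hdrs)) return false;
    uint32_t e_lfanew = 0;
    if (!read_le(region, a.image_base + 0x3C, 4, e_lfanew)) return false;
    if (e_lfanew != a.nt_headers - a.image_base) return false;
    uint32_t opt_size = 0;
    if (!read_le(region, a.nt_headers + kOptHdrSizeField, 2, opt_size)) return false;
    return a.nt_headers + 4 + kFileHeaderSize + opt_size == a.section_hdrs;
}

// Constructed sample: a minimal header skeleton placed at `base` inside a zeroed region.
std::vector<uint8_t> make_region(size_t base, uint16_t opt_size) {
    std::vector<uint8_t> r(base + 0x400, 0);
    r[base] = 'M'; r[base + 1] = 'Z';
    r[base + 0x3C] = 0x80;                         // e_lfanew = 0x80
    size_t pe = base + 0x80;
    r[pe] = 'P'; r[pe + 1] = 'E';                  // "PE\0\0"
    r[pe + kOptHdrSizeField] = uint8_t(opt_size);  // SizeOfOptionalHeader (LE)
    r[pe + kOptHdrSizeField + 1] = uint8_t(opt_size >> 8);
    return r;
}
```

With a consistent layout the check passes; with section headers placed before the image base, as in the dump above, it fails and the candidate can be discarded before dumping.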

hasherezade commented 5 years ago

Fixed:

The same sample scanned with the improved scanner: workingset_scan