hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Dumping the new trickbot module - import reconstruction does not seem to work #31

Closed hodgav closed 5 years ago

hodgav commented 5 years ago

Hi, the new trickbot variant (SHA256: 374ef83de2b254c4970b830bb93a1dd79955945d24b824a0b35636e14355fe05) spawns 4 instances of svchost.exe.

The 2nd instance contains the new password grabbing module (pwgrab32). I ran: pesieve-32.exe /pid PID_OF_SVCHOST /imp. The version is 0.1.6 (x86) and I ran it on Windows 7 32-bit. It indeed dumped the DLL located at 0x10000000, but it was missing its imports. I tried the various dump modes, but none of them helped to solve the issue.

I tried to do the same operation with Process-Dump (https://github.com/glmcdona/Process-Dump) and it worked just fine - imports were successfully reconstructed.

In the zip file below you can find the new trickbot variant, along with the relevant dumps from both pe-sieve and Process-Dump. The password is: trickbot

https://ufile.io/x7oyw

hasherezade commented 5 years ago

Thank you for reporting. I reproduced it, and it will be fixed as soon as I get some free time. The problem lies in the fact that the RVA of the import table is erased, and PE-sieve mistakenly interprets it as the PE not having any imports. This is from the dump: [screenshot: dumped_trick] While this is from the original pwgrab32.dll: [screenshot: original_trick] I have ideas on how to fix it, but I am currently busy, so please be patient. I will keep you updated.

hasherezade commented 5 years ago

BTW - in fact only the import table's RVA is erased. But the import table itself is untouched - still present in the binary. So it does not need to be reconstructed, it just needs to be found.

hasherezade commented 5 years ago

Please check the latest builds (attached to the README) and let me know if it helped.

hodgav commented 5 years ago

Please check the latest builds (attached to the README) and let me know if it helped.

I have checked it now and it works fine, thank you! :)

hodgav commented 5 years ago

@hasherezade Hi, I tested it again and looked carefully into the imports. I found out that some imports are missing. For example, I see no imports from kernel32.dll, although this DLL imports many functions from it, for example: FindFirstFileA.

In the zip file below you can find both of the dumps, again one from the updated pe-sieve and one from ProcessDumper. The password is: trickbot

https://ufile.io/4lmbw

hasherezade commented 5 years ago

You are right, thanks for noticing! I hope my latest fix solves the problem, please check the latest builds and let me know: https://github.com/hasherezade/pe-sieve/blob/master/README.md (BTW - please note that this particular feature is different from reconstruction of a fully damaged import table. Reconstruction from scratch will also be done soon, but it is another issue. I want to use and rebuild the original one whenever possible, and do the full reconstruction only if there is no other option.)

hodgav commented 5 years ago

I tested it again, the imports from kernel32.dll appear now.

However, I noticed now that none of the imports from vaultcli.dll appear.

When I open the DLL dumped by ProcessDumper in IDA, I don't see any of the functions from vaultcli.dll in the imports tab, but you can see they are used (check sub_1000A68A), and you can see them too in PE-Bear.

In the DLL dumped by pe-sieve you can't see them - not in PE-Bear, not in the IDA imports tab and not inside sub_1000A68A.

hasherezade commented 5 years ago

This is not a bug, because that DLL was not present in the original import table. Please check the original modules: trick_modules.zip or this particular module: pwgrab32.dll. The above modules are in their raw form, not dumped from memory but decoded from the dropped files using the trickbot decoder. The differences between the dump from ProcessDumper and PE-sieve come from the fact that they are doing different types of recovery. PE-sieve searches for the original import table and recovers it to its original form. ProcessDumper doesn't even try to find artefacts from the original table; it just builds a fully new table from all the imported addresses it can find, even if they were loaded later.
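The two comments above (the one noting that only the import table's RVA is erased while the descriptors remain in the image, and this one contrasting "find and reuse the original table" with "rebuild a new table from resolved addresses") describe a recovery strategy that is easy to show on a small PE. The following is an added example written for this thread; it is not pe-sieve's code and does not reproduce its heuristics. It builds a constructed PE32 image in mapped layout (fake DLL names, fake IAT addresses, no section table), zeroes only the import data-directory entry the way the comment describes, then locates the surviving IMAGE_IMPORT_DESCRIPTOR array by scanning for entries whose Name RVA points at a "*.dll" string and whose first INT entry resolves to a hint/name or ordinal, and finally writes the found RVA back into the directory. All helper names and the descriptor-validity heuristic are this example's own choices.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
DESC_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def _import_dir_offset(image):
    """Offset of the import data-directory entry (PE32 only, image in mapped layout)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                      # skip signature + IMAGE_FILE_HEADER
    return opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT


def read_import_directory(image):
    return struct.unpack_from("<II", image, _import_dir_offset(image))  # (rva, size)


def set_import_directory(image, rva, size):
    out = bytearray(image)
    struct.pack_into("<II", out, _import_dir_offset(out), rva, size)
    return bytes(out)


def read_cstring(image, rva, limit=256):
    """Printable, NUL-terminated ASCII string at rva, or None."""
    end = image.find(b"\0", rva, rva + limit)
    s = image[rva:end] if end > rva else b""
    return s.decode("ascii") if s and all(0x20 <= b < 0x7F for b in s) else None


def parse_import_descriptors(image, rva):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries at rva -> [(dll, [function, ...]), ...]."""
    result = []
    while rva + DESC_SIZE <= len(image):
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, rva)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                # terminating (all-zero) descriptor
        funcs, thunk = [], (oft or ft)           # names live in the INT; fall back to the IAT
        while thunk + 4 <= len(image):
            entry = struct.unpack_from("<I", image, thunk)[0]
            if entry == 0:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & 0x80000000  # import by ordinal
                         else read_cstring(image, entry + 2))             # skip the 2-byte hint
            thunk += 4
        result.append((read_cstring(image, name_rva), funcs))
        rva += DESC_SIZE
    return result


def _looks_like_descriptor(image, off):
    """Heuristic: Name points to a '*.dll' string, FirstThunk lies inside the image and,
    if OriginalFirstThunk is set, its first entry is a hint/name or an ordinal."""
    if off + DESC_SIZE > len(image):
        return False
    oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, off)
    dll = read_cstring(image, name_rva, 64) if 0 < name_rva < len(image) else None
    if dll is None or not dll.lower().endswith(".dll") or not 0 < ft < len(image):
        return False
    if oft == 0:
        return True
    if oft + 4 > len(image):
        return False
    first = struct.unpack_from("<I", image, oft)[0]
    return first != 0 and (bool(first & 0x80000000) or read_cstring(image, first + 2) is not None)


def find_import_descriptors(image):
    """Locate the longest run of plausible descriptors that ends in a zero terminator."""
    best = None
    for off in range(0, len(image) - DESC_SIZE, 4):
        count = 0
        while _looks_like_descriptor(image, off + count * DESC_SIZE):
            count += 1
        term = off + count * DESC_SIZE
        if count and image[term:term + DESC_SIZE] == bytes(DESC_SIZE):
            if best is None or count > best[1]:
                best = (off, count)
    return best                                  # (rva, descriptor count) or None


def recover_imports(image):
    """(rva, imports, recovered): use the directory entry when present, otherwise
    search the image for the original descriptors instead of building a new table."""
    rva, _size = read_import_directory(image)
    if rva:
        return rva, parse_import_descriptors(image, rva), False
    hit = find_import_descriptors(image)
    if hit is None:
        return 0, [], False
    return hit[0], parse_import_descriptors(image, hit[0]), True


def repair_image(image):
    """Write the located table back into the data directory (size = entries + terminator)."""
    rva, imports, recovered = recover_imports(image)
    return set_import_directory(image, rva, (len(imports) + 1) * DESC_SIZE) if recovered else image


def build_sample_image():
    """Constructed PE32 image in mapped layout (not a real binary): descriptors for
    kernel32.dll and user32.dll at RVA 0x1000, INTs at 0x1100, names at 0x1200, IATs at 0x1300."""
    img = bytearray(0x2000)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)               # i386, one section
    struct.pack_into("<H", img, 0x94, 0xE0)                    # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, 0x98 + 0x1C, 0x10000000)       # ImageBase
    struct.pack_into("<I", img, 0x98 + 0x38, len(img))         # SizeOfImage
    struct.pack_into("<IIIII", img, 0x1000, 0x1100, 0, 0, 0x1200, 0x1300)
    struct.pack_into("<IIIII", img, 0x1014, 0x1110, 0, 0, 0x1210, 0x1310)
    struct.pack_into("<III", img, 0x1100, 0x1400, 0x1420, 0)   # INT: hint/name RVAs
    struct.pack_into("<II", img, 0x1110, 0x1440, 0)
    img[0x1200:0x120D], img[0x1210:0x121B] = b"kernel32.dll\0", b"user32.dll\0"
    struct.pack_into("<III", img, 0x1300, 0x7C801A00, 0x7C801B00, 0)  # IAT after loading (fake addresses)
    struct.pack_into("<II", img, 0x1310, 0x7E400100, 0)
    for rva, name in ((0x1400, b"FindFirstFileA"), (0x1420, b"GetLastError"), (0x1440, b"MessageBoxA")):
        img[rva:rva + 3 + len(name)] = b"\0\0" + name + b"\0"  # hint + name
    return set_import_directory(bytes(img), 0x1000, 3 * DESC_SIZE)


def erase_import_directory(image):
    """Simulate the damage described in the issue: only the directory entry is zeroed."""
    return set_import_directory(image, 0, 0)


if __name__ == "__main__":
    damaged = erase_import_directory(build_sample_image())
    print("directory entry:", read_import_directory(damaged))
    rva, imports, recovered = recover_imports(damaged)
    print("descriptors at 0x%x, recovered=%s:" % (rva, recovered), imports)
```

On the damaged image the directory entry reads (0, 0), the scan still finds both descriptors at 0x1000, and repair_image puts the entry back as (0x1000, 60). Because the recovery reuses the original descriptors, a DLL whose functions were resolved later at runtime (the vaultcli.dll case above) will not appear, which is exactly the difference from a dumper that rebuilds a table from every resolved address it can find.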

hodgav commented 5 years ago

I understand, thanks again for the explanation and the fix!

hasherezade commented 5 years ago

Cool, feel free to close the issue whenever you think it is ready.