Closed hodgav closed 5 years ago
Thank you! I didn't reproduce it so far, but looking at the output I think I found the root cause. This is the IAT in the original DLL - at RVA 75278C (bigger address): And this is the IAT found by PE-sieve - at RVA 71831C (smaller address):
The second one is not the original IAT, just a secondary IAT constructed for the functions that are loaded later. But PE-sieve stopped searching on this - and just tried to find an import table that could cover this IAT. However, such import table does not exist, so we have in logs:
[*] Trying to find ImportTable for module: 615c0000
[!] Overwriting IAT address!
[-] ImportTable NOT found!
It will be fixed soon, stay tuned!
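To make the root cause above concrete, here is an added illustration (not PE-sieve's code, and not from this thread) of the two IAT-selection strategies. It builds a small constructed 32-bit in-memory image containing an import directory whose single descriptor covers an IAT at RVA 0x2000, plus a second thunk array of later-resolved pointers at the lower RVA 0x1800 that no descriptor describes. The module address range, the RVAs and the pointer values are all made up; only the IMAGE_IMPORT_DESCRIPTOR layout (20 bytes: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk) is the real PE format. Stopping at the first pointer run found reproduces the "ImportTable NOT found" outcome; continuing until a candidate is actually covered by the import directory picks the original IAT.

```python
import struct

DESC_SIZE = 20   # sizeof(IMAGE_IMPORT_DESCRIPTOR)
THUNK = 4        # sizeof(IMAGE_THUNK_DATA32): 32-bit image, as in the Windows 7 32-bit report

# Constructed (hypothetical) address range of a loaded module whose exports the IATs point into.
MODULES = {"KERNEL32.dll": (0x76000000, 0x76100000)}


def build_image():
    """Constructed in-memory image: one descriptor covering the real IAT at RVA 0x2000,
    and an undescribed secondary thunk array at the lower RVA 0x1800."""
    img = bytearray(0x3000)
    # Import directory at RVA 0x1000: one descriptor followed by the all-zero terminator.
    struct.pack_into("<IIIII", img, 0x1000, 0x1100, 0, 0, 0x1200, 0x2000)
    # Import lookup table at 0x1100: RVAs of hint/name entries (contents not needed here).
    struct.pack_into("<IIII", img, 0x1100, 0x1210, 0x1220, 0x1230, 0)
    img[0x1200:0x1200 + 13] = b"KERNEL32.dll\0"
    # Primary IAT (described by the descriptor): three resolved pointers, null-terminated.
    struct.pack_into("<IIII", img, 0x2000, 0x76001000, 0x76002000, 0x76003000, 0)
    # Secondary IAT (functions resolved later): two pointers that no descriptor covers.
    struct.pack_into("<III", img, 0x1800, 0x76004000, 0x76005000, 0)
    return bytes(img)


def parse_import_descriptors(img, import_dir_rva):
    """Return [(dll_name, first_thunk_rva, iat_size_bytes)] for every descriptor."""
    descs = []
    off = import_dir_rva
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, off)
        if oft == 0 and name_rva == 0 and ft == 0:   # terminator entry
            break
        name = img[name_rva:img.index(b"\0", name_rva)].decode("ascii")
        n = 0
        while struct.unpack_from("<I", img, ft + n * THUNK)[0] != 0:
            n += 1
        descs.append((name, ft, n * THUNK))
        off += DESC_SIZE
    return descs


def is_module_pointer(value):
    return any(lo <= value < hi for lo, hi in MODULES.values())


def find_iat_candidates(img, min_entries=2):
    """Scan for runs of consecutive dwords pointing into a loaded module, which is what a
    dumper sees as 'an IAT'. Returns [(rva, size_bytes)] in increasing RVA order."""
    cands, start, n = [], None, 0
    for off in range(0, len(img) - THUNK + 1, THUNK):
        if is_module_pointer(struct.unpack_from("<I", img, off)[0]):
            if start is None:
                start = off
            n += 1
        else:
            if start is not None and n >= min_entries:
                cands.append((start, n * THUNK))
            start, n = None, 0
    if start is not None and n >= min_entries:   # run reaching end of buffer
        cands.append((start, n * THUNK))
    return cands


def covering_descriptor(descs, rva):
    """Name of the DLL whose FirstThunk array contains rva, or None if nothing covers it."""
    for name, ft, size in descs:
        if ft <= rva < ft + size:
            return name
    return None


def pick_iat_first_hit(img, import_dir_rva):
    """The behaviour described in the thread: stop at the first IAT found (the lower RVA),
    then try to find an import table covering it."""
    rva, _ = find_iat_candidates(img)[0]
    return rva, covering_descriptor(parse_import_descriptors(img, import_dir_rva), rva)


def pick_iat_covered(img, import_dir_rva):
    """Keep searching until a candidate is actually described by the import directory."""
    descs = parse_import_descriptors(img, import_dir_rva)
    for rva, _ in find_iat_candidates(img):
        name = covering_descriptor(descs, rva)
        if name is not None:
            return rva, name
    return None, None


if __name__ == "__main__":
    image = build_image()
    print("candidates:", [(hex(r), s) for r, s in find_iat_candidates(image)])
    print("first hit :", pick_iat_first_hit(image, 0x1000))   # secondary IAT, no table
    print("covered   :", pick_iat_covered(image, 0x1000))     # original IAT
```

The secondary array is what the report's smaller RVA corresponds to: it is a perfectly valid run of resolved pointers, so a scanner that stops at its first hit has no way to tell it apart from the original IAT without consulting the import directory. Checking each candidate against the descriptors' FirstThunk ranges is the cheap disambiguation.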
Please check the latest builds (attached to the README) and let me know if it helps.
It helped, works fine now. Thanks!
Hi, SHA256: fcfb911e57e71174a31eae79433f12c73f72b7e6d088f2f35125cfdf10d2e1af This sample of Trickbot spawns, after approximately 60-90 minutes, an instance of svchost.exe with the module importdll32.dll, which is responsible for stealing browsing data. Tested on Windows 7 32-bit. When using pesieve to dump it, imports were not rebuilt correctly.
To verify this, I decrypted the original importdll32 on the disk with trickbot_config_decoder. The decrypted module has the correct imports.
This zip file contains: the original trickbot sample, the decrypted importdll32, dumps of both pesieve and process dump, and the pesieve log when trying to dump importdll32 from svchost.exe. Password is: trickbot https://ufile.io/yqr7u