hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Wrong section alignment in dumped HawkEye sample #39

Closed hodgav closed 5 years ago

hodgav commented 5 years ago

Hello,

SHA256: dff7820b2b0b877c46a0cbc6be22b45b11511af7d50e36c7d83fa27f3db277b0

This is a HawkEye sample.

PESIEVE VERSION: 0.2.1 x86 running on Windows 7 32-bit.

It creates a suspended RegAsm.exe and injects into it. Just before ResumeThread is called on the child process, I dumped its contents using both MegaDumper (for .NET executables) and PESIEVE.

The PE dumped by PESIEVE doesn't seem to work. The PE dumped by MegaDumper (ofi.exe) works fine.

As we discussed, this is related to the section alignment field of the PE structure, as you have discovered. In the PE by PESIEVE it is 0x1000 (wrong value), while the correct value is 0x2000.

The following zip file contains:

  1. Original HawkEye sample
  2. PESIEVE dump of RegAsm.exe
  3. MegaDumper dump of RegAsm.exe
  4. Error message screenshot after running the dump by PESIEVE
  5. Screenshot of the command line output by PESIEVE

https://ufile.io/l2jbzynr password: hawkeye
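A small consistency check for the symptom in this report (the optional header's SectionAlignment not matching how the section table is actually laid out), added here as an example; it is not pe-sieve's code nor anything from the report. The PE32 header it parses is constructed inline for testing, and the "inferred alignment" heuristic (largest power of two dividing every section VirtualAddress) is an assumption of this example, a hint to inspect the dump rather than proof of corruption.

```python
import struct

# Field offsets inside the PE32 optional header (PE/COFF specification).
OPT_SECTION_ALIGNMENT = 32
OPT_FILE_ALIGNMENT = 36


def build_pe(section_alignment, section_vas, file_alignment=0x200):
    """Constructed minimal PE32 header for testing; not a real sample."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: NT headers follow the DOS header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<II", opt, OPT_SECTION_ALIGNMENT, section_alignment, file_alignment)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_vas), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", b".s%d" % i, 0x100, va, 0x200,
                    0x200 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, va in enumerate(section_vas))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_headers(data):
    """Return alignment fields and section VirtualAddresses of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                # optional header follows the 20-byte COFF header
    sec_align, file_align = struct.unpack_from("<II", data, opt + OPT_SECTION_ALIGNMENT)
    sect_off = opt + opt_size                          # section table follows the optional header
    vas = [struct.unpack_from("<I", data, sect_off + 40 * i + 12)[0] for i in range(nsec)]
    return {"opt_offset": opt, "section_alignment": sec_align,
            "file_alignment": file_align, "section_vas": vas}


def inferred_alignment(vas):
    """Largest power of two (up to 64 KiB) that divides every section VirtualAddress."""
    align = 1
    while vas and align < 0x10000 and all(va % (align * 2) == 0 for va in vas):
        align *= 2
    return align


def check_section_alignment(data):
    """(header value, value implied by the section table, mismatch flag)."""
    h = parse_headers(data)
    inferred = inferred_alignment(h["section_vas"])
    return h["section_alignment"], inferred, inferred != h["section_alignment"]


def set_section_alignment(data, value):
    """Return a copy of the image with SectionAlignment rewritten (e.g. 0x1000 -> 0x2000)."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, parse_headers(data)["opt_offset"] + OPT_SECTION_ALIGNMENT, value)
    return bytes(patched)
```

On a dump like the one in this report, sections sitting on 0x2000 boundaries while the header says 0x1000 produce a mismatch flag; rewriting the field with set_section_alignment clears it.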

hodgav commented 5 years ago

Tested, works fine. Thank you!