Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
BSD 2-Clause "Simplified" License
Bug: the module is detected, but not reconstructed or dumped (Kovter) #45
Closed
hasherezade closed 4 years ago
Test case
088597a57480fb76054cae34b94820f35b46a03129e536e495c97aff9112ebc8 - Kovter sample
Affected version
The bug was observed in the past, but was patched. It does not occur in v0.2.3 (the last release), but it was re-introduced by the latest changes.
Problem
The implanted PE is properly detected, but the reconstruction of the PE is unsuccessful. Example of the report fragment:
Expected payload: 539c20437c8266352fef989b834d1e1ba2061364a07f63817fbea62714b8a96a