hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Bug: the module is detected, but not reconstructed or dumped (Kovter) #45

Closed hasherezade closed 4 years ago

hasherezade commented 4 years ago

Test case

088597a57480fb76054cae34b94820f35b46a03129e536e495c97aff9112ebc8 - Kovter sample

Affected version

The bug was observed in the past, but was patched. It does not occur in v0.2.3 (the last release), but it was re-introduced by the latest changes.

Problem

The implanted PE is properly detected, but the reconstruction of the PE is unsuccessful. Example of the report fragment:

 "scans" : [
  {
   "workingset_scan" : {
    "module" : "1320000",
    "status" : 1,
    "has_pe" : 1,
    "has_shellcode" : 0,
    "is_listed_module" : 0,
    "protection" : 64,
    "pe_artefacts" : {
     "pe_base_offset" : "0",
     "nt_file_hdr" : "104",
     "sections_hdrs" : "1f8",
     "sections_count" : 7,
     "is_dll" : 0,
     "is_64_bit" : 0
    }
   }
  }

Expected payload: 539c20437c8266352fef989b834d1e1ba2061364a07f63817fbea62714b8a96a
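As an added example (not part of this issue or of pe-sieve's own code): a small triage script over a pe-sieve JSON report that lists modules flagged `has_pe` for which no dump was produced, and checks that the reported `pe_artefacts` offsets are mutually consistent. It assumes `nt_file_hdr` is the offset of IMAGE_FILE_HEADER (just past the "PE\0\0" signature), that the optional header has its standard size, and that the caller supplies the set of module bases that were actually dumped (`dumped_modules`, a hypothetical input).

```python
import json

# Constructed sample modelled on the issue's report fragment (closing brackets supplied).
SAMPLE_REPORT = """{
 "scans" : [
  {
   "workingset_scan" : {
    "module" : "1320000",
    "status" : 1,
    "has_pe" : 1,
    "has_shellcode" : 0,
    "is_listed_module" : 0,
    "protection" : 64,
    "pe_artefacts" : {
     "pe_base_offset" : "0",
     "nt_file_hdr" : "104",
     "sections_hdrs" : "1f8",
     "sections_count" : 7,
     "is_dll" : 0,
     "is_64_bit" : 0
    }
   }
  }
 ]
}"""

FILE_HDR_SIZE = 20               # sizeof(IMAGE_FILE_HEADER)
OPT_HDR_SIZE = {0: 224, 1: 240}  # IMAGE_OPTIONAL_HEADER32 / IMAGE_OPTIONAL_HEADER64 (standard sizes)

def expected_sections_hdrs(art):
    """Where the section headers should start if the artefacts are consistent.
    Assumption: nt_file_hdr points at IMAGE_FILE_HEADER and the optional header is standard-sized."""
    return int(art["nt_file_hdr"], 16) + FILE_HDR_SIZE + OPT_HDR_SIZE[art["is_64_bit"]]

def triage(report_text, dumped_modules):
    """Return (module, note) pairs for PE implants that were detected but not dumped.
    dumped_modules: set of module base strings (as in the report) for which a dump file exists."""
    findings = []
    for scan in json.loads(report_text)["scans"]:
        ws = scan.get("workingset_scan")
        if not ws or not ws.get("has_pe"):
            continue  # not a PE implant: shellcode-only or clean region
        art = ws["pe_artefacts"]
        consistent = int(art["sections_hdrs"], 16) == expected_sections_hdrs(art)
        if ws["module"] not in dumped_modules:
            note = ("headers consistent; reconstruction should be possible" if consistent
                    else "section header offset does not match file/optional header layout")
            findings.append((ws["module"], note))
    return findings
```

For the fragment above the check passes (0x104 + 20 + 224 = 0x1f8), so a missing dump points at the reconstruction step rather than at corrupted headers.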