hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Offset of the original Import Table is replaced pointing to its part #56

Closed hasherezade closed 4 years ago

hasherezade commented 4 years ago

Problem

If the first record in the Import Table is filled with a shim, this import is not recognized by PE-sieve. So, PE-sieve marks the Import Table as incorrect and tries to find a new one, setting the offset after the shim as the beginning of the Import Table.

Expected behavior

PE-sieve should not be overwriting Import Table's offset in such cases.

hasherezade commented 4 years ago

This issue was an invalid interpretation of a correct behavior.