Bug in path interpretation (in MappingScanner)

hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

https://hshrzd.wordpress.com/pe-sieve/

BSD 2-Clause "Simplified" License

3.03k stars 423 forks source link

Bug in path interpretation (in MappingScanner) #8

Closed hasherezade closed 6 years ago

hasherezade commented 6 years ago

Paths should be expanded to their full format before the comparison - otherwise they are mistakenly reported as different. Example of the invalid report:

"mapping_scan" : {
"module" : "6cc90000",
"status" : 1,
"mapped_file" : "C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL",
"module_file" : "C:\PROGRA~1\MIF5BA~1\Office15\URLREDIR.DLL"
}