hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Crash on import reconstruction #84

Closed hasherezade closed 3 years ago

hasherezade commented 3 years ago

Sample: d578128922e3990112b2275f3cd7b6c0b4f6df4b4d6c9c98959fa1c9862e7db0 - Dridex

run by:

rundll32.exe sample.dll,#1

The crash occurs during a scan by PE-sieve/HH with the /imp option.

hasherezade commented 3 years ago

Fixed in v0.2.9.6: