search

hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License
3.1k stars 433 forks source link

Error reconstructing PE from the found artifacts (64 bit PE) #85

Open hasherezade opened 3 years ago

hasherezade commented 3 years ago

Sample: e818738311bc1d540a23f3235d75e5a9d79ee75e8661bf34e54cdb7755e619e3

The implanted PEs are detected, yet, they are dumped as .corrupt_dlls. The reconstructions fails. Detected artifacts:

   "workingset_scan" : {
    "module" : "4d1f9b0000",
    "status" : 1,
    "has_pe" : 1,
    "has_shellcode" : 0,
    "is_listed_module" : 0,
    "protection" : "40",
    "mapping_type" : "MEM_PRIVATE",
    "pe_artefacts" : {
     "pe_base_offset" : "0",
     "sections_hdrs" : "1f8",
     "sections_count" : 5,
     "is_dll" : 1,
     "is_64_bit" : 1
    }
   }
  },
  {
   "workingset_scan" : {
    "module" : "4d21340000",
    "status" : 1,
    "has_pe" : 1,
    "has_shellcode" : 1,
    "is_listed_module" : 0,
    "protection" : "40",
    "mapping_type" : "MEM_PRIVATE",
    "pe_artefacts" : {
     "pe_base_offset" : "ce8",
     "nt_file_hdr" : "ddc",
     "sections_hdrs" : "ee0",
     "sections_count" : 5,
     "is_dll" : 1,
     "is_64_bit" : 1
    }
   }

Dumped artifacts: artifacts.zip

hasherezade commented 3 years ago

The PE with more complete artifacts was dumped properly:

dumped_dll