hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Incomplete dump: unable to read inaccessible pages #86

Closed hasherezade closed 3 years ago

hasherezade commented 3 years ago

Sample: 5c77d41394b0af55ecb0b458af391bbea9ac1b76555fe574bcaea0bc3851783b - Ursnif (unpacked)

This malware manually loads the payload: fda3439c3d23b729daea5b9d6c775b37318f1ab4052f3c07d068efba250a860d

The payload is detected and dumped with PE-sieve, yet the dump is incomplete. The .bss section is missing (empty), because it was set as inaccessible:

[screenshot: read_non_accessible]

However, x64dbg is able to read it:

[screenshot: content]

This type of content should be read by PE-sieve too.

hasherezade commented 3 years ago

As a result of the changes, a valid .bss section was dumped:

[screenshot: valid_bss]
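The failure mode in this issue is a committed section whose pages carry PAGE_NOACCESS, which ReadProcessMemory refuses, while a debugger still shows the bytes. The following is an added example and not PE-sieve's code or the fix the author committed; it assumes the debugger-style approach of lifting the page protection with VirtualProtectEx for the duration of the read and then restoring it. The region layout in SAMPLE_REGIONS is constructed, and plan_read, read_remote, query_regions and Region are names chosen for the example. The planning step is separated from the Win32 calls so it can be exercised on any platform; the actual reader only exists when running on Windows.

```python
"""Read a remote section whose pages are PAGE_NOACCESS (added example, not PE-sieve's code).

Assumption: do what a debugger does. Lift the protection with VirtualProtectEx for the
duration of ReadProcessMemory, then restore it. Planning is kept apart from the Win32
calls so the region logic can be run anywhere on constructed regions.
"""
import ctypes
import sys
from dataclasses import dataclass

# Page-protection and region-state constants from winnt.h
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x20, 0x40, 0x80
PAGE_GUARD, MEM_COMMIT, MEM_RESERVE = 0x100, 0x1000, 0x2000
# PAGE_EXECUTE (0x10) is deliberately absent: treated conservatively and lifted like NOACCESS
READABLE = {PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY,
            PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Region:
    """One VirtualQueryEx entry (or a constructed stand-in for it)."""
    base: int
    size: int
    protect: int
    state: int = MEM_COMMIT


def is_readable(protect: int) -> bool:
    """ReadProcessMemory only copies pages with a read bit and no PAGE_GUARD flag."""
    return (protect & 0xFF) in READABLE and not (protect & PAGE_GUARD)


def plan_read(regions, start: int, size: int):
    """Split [start, start+size) at region boundaries into (base, length, action) tuples.

    "read": copy as-is. "unprotect": committed but unreadable (PAGE_NOACCESS, PAGE_GUARD),
    so the protection must be lifted first. "skip": reserved/free pages with no backing,
    which a dump can only leave zero-filled.
    """
    end, plan = start + size, []
    for r in sorted(regions, key=lambda x: x.base):
        lo, hi = max(start, r.base), min(end, r.base + r.size)
        if lo >= hi:
            continue
        if r.state != MEM_COMMIT:
            action = "skip"
        elif is_readable(r.protect):
            action = "read"
        else:
            action = "unprotect"
        plan.append((lo, hi - lo, action))
    return plan


# Constructed layout mirroring the issue: headers, .text, a .bss the loader set NOACCESS, reserved tail.
SAMPLE_REGIONS = [Region(0x400000, 0x1000, PAGE_READONLY), Region(0x401000, 0x2000, PAGE_EXECUTE_READ),
                  Region(0x403000, 0x1000, PAGE_NOACCESS), Region(0x404000, 0x1000, 0, MEM_RESERVE)]

if sys.platform == "win32":  # real reader; handle needs PROCESS_VM_READ|PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION
    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                    ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualProtectEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
                                     ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    k32.VirtualProtectEx.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.ReadProcessMemory.restype = ctypes.c_int

    def query_regions(hproc, start, size):
        """Walk VirtualQueryEx across [start, start+size) into Region objects."""
        regions, addr = [], start
        while addr < start + size:
            mbi = MEMORY_BASIC_INFORMATION()
            if not k32.VirtualQueryEx(hproc, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
                break
            base = mbi.BaseAddress or 0
            regions.append(Region(base, mbi.RegionSize, mbi.Protect, mbi.State))
            addr = base + mbi.RegionSize
        return regions

    def read_remote(hproc, start, size):
        out = bytearray(size)  # bytes we cannot obtain stay zero, like the incomplete dump
        for base, length, action in plan_read(query_regions(hproc, start, size), start, size):
            old = ctypes.c_ulong(0)
            if action == "skip" or (action == "unprotect" and not k32.VirtualProtectEx(
                    hproc, base, length, PAGE_READONLY, ctypes.byref(old))):
                continue  # no backing pages, or protection could not be lifted: leave zeros
            try:
                buf, got = (ctypes.c_char * length)(), ctypes.c_size_t(0)
                if k32.ReadProcessMemory(hproc, base, buf, length, ctypes.byref(got)):
                    out[base - start:base - start + got.value] = buf.raw[:got.value]
            finally:  # put the original protection back, PAGE_GUARD bit included
                if action == "unprotect":
                    k32.VirtualProtectEx(hproc, base, length, old.value, ctypes.byref(ctypes.c_ulong(0)))
        return bytes(out)
```

Two caveats a practitioner should keep in mind: VirtualProtectEx on another process's pages needs PROCESS_VM_OPERATION on the handle, and flipping protection is visible to the target (a packer that re-checks its own page protections, or a guard page that is consumed and must be re-armed), which is why the original value is restored in a finally block even when the read fails.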