hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Improve detecting when to realign the payload #90

Closed hasherezade closed 2 years ago

hasherezade commented 2 years ago

In case the additional IAT is located in a virtual cave of the PE, it should be dumped as realigned in order to preserve it. Example:

[image: cave_example] Import Table was reconstructed correctly, but some of the thunks are not in the range of the raw file

If we request explicitly that the file should be dumped as realigned (/dmode 3), this problem does not occur. Yet, it should be detected and adjusted automatically if run in the auto-detect mode.
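The check described in this issue, written as an added example (not pe-sieve's own code): a constructed section table in which the `.text` section has a VirtualSize larger than its SizeOfRawData, so an import thunk placed in that gap has no raw file offset. The example assumes that "realigned" means the raw section layout is rewritten to mirror the virtual one; the section values and thunk RVAs are constructed, not taken from any real sample.

```python
import struct
from typing import List, NamedTuple, Optional

# IMAGE_SECTION_HEADER: 40 bytes, little-endian.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int


def parse_sections(table: bytes) -> List[Section]:
    """Parse a raw section table (one IMAGE_SECTION_HEADER per 40 bytes)."""
    sections = []
    for name, vsize, va, rawsz, rawptr, *_ in SECTION_HDR.iter_unpack(table):
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rawptr, rawsz))
    return sections


def rva_to_raw(sections: List[Section], rva: int) -> Optional[int]:
    """Map an RVA to a raw file offset. Returns None when the RVA lies in a
    virtual cave (inside VirtualSize but past SizeOfRawData) or in no section."""
    for s in sections:
        span = s.virtual_size or s.raw_size
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None


def needs_realign(sections: List[Section], thunk_rvas: List[int]) -> bool:
    """True if any reconstructed thunk would be lost in a raw-layout dump."""
    return any(rva_to_raw(sections, rva) is None for rva in thunk_rvas)


def realign(sections: List[Section]) -> List[Section]:
    """Assumed realigned layout: raw pointer/size mirror the virtual ones,
    so the caves (and the thunks inside them) survive in the dumped file."""
    return [s._replace(raw_pointer=s.virtual_address, raw_size=s.virtual_size)
            for s in sections]


# Constructed sample: .text has a 0x2000-byte virtual cave beyond its raw data.
SAMPLE_TABLE = (
    SECTION_HDR.pack(b".text", 0x3000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    + SECTION_HDR.pack(b".data", 0x2000, 0x4000, 0x200, 0x1400, 0, 0, 0, 0, 0xC0000040)
)
THUNK_RVAS = [0x1200, 0x2500]  # second one sits in the .text cave
```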

hasherezade commented 2 years ago

Result: the same PE is dumped automatically as realigned:

[image: dump_realigned]