search

hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License
3.1k stars 433 forks source link

Error in appending a new Import Table #96

Closed hasherezade closed 2 years ago

hasherezade commented 2 years ago

Sample:

Commandline:

mal_unpack.exe /exe ce9f47913b5d50a6f0cc5f1b6c730956cdcc851e731d30ee11c18376a16e95ee.exe /trigger T /timeout 10000 /data 3 /imp A

Problem: PE-sieve validly detects imports, and attempts to reconstruct import table. But, due to the malformed PE header, the new import table is not properly written to the dump.

Trace log (from TinyTracer): s1.exe.tag The dumped import table: c450000.exe.imports.txt The dumped payload: 1376707cb15d0b098dc6ade4cca6c80b64c8de64b241f29fef59456e432f87d9 Sections of the unpacked payload:

invalid_sections

hasherezade commented 2 years ago

Improved in: https://github.com/hasherezade/pe-sieve/commit/5c14d2aca1cdb9211af6b8d9f231818234cb3e1e

hasherezade commented 2 years ago

The invalid sections are now cut out:

sections_removed

And the new import table is validly appended.