volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Dumpfiles uses incorrect sector size for DataSectionObject #1292

Closed superponible closed 1 month ago

superponible commented 1 month ago

Describe the bug

Files cached as either ImageSectionObject or DataSectionObject can be dumped in the same way using the _CONTROL_AREA structure. However, we've found that when iterating through the _SUBSECTION values of the _CONTROL_AREA, the sector size for these is different. The current code uses a sector size of 0x200. This works for ImageSectionObjects as the subsections in the control area correspond to PE file sections that are then mapped into different sections in memory. For DataSectionObjects, this generally works as most files mapped as data use only one subsection. In cases where a DataSectionObject has more than one subsection, this sector size needs to be 0x1000. Info on subsections: https://www.linkedin.com/pulse/dissecting-windows-section-objects-artem-baranov/#:~:text=few%20words%20about-,Subsections,-Subsection%20(_SUBSECTION)%20is

As seen in the output below, this doesn't generally affect many files across a sample. The example surge_collect.exe file from the output shows that the size of the output DataSectionObject file with the new sector_size more closely matches the ImageSectionObject file size. The difference in data between the two files also starts at a much later offset with the new sector_size and is really only different at the very end when compared with the ImageSectionObject output.

To Reproduce

Just run dumpfiles on a Windows sample.

Example output

Here are the results of running dumpfiles before and after the change.

Sample 1
$ ls -l dumpfiles_before_sample1 | wc
    1731   15615  219579

$ ls -l dumpfiles_after_sample1| wc
    1731   15615  219579

$ diff -r dumpfiles_before dumpfiles_after
Binary files dumpfiles_before_sample1/file.0xfa8005874a90.0xfa80071b7600.DataSectionObject.CiST0000.000.dat and dumpfiles_after_sample1/file.0xfa8005874a90.0xfa80071b7600.DataSectionObject.CiST0000.000.dat differ
Binary files dumpfiles_before_sample1/file.0xfa800721bcc0.0xfa8006caab60.DataSectionObject.INDEX.000.dat and dumpfiles_after_sample1/file.0xfa800721bcc0.0xfa8006caab60.DataSectionObject.INDEX.000.dat differ
Binary files dumpfiles_before_sample1/file.0xfa80074f9070.0xfa8007514520.DataSectionObject.Security.evtx.dat and dumpfiles_after_sample1/file.0xfa80074f9070.0xfa8007514520.DataSectionObject.Security.evtx.dat differ
Binary files dumpfiles_before_sample1/file.0xfa800bfdaa90.0xfa80068c6010.DataSectionObject._surge-collect.exe.dat and dumpfiles_after_sample1/file.0xfa800bfdaa90.0xfa80068c6010.DataSectionObject._surge-collect.exe.dat differ
Binary files dumpfiles_before_sample1/file.0xfa8010754b60.0xfa8010988af0.DataSectionObject.thumbcache_32.db.dat and dumpfiles_after_sample1/file.0xfa8010754b60.0xfa8010988af0.DataSectionObject.thumbcache_32.db.dat differ
Binary files dumpfiles_before_sample1/file.0xfa80108893f0.0xfa8006c10b40.DataSectionObject.thumbcache_256.db.dat and dumpfiles_after_sample1/file.0xfa80108893f0.0xfa8006c10b40.DataSectionObject.thumbcache_256.db.dat differ
Binary files dumpfiles_before_sample1/file.0xfa801094b510.0xfa80109889f0.DataSectionObject.thumbcache_96.db.dat and dumpfiles_after_sample1/file.0xfa801094b510.0xfa80109889f0.DataSectionObject.thumbcache_96.db.dat differ
Binary files dumpfiles_before_sample1/file.0xfa8010cc78e0.0xfa8006c10b40.DataSectionObject.thumbcache_256.db.dat and dumpfiles_after_sample1/file.0xfa8010cc78e0.0xfa8006c10b40.DataSectionObject.thumbcache_256.db.dat differ

$ ls -l dumpfiles_*sample*/*Section*._surge*
-rw-------  1 dave  staff  5429760 Oct  5 07:50 dumpfiles_after_sample1/file.0xfa800bfdaa90.0xfa8006664950.ImageSectionObject._surge-collect.exe.img
-rw-------  1 dave  staff  5435392 Oct  5 07:50 dumpfiles_after_sample1/file.0xfa800bfdaa90.0xfa80068c6010.DataSectionObject._surge-collect.exe.dat
-rw-------  1 dave  staff  5429760 Oct  5 07:44 dumpfiles_before_sample1/file.0xfa800bfdaa90.0xfa8006664950.ImageSectionObject._surge-collect.exe.img
-rw-------  1 dave  staff  2490368 Oct  5 07:44 dumpfiles_before_sample1/file.0xfa800bfdaa90.0xfa80068c6010.DataSectionObject._surge-collect.exe.dat

$ diff surge_before_data surge_after_data| head
8193,155648c8193,339712
< 00020000: 0f86 0202 0000 83ec 240f b61d ff31 9300  ........$....1..
< 00020010: 80fb 0074 170f b61d ff31 9300 80fb 0275  ...t.....1.....u
< 00020020: 0483 c424 c3e8 a6e9 f2ff 0f0b c605 ff31  ...$...........1
< 00020030: 9300 01e8 4820 1000 e803 f7f9 ffe8 eeab  ....H ..........
< 00020040: f5ff e889 db0c 00e8 443e 0300 e8ef cbf5  ........D>......

$ diff surge_after_data surge_after_img | head
339169,339712c339169,339360
< 0052ce00: 101c 0000 0002 0200 3082 1c01 0609 2a86  ........0.....*.
< 0052ce10: 4886 f70d 0107 02a0 821b f230 821b ee02  H..........0....
< 0052ce20: 0101 310b 3009 0605 2b0e 0302 1a05 0030  ..1.0...+......0
< 0052ce30: 4c06 0a2b 0601 0401 8237 0201 04a0 3e30  L..+.....7....>0
< 0052ce40: 3c30 1706 0a2b 0601 0401 8237 0201 0f30  <0...+.....7...0
< 0052ce50: 0903 0100 a004 a202 8000 3021 3009 0605  ..........0!0...

>>> hex(5429760)
'0x52da00'

Sample 2

$ ls -l dumpfiles_before_sample2 | wc
    1799   16250  233425

$ ls -l dumpfiles_after_sample2 | wc
    1799   16250  233425

$ diff -r dumpfiles_before_sample2/ dumpfiles_after_sample2
Binary files dumpfiles_before_sample2/file.0xe6851261e540.0xe6851252b6f0.DataSectionObject.EtwRTDefenderApiLogger.etl.dat and dumpfiles_after_sample2/file.0xe6851261e540.0xe6851252b6f0.DataSectionObject.EtwRTDefenderApiLogger.etl.dat differ
Binary files dumpfiles_before_sample2/file.0xe68514c6a380.0xe6851668fdd0.DataSectionObject.WebCacheV01.dat.dat and dumpfiles_after_sample2/file.0xe68514c6a380.0xe6851668fdd0.DataSectionObject.WebCacheV01.dat.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851774eef0.0xe685176207d0.DataSectionObject.CacheStorage.edb.dat and dumpfiles_after_sample2/file.0xe6851774eef0.0xe685176207d0.DataSectionObject.CacheStorage.edb.dat differ
Binary files dumpfiles_before_sample2/file.0xe68517965cb0.0xe68517a0dd10.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.01.dat and dumpfiles_after_sample2/file.0xe68517965cb0.0xe68517a0dd10.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.01.dat differ
Binary files dumpfiles_before_sample2/file.0xe685179680a0.0xe68517a0dd10.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.01.dat and dumpfiles_after_sample2/file.0xe685179680a0.0xe68517a0dd10.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.01.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796db40.0xe68517a0c690.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.6C.dat and dumpfiles_after_sample2/file.0xe6851796db40.0xe68517a0c690.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.6C.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796dcd0.0xe68517a0da90.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.7E.dat and dumpfiles_after_sample2/file.0xe6851796dcd0.0xe68517a0da90.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.7E.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796e180.0xe68517a0da90.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.7E.dat and dumpfiles_after_sample2/file.0xe6851796e180.0xe68517a0da90.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.7E.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796e630.0xe68517a0d590.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.7C.dat and dumpfiles_after_sample2/file.0xe6851796e630.0xe68517a0d590.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.7C.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796e7c0.0xe68517a0d810.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.80.dat and dumpfiles_after_sample2/file.0xe6851796e7c0.0xe68517a0d810.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.80.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796e950.0xe68517a0d950.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.87.dat and dumpfiles_after_sample2/file.0xe6851796e950.0xe68517a0d950.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.87.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796eae0.0xe68517a0d950.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.87.dat and dumpfiles_after_sample2/file.0xe6851796eae0.0xe68517a0d950.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.87.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796f760.0xe68517a0c690.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.6C.dat and dumpfiles_after_sample2/file.0xe6851796f760.0xe68517a0c690.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.6C.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796f8f0.0xe68517a0cb90.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.79.dat and dumpfiles_after_sample2/file.0xe6851796f8f0.0xe68517a0cb90.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.79.dat differ
Binary files dumpfiles_before_sample2/file.0xe6851796fc10.0xe68517a0dbd0.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.67.dat and dumpfiles_after_sample2/file.0xe6851796fc10.0xe68517a0dbd0.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.67.dat differ
Binary files dumpfiles_before_sample2/file.0xe685179700c0.0xe68517a0d810.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.80.dat and dumpfiles_after_sample2/file.0xe685179700c0.0xe68517a0d810.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.80.dat differ
Binary files dumpfiles_before_sample2/file.0xe68517970250.0xe68517a0dbd0.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.67.dat and dumpfiles_after_sample2/file.0xe68517970250.0xe68517a0dbd0.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.67.dat differ
Binary files dumpfiles_before_sample2/file.0xe685179703e0.0xe68517a11050.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.DB.dat and dumpfiles_after_sample2/file.0xe685179703e0.0xe68517a11050.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.DB.dat differ
Binary files dumpfiles_before_sample2/file.0xe68517971ce0.0xe68517a11050.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.DB.dat and dumpfiles_after_sample2/file.0xe68517971ce0.0xe68517a11050.DataSectionObject.mpcache-6EDD6714AE5B1BF3A6B6A475993B5ED69B4E5A00.bin.DB.dat differ
Binary files dumpfiles_before_sample2/file.0xe68517972c80.0xe68515f9feb0.DataSectionObject.mpenginedb.db-wal.dat and dumpfiles_after_sample2/file.0xe68517972c80.0xe68515f9feb0.DataSectionObject.mpenginedb.db-wal.dat differ
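To make the arithmetic behind the report concrete, here is an added toy model (not volatility3's own code) of how each cached page's file offset derives from _SUBSECTION.StartingSector multiplied by a sector size; the subsection values are constructed, and the model shows how a DataSectionObject with several subsections ends up with overlapping pages and a short dump when 0x200 is used where 0x1000 belongs.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAGE_SIZE = 0x1000           # a cached page is always 4 KiB
IMAGE_SECTOR_SIZE = 0x200    # the value dumpfiles used unconditionally (fine for ImageSectionObject)
DATA_SECTOR_SIZE = 0x1000    # the value the issue reports is needed for DataSectionObject


@dataclass(frozen=True)
class Subsection:
    """The two _SUBSECTION fields the file layout depends on (values below are constructed)."""
    starting_sector: int      # _SUBSECTION.StartingSector
    ptes_in_subsection: int   # _SUBSECTION.PtesInSubsection


def sector_size_for(is_image: bool) -> int:
    """Unit that StartingSector is expressed in, chosen by section type."""
    return IMAGE_SECTOR_SIZE if is_image else DATA_SECTOR_SIZE


def page_offsets(subsections: List[Subsection], sector_size: int) -> List[int]:
    """File offset of every cached page, in the order a dump would write them."""
    offsets = []
    for sub in subsections:
        base = sub.starting_sector * sector_size
        offsets.extend(base + i * PAGE_SIZE for i in range(sub.ptes_in_subsection))
    return offsets


def dump_stats(subsections: List[Subsection], sector_size: int) -> Dict[str, int]:
    """Size of the written file and how many pages landed on an already-written offset."""
    offsets = page_offsets(subsections, sector_size)
    size = max(offsets) + PAGE_SIZE if offsets else 0
    collisions = len(offsets) - len(set(offsets))   # later pages overwrite earlier ones
    return {"size": size, "collisions": collisions}


# Constructed DataSectionObject control area: three subsections of 32 pages each with
# StartingSector counted in pages (0, 32, 64), i.e. a contiguous 384 KiB file.
DATA_SUBSECTIONS = [Subsection(0, 32), Subsection(32, 32), Subsection(64, 32)]


def compare_data_dump() -> Tuple[Dict[str, int], Dict[str, int]]:
    """(before, after): the same control area dumped with 0x200 and then with 0x1000."""
    before = dump_stats(DATA_SUBSECTIONS, IMAGE_SECTOR_SIZE)            # old behaviour
    after = dump_stats(DATA_SUBSECTIONS, sector_size_for(is_image=False))  # fixed behaviour
    return before, after


if __name__ == "__main__":
    before, after = compare_data_dump()
    print(f"0x200 sector size : size={before['size']:#x} overlapping pages={before['collisions']}")
    print(f"0x1000 sector size: size={after['size']:#x} overlapping pages={after['collisions']}")
```

With the wrong unit, subsections two and three are placed inside the first one's range, so most of their pages overwrite data already written and the file comes out at 0x28000 bytes instead of 0x60000, the same truncation pattern as the surge-collect.exe sizes above.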