Closed wangray closed 6 years ago
I believe that CreateFileMapping with SEC_IMAGE will always set the rebased address in OptionalHeader.ImageBase, so it's rather magical that Immunity would give back a different value there (perhaps a cache?). I think the only real way to find if a module is rebased is to read the original file and compare the in-memory value with that...
Ugh, they never seem to be reading the file from disk. There's a ModuleCache but it doesn't seem to be for this purpose. https://github.com/corelan/mona/blob/69ab1abf2640e0d287f58531fc1bd2becf7e21c9/mona.py#L5717
Seems like mona for WinDBG has the same issue. I'm going to just read the header off of disk with the pefile module.
See https://github.com/x64dbg/x64dbgpylib/pull/6/commits/f23d9622ec14e9a1a9a327221f0d50ef0bf0cc31 for my proposed solution.
Looks good to me! I think if this is the only thing we will use pefile for, we should write our own implementation though; it should be rather simple...
Sure, I can do that.
To determine whether a module has been rebased, mona checks whether ntHeader.OptionalHeader.ImageBase is equal to the actual base address in memory. However, for all the Microsoft DLLs, it seems the ImageBase field is changed to its base address in memory? Somehow, Immunity gets the ImageBase field of the DLLs before they're changed, correctly marking all the Microsoft DLLs as rebased.

x64dbg:

Immunity:

How do we get the same behavior as Immunity?
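A minimal version of the on-disk check discussed in this thread, written as an added example (it is not code from x64dbgpylib, mona or the linked PR): it parses OptionalHeader.ImageBase straight out of raw PE header bytes without pefile, handling both PE32 and PE32+, and compares it with the base address the debugger reports for the module. The header bytes must come from the file on disk; if they are read from the debuggee's memory the comparison trivially succeeds, which is the mona behaviour described above. The headers produced by build_header and the load addresses used below are constructed for illustration, not taken from any real module.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550  # 'PE\0\0'
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
FILE_HEADER_SIZE = 20            # sizeof(IMAGE_FILE_HEADER)


def image_base_from_header(data):
    """Return OptionalHeader.ImageBase parsed from raw PE header bytes.

    Only the DOS header, PE signature, file header and the first 32 bytes of
    the optional header are needed, so 'data' may be a short prefix of the file.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 4 + FILE_HEADER_SIZE + 32:
        raise ValueError("header truncated")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + FILE_HEADER_SIZE  # start of IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        # PE32: ImageBase is a DWORD at offset 28 (after BaseOfCode and BaseOfData)
        return struct.unpack_from("<I", data, opt + 28)[0]
    if magic == PE32PLUS_MAGIC:
        # PE32+: there is no BaseOfData, so ImageBase is a QWORD at offset 24
        return struct.unpack_from("<Q", data, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def is_rebased(disk_header, loaded_base):
    """True when the module was loaded somewhere other than its preferred base."""
    return image_base_from_header(disk_header) != loaded_base


def rebased_from_file(path, loaded_base):
    """Read just the header from the file on disk and compare with loaded_base."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40:
            raise ValueError("missing MZ header")
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        head += f.read(max(0, e_lfanew - 0x40) + 4 + FILE_HEADER_SIZE + 32)
    return is_rebased(head, loaded_base)


def build_header(image_base, pe32plus):
    """Constructed minimal PE header (not a real module) used for the demo and tests."""
    opt_size = 112 if pe32plus else 96
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: NT headers follow the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE_IMAGE)
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                           0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


if __name__ == "__main__":
    import os
    import tempfile

    # A 32-bit DLL that prefers 0x10000000, once loaded there and once relocated.
    fd, path = tempfile.mkstemp(suffix=".dll")
    with os.fdopen(fd, "wb") as f:
        f.write(build_header(0x10000000, pe32plus=False))
    try:
        for base in (0x10000000, 0x6A000000):
            print("loaded at 0x%08X: rebased=%s" % (base, rebased_from_file(path, base)))
    finally:
        os.remove(path)
```

In a debugger script the path and loaded base come from the module list; the comparison itself never touches debuggee memory, so the loader's rewrite of the mapped ImageBase cannot mask a relocation.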