Include image=True binaries in load_binaries_from_memory

CERT-Polska · Oct 11, 2023 · 543eff3 · 543eff3
1 parent f274a2e
commit 543eff3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/malduck/extractor/extract_manager.py b/malduck/extractor/extract_manager.py
@@ -214,9 +214,6 @@ def push_procmem(
         family = self._extract_procmem(p, matches)
         for binary in binaries:
             family = self._extract_procmem(binary, matches) or family
-            binary_image = binary.image
-            if binary_image:
-                family = self._extract_procmem(binary_image, matches) or family
         return family
 
     @property

diff --git a/malduck/procmem/binmem.py b/malduck/procmem/binmem.py
@@ -75,9 +75,12 @@ def load_binaries_from_memory(cls: Type[T], procmem: ProcessMemory) -> Iterator[
         if cls.__magic__ is None:
             raise NotImplementedError()
         for binary_va in procmem.findv(cls.__magic__):
-            binary_procmem = cls.from_memory(procmem, base=binary_va)
-            if binary_procmem.is_valid():
-                yield binary_procmem
+            binary_procmem_dmp = cls.from_memory(procmem, base=binary_va)
+            if binary_procmem_dmp.is_valid():
+                yield binary_procmem_dmp
+            binary_procmem_img = cls.from_memory(procmem, base=binary_va, image=True)
+            if binary_procmem_img.is_valid():
+                yield binary_procmem_img
 
     @abstractmethod
     def is_image_loaded_as_memdump(self) -> bool: