From 443926aa1d66beae04fa9b13e33a88fd1635146b Mon Sep 17 00:00:00 2001
From: hasherezade
Date: Mon, 15 Jun 2020 13:01:10 +0200
Subject: [PATCH] [BUGFIX] Fixed mignore option (filtering out ignored modules)

---
 scanners/scanner.cpp | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/scanners/scanner.cpp b/scanners/scanner.cpp
index 2cc53ec84..66a77c38c 100644
--- a/scanners/scanner.cpp
+++ b/scanners/scanner.cpp
@@ -248,6 +248,15 @@ size_t pesieve::ProcessScanner::scanModules(ProcessScanReport &pReport) //throw
         //load module from file:
         ModuleData modData(processHandle, hMods[counter]);
+        ModuleScanReport *mappingScanReport = this->scanForMappingMismatch(modData, pReport);
+        if (!modData.loadOriginal()) {
+            if (!args.quiet) {
+                std::cout << "[!][" << args.pid << "] Suspicious: could not read the module file!" << std::endl;
+            }
+            //make a report that finding original module was not possible
+            pReport.appendReport(new UnreachableModuleReport(processHandle, hMods[counter], 0, modData.szModName));
+            continue;
+        }
         // Don't scan modules that are in the ignore list
         std::string plainName = peconv::get_file_name(modData.szModName);
@@ -256,23 +265,15 @@ size_t pesieve::ProcessScanner::scanModules(ProcessScanReport &pReport) //throw
             if (pReport.exportsMap && modData.loadOriginal()) {
                 pReport.exportsMap->add_to_lookup(modData.szModName, (HMODULE)modData.original_module, (ULONGLONG)modData.moduleHandle);
             }
-            continue;
-        }
-
-        ModuleScanReport *mappingScanReport = this->scanForMappingMismatch(modData, pReport);
-
-        if (!modData.loadOriginal()) {
             if (!args.quiet) {
-                std::cout << "[!][" << args.pid << "] Suspicious: could not read the module file!" << std::endl;
+                std::cout << "[*] Skipping ignored: " << std::hex << (ULONGLONG)modData.moduleHandle << " : " << modData.szModName << std::endl;
             }
-            //make a report that finding original module was not possible
-            pReport.appendReport(new UnreachableModuleReport(processHandle, hMods[counter], 0, modData.szModName));
+            pReport.appendReport(new SkippedModuleReport(processHandle, modData.moduleHandle, modData.original_size, modData.szModName));
             continue;
         }
         if (!args.quiet) {
             std::cout << "[*] Scanning: " << modData.szModName << std::endl;
         }
-
         if (modData.isDotNet()) {
 #ifdef _DEBUG
             std::cout << "[*] Skipping a .NET module: " << modData.szModName << std::endl;
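Review bot: The ignored-module branch still calls `modData.loadOriginal()` a second time in the context line `if (pReport.exportsMap && modData.loadOriginal())`, although after this patch that call has necessarily already succeeded before the ignore check is reached (the new unreachable-module block in the preceding hunk `continue`s otherwise). If loadOriginal() re-reads the module file from disk rather than returning a cached result — not visible here — the export lookup can be built from a different on-disk copy than the one the mapping-mismatch check saw, a small TOCTOU window for anyone able to write to the module path; either way the condition can be reduced to `if (pReport.exportsMap) {`. The ignore decision is keyed on `peconv::get_file_name(modData.szModName)`, i.e. the basename only, so a module whose basename matches an ignored entry is excluded from the in-memory scan wherever it was loaded from; the mapping-mismatch check now running first presumably narrows the path-substitution case, but this is worth stating in the comment above `plainName`, e.g. `// Ignore list is matched on basename only; mapping-mismatch check above has already run for this module`. `mappingScanReport` is also never read on this skip path, so if scanForMappingMismatch returns an owning pointer it does not also hand to pReport, the `continue` leaks it. scanModules begins and ends outside this hunk, and the `if` that opens the ignored-module block is not visible in it.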