From bd4b656dab75e6086273ca343a12dea723d1a11c Mon Sep 17 00:00:00 2001
From: hasherezade
Date: Fri, 1 Nov 2024 15:19:28 -0700
Subject: [PATCH] [FEATURE] If module was rebased, save the base in the dump report

---
 postprocessors/dump_report.cpp | 4 ++++
 postprocessors/dump_report.h | 3 ++-
 postprocessors/results_dumper.cpp | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/postprocessors/dump_report.cpp b/postprocessors/dump_report.cpp
index 6cfbaba01..91702c690 100644
--- a/postprocessors/dump_report.cpp
+++ b/postprocessors/dump_report.cpp
@@ -10,6 +10,10 @@ const bool pesieve::ModuleDumpReport::toJSON(std::stringstream &outs, size_t lev
 outs << "\"" << std::hex << moduleStart << "\"" << ",\n";
 OUT_PADDED(outs, level, "\"module_size\" : ");
 outs << "\"" << std::hex << moduleSize << "\"" << ",\n";
+ if (moduleStart != rebasedTo) {
+ OUT_PADDED(outs, level, "\"dump_base\" : ");
+ outs << "\"" << std::hex << rebasedTo << "\"" << ",\n";
+ }
 if (dumpFileName.length()) {
 OUT_PADDED(outs, level, "\"dump_file\" : ");
 outs << "\"" << peconv::get_file_name(dumpFileName) << "\"" << ",\n";
diff --git a/postprocessors/dump_report.h b/postprocessors/dump_report.h
index 997293753..4a28b258f 100644
--- a/postprocessors/dump_report.h
+++ b/postprocessors/dump_report.h
@@ -18,7 +18,7 @@ namespace pesieve {
 public:
 ModuleDumpReport(ULONGLONG module_start, size_t module_size)
- : moduleStart(module_start), moduleSize(module_size),
+ : moduleStart(module_start), moduleSize(module_size), rebasedTo(module_start),
 isDumped(false), isReportDumped(false),
 is_corrupt_pe(false), is_shellcode(false)
@@ -29,6 +29,7 @@ namespace pesieve {
 ULONGLONG moduleStart;
 size_t moduleSize;
+ ULONGLONG rebasedTo;
 bool is_corrupt_pe;
 bool is_shellcode;
 std::string impRecMode;
diff --git a/postprocessors/results_dumper.cpp b/postprocessors/results_dumper.cpp
index de56f9c82..aa325eaa2 100644
--- a/postprocessors/results_dumper.cpp
+++ b/postprocessors/results_dumper.cpp
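Review bot: The new `"dump_base"` key in toJSON is gated on `moduleStart != rebasedTo`, which silently depends on the constructor initialising `rebasedTo` to `module_start` (the dump_report.h hunk of this same patch) and on every writer leaving it untouched when nothing was rebased; that contract is not stated where it is relied on. I would put a comment above the new `if`: `// rebasedTo defaults to moduleStart; a differing value means the saved image was relocated, so report the base the dump file actually carries`. Since `module_start` keeps reporting the in-memory address, consumers that resolve addresses against the on-disk dump presumably need `dump_base` instead — worth a line in the JSON field documentation if the project keeps one. toJSON begins before and continues past this hunk.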
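Review bot: `ULONGLONG rebasedTo;` is added as a bare member that another translation unit writes directly (results_dumper.cpp assigns `modDumpReport->rebasedTo`), with no comment saying what it holds when no rebasing happened, even though toJSON's `moduleStart != rebasedTo` test depends on exactly that. I would declare it as `ULONGLONG rebasedTo; // image base the dump was written with; equals moduleStart unless the module was rebased`. The enclosing class is declared outside this hunk, so the access specifier in force here is not visible; the direct assignment from ResultsDumper suggests it is public, like the neighbouring is_corrupt_pe.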
@@ -311,6 +311,9 @@ bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
 ModuleDumpReport *modDumpReport = new ModuleDumpReport(module_buf.getModuleBase(), module_buf.getBufferSize());
 dumpReport.appendReport(modDumpReport);
+ if (out_base) {
+ modDumpReport->rebasedTo = out_base;
+ }
 modDumpReport->dumpFileName = makeModuleDumpPath(module_buf.getModuleBase(), module_name, payload_ext);
 modDumpReport->is_corrupt_pe = is_corrupt_pe;
 modDumpReport->is_shellcode = !module_buf.isValidPe() && module_buf.isCode();
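Review bot: The new `if (out_base)` block treats a zero `out_base` as "not rebased", but `out_base` is computed before this hunk, so a reader here cannot tell whether 0 means "kept its original base", "rebasing not attempted" or "rebasing failed" — the report omits `dump_base` for all of those alike. A one-line comment would pin the intended meaning, e.g. `// out_base == 0: the dump kept its original base (rebasedTo stays == moduleStart, so "dump_base" is not reported)` — to be confirmed against the code that sets out_base. The assignment also happens before dumpFileName and the other fields are filled in, so if a later step in this function fails the report would presumably still carry the rebased base; worth checking that consumers read isDumped alongside it. dumpModule starts before and continues past this hunk.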