Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error reconstructing PE from the found artifacts (64 bit PE) #85

Open
hasherezade opened this issue Jun 25, 2021 · 1 comment
Open

Error reconstructing PE from the found artifacts (64 bit PE) #85

hasherezade opened this issue Jun 25, 2021 · 1 comment
Assignees
@hasherezade

Comments

@hasherezade
Copy link
Owner

hasherezade commented Jun 25, 2021
edited
Loading

Sample:
e818738311bc1d540a23f3235d75e5a9d79ee75e8661bf34e54cdb7755e619e3

The implanted PEs are detected, yet, they are dumped as .corrupt_dlls. The reconstructions fails.
Detected artifacts:

   "workingset_scan" : {
    "module" : "4d1f9b0000",
    "status" : 1,
    "has_pe" : 1,
    "has_shellcode" : 0,
    "is_listed_module" : 0,
    "protection" : "40",
    "mapping_type" : "MEM_PRIVATE",
    "pe_artefacts" : {
     "pe_base_offset" : "0",
     "sections_hdrs" : "1f8",
     "sections_count" : 5,
     "is_dll" : 1,
     "is_64_bit" : 1
    }
   }
  },
  {
   "workingset_scan" : {
    "module" : "4d21340000",
    "status" : 1,
    "has_pe" : 1,
    "has_shellcode" : 1,
    "is_listed_module" : 0,
    "protection" : "40",
    "mapping_type" : "MEM_PRIVATE",
    "pe_artefacts" : {
     "pe_base_offset" : "ce8",
     "nt_file_hdr" : "ddc",
     "sections_hdrs" : "ee0",
     "sections_count" : 5,
     "is_dll" : 1,
     "is_64_bit" : 1
    }
   }

Dumped artifacts:
artifacts.zip
@hasherezade hasherezade self-assigned this Jun 25, 2021
hasherezade added a commit that referenced this issue Jun 27, 2021
@hasherezade
[BUGFIX] Fixed calculation of the image size: ArtefactScanner::calcIm…
27d7ed9 
…gSize (Issue #85)
@hasherezade
Copy link
Owner Author

The PE with more complete artifacts was dumped properly:

dumped_dll

hasherezade added a commit that referenced this issue Jul 29, 2021
@hasherezade
[REFACT] When calculating imgSize, skip uncommited pages (rather than…
c1f689f 
… inaccessible) - Issue #85
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hasherezade hasherezade

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hasherezade