4.12. Rebase dump to the default base (rebase)
By default, PE-sieve dumps PEs using the base at which they were loaded in memory. This is the most reliable way: if any pointers referencing an address within the current PE have been filled in memory, they will still be valid in the dumped binary.
Sometimes we want to dump the PE in a different mode, making it as similar as possible to the raw PE on the disk. This can be very helpful when we want to compare both and pinpoint exactly which fragments were overwritten in memory. It can also be needed for comparing dumps of the same module made in different analysis sessions, when the PE was loaded at a different base each time. The option to be used in this scenario is /rebase. When we select it, PE-sieve will try to rebase the PE before dumping it, applying the relocations from the relocation table. It will try to use the base from the original PE header of the corresponding module on the disk. If the module in memory was manually loaded and has no equivalent on the disk, it will use a default base instead.
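As an added example (not PE-sieve's own code), the core of the rebase step in Python: walking the IMAGE_BASE_RELOCATION blocks of the relocation table and adding the base delta to every relocated pointer. It assumes a flat memory-layout dump in which RVA equals buffer offset, and the image, its relocation table, the in-memory base 0x7FF600000000 and the target base 0x140000000 are all constructed values.

```python
import struct

# Relocation entry types from the PE format (winnt.h)
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address


def apply_relocations(image: bytearray, reloc_rva: int, reloc_size: int,
                      old_base: int, new_base: int) -> int:
    """Rewrite every relocated pointer in `image` from old_base to new_base.

    `image` is a memory-layout dump (RVA == offset into the buffer).
    Returns the number of pointers patched.
    """
    delta = new_base - old_base
    patched = 0
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8:                      # malformed or terminating block
            break
        for i in range((block_size - 8) // 2):  # 16-bit entries follow the header
            entry, = struct.unpack_from("<H", image, pos + 8 + 2 * i)
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                val, = struct.unpack_from("<I", image, target)
                struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
            elif rtype == IMAGE_REL_BASED_DIR64:
                val, = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError(f"unsupported relocation type {rtype}")
            patched += 1
        pos += block_size
    return patched


def build_sample_image() -> bytearray:
    """Constructed image: a 64-bit pointer at RVA 0x10 filled in memory relative
    to load base 0x7FF600000000, plus a one-block .reloc table at RVA 0x100."""
    image = bytearray(0x200)
    struct.pack_into("<Q", image, 0x10, 0x7FF600000000 + 0x1234)
    struct.pack_into("<II", image, 0x100, 0x0, 12)   # page RVA 0, 8-byte header + 2 entries
    struct.pack_into("<HH", image, 0x108, (IMAGE_REL_BASED_DIR64 << 12) | 0x10, 0)
    return image


def rebase_sample() -> int:
    """Rebase the constructed image to the (assumed) original ImageBase and
    return the pointer at RVA 0x10 afterwards."""
    image = build_sample_image()
    apply_relocations(image, 0x100, 12, old_base=0x7FF600000000, new_base=0x140000000)
    return struct.unpack_from("<Q", image, 0x10)[0]   # returns 0x140001234
```

Because the pass only touches addresses listed in the relocation table, a pointer written into the image at runtime without a matching entry keeps its in-memory value, which is exactly the kind of difference a disk-vs-dump comparison then exposes.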