[FEATURE] If module was rebased, save the base in the dump report
hasherezade committed Nov 1, 2024
1 parent fe5f81b commit bd4b656
Showing 3 changed files with 9 additions and 1 deletion.
4 changes: 4 additions & 0 deletions postprocessors/dump_report.cpp
@@ -10,6 +10,10 @@ const bool pesieve::ModuleDumpReport::toJSON(std::stringstream &outs, size_t lev
outs << "\"" << std::hex << moduleStart << "\"" << ",\n";
OUT_PADDED(outs, level, "\"module_size\" : ");
outs << "\"" << std::hex << moduleSize << "\"" << ",\n";
if (moduleStart != rebasedTo) {
OUT_PADDED(outs, level, "\"dump_base\" : ");
outs << "\"" << std::hex << rebasedTo << "\"" << ",\n";
}
if (dumpFileName.length()) {
OUT_PADDED(outs, level, "\"dump_file\" : ");
outs << "\"" << peconv::get_file_name(dumpFileName) << "\"" << ",\n";
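Review bot: The new `dump_base` key is written only when `rebasedTo` differs from `moduleStart`, so any consumer of this JSON has to treat it as optional and fall back to `module_start` when it is absent, and nothing in the hunk says so. A one-line comment above the added `if` would make that contract explicit: `// "dump_base" is present only when the dumped image was relocated; readers should default it to "module_start"`. The hex formatting of `rebasedTo` relies on the `std::hex` already applied to the stream on the earlier lines, which is consistent with the neighbouring fields. `toJSON` begins before this hunk.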
3 changes: 2 additions & 1 deletion postprocessors/dump_report.h
@@ -18,7 +18,7 @@ namespace pesieve {
public:

ModuleDumpReport(ULONGLONG module_start, size_t module_size)
: moduleStart(module_start), moduleSize(module_size),
: moduleStart(module_start), moduleSize(module_size), rebasedTo(module_start),
isDumped(false), isReportDumped(false),
is_corrupt_pe(false),
is_shellcode(false)
@@ -29,6 +29,7 @@ namespace pesieve {

ULONGLONG moduleStart;
size_t moduleSize;
ULONGLONG rebasedTo;
bool is_corrupt_pe;
bool is_shellcode;
std::string impRecMode;
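Review bot: `rebasedTo` is a public field that the dumper writes after construction, and its convention that "equal to moduleStart means no rebasing" is not stated at the declaration where a reader would look for it. A trailing comment would capture it: `ULONGLONG rebasedTo; // image base the dump was relocated to; equals moduleStart when the module was not rebased`. The constructor initializer list now names `rebasedTo` before `isDumped` and `isReportDumped`, whose declarations are outside the hunk; if they are declared ahead of `rebasedTo` in the class, -Wreorder will warn, so the declaration order is worth checking. The class body continues outside both hunks.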
3 changes: 3 additions & 0 deletions postprocessors/results_dumper.cpp
@@ -311,6 +311,9 @@ bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
ModuleDumpReport *modDumpReport = new ModuleDumpReport(module_buf.getModuleBase(), module_buf.getBufferSize());
dumpReport.appendReport(modDumpReport);

if (out_base) {
modDumpReport->rebasedTo = out_base;
}
modDumpReport->dumpFileName = makeModuleDumpPath(module_buf.getModuleBase(), module_name, payload_ext);
modDumpReport->is_corrupt_pe = is_corrupt_pe;
modDumpReport->is_shellcode = !module_buf.isValidPe() && module_buf.isCode();
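Review bot: The `if (out_base)` guard on the added lines treats zero as "not rebased", a convention that is not written down and that depends on the meaning of `out_base`, which is established outside the hunk (the `dumpModule` parameter list is not visible). A short comment would anchor it: `// out_base == 0: dumped at its original base; leave rebasedTo == moduleStart so the report omits "dump_base"`. Note that the dump file name on the following line is still derived from `module_buf.getModuleBase()`, so the file stays correlated with the in-process address while only the JSON records the relocation, which is presumably intended but worth confirming. `dumpModule` starts and ends outside this hunk.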
