
[FEATURE] Added new argument: rebase to regulate if the dumped module…
… should be rebased to its original base
hasherezade committed Nov 1, 2024
1 parent 14aa1bb commit fe5f81b
Showing 5 changed files with 29 additions and 10 deletions.
7 changes: 4 additions & 3 deletions include/pe_sieve_types.h
@@ -56,9 +56,9 @@ namespace pesieve {
} t_obfusc_mode;

typedef enum {
PE_IMPREC_NONE = 0, ///< do not try to recover imports
PE_IMPREC_AUTO, ///< try to autodetect the most suitable mode
PE_IMPREC_UNERASE, ///< recover erased parts of the partialy damaged import table
PE_IMPREC_NONE = 0, ///< do not try to recover imports
PE_IMPREC_AUTO, ///< try to autodetect the most suitable mode
PE_IMPREC_UNERASE, ///< recover erased parts of the partialy damaged import table
PE_IMPREC_REBUILD0, ///< build the import table from the scratch, basing on the found IAT(s): use only terminated blocks (restrictive mode)
PE_IMPREC_REBUILD1, ///< build the import table from the scratch, basing on the found IAT(s): use terminated blocks, or blocks with more than 1 thunk
PE_IMPREC_REBUILD2, ///< build the import table from the scratch, basing on the found IAT(s): use all found blocks (aggressive mode)
@@ -134,6 +134,7 @@ namespace pesieve {
t_iat_scan_mode iat; ///< detect IAT hooking
t_data_scan_mode data; ///< should scan non-executable pages?
bool minidump; ///< make minidump of full process
bool rebase; ///< rebase the module to its original base (if known)
t_dump_mode dump_mode; ///< in which mode the detected PE implants should be dumped
bool json_output; ///< display the final summary as the JSON report
bool make_reflection; ///< operate on a process reflection rather than on the live process (this allows i.e. to force-read inaccessible pages)
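Review bot: `bool rebase;` is inserted in the middle of the parameter struct (the typedef begins outside this hunk), which shifts every member that follows it (`dump_mode`, `json_output`, `make_reflection`, …); if this header is the library's public interface, as the include/ path suggests, a caller built against the previous layout would silently pass its `dump_mode` value in the new `rebase` slot. Appending the field at the end of the struct keeps the old offsets, or the library version should be bumped so stale callers are rejected. The field comment could also state the default and the fallback, e.g. `///< rebase the dumped module to its original base (if known); otherwise the dump keeps its current relocation base (default: false)`.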
9 changes: 7 additions & 2 deletions params.h
@@ -23,6 +23,7 @@ using namespace pesieve;
//dump options:
#define PARAM_IMP_REC "imp"
#define PARAM_DUMP_MODE "dmode"
#define PARAM_REBASE "rebase"
//output options:
#define PARAM_OUT_FILTER "ofilter"
#define PARAM_RESULTS_FILTER "report"
@@ -103,7 +104,10 @@ class PEsieveParams : public Params
ss2 << INFO_SPACER << "Example: kernel32.dll" << PARAM_LIST_SEPARATOR << "user32.dll";
this->setInfo(PARAM_MODULES_IGNORE, ss1.str(), ss2.str());
}


this->addParam(new BoolParam(PARAM_REBASE, false));
this->setInfo(PARAM_REBASE, "Rebase the module to its original base (if known).");

this->addParam(new BoolParam(PARAM_QUIET, false));
this->setInfo(PARAM_QUIET, "Print only the summary. Do not log on stdout during the scan.");

@@ -236,6 +240,7 @@ class PEsieveParams : public Params
this->addParamToGroup(PARAM_MINIDUMP, str_group);
this->addParamToGroup(PARAM_IMP_REC, str_group);
this->addParamToGroup(PARAM_DUMP_MODE, str_group);
this->addParamToGroup(PARAM_REBASE, str_group);

str_group = "2. scan exclusions";
this->addGroup(new ParamGroup(str_group));
@@ -270,7 +275,7 @@ class PEsieveParams : public Params
copyVal<EnumParam>(PARAM_RESULTS_FILTER, ps.results_filter);

fillStringParam(PARAM_MODULES_IGNORE, ps.modules_ignored);

copyVal<BoolParam>(PARAM_REBASE, ps.rebase);
copyVal<BoolParam>(PARAM_QUIET, ps.quiet);
copyVal<BoolParam>(PARAM_JSON, ps.json_output);
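Review bot: The help text set by `this->setInfo(PARAM_REBASE, ...)` does not say what happens when the flag is off, and because `BoolParam(PARAM_REBASE, false)` defaults it to off while results_dumper.cpp previously used `mod->origBase` unconditionally whenever it was non-zero, the dumper's default output changes with this commit. Suggest extending the string to something like `"Rebase the module to its original base (if known). Off by default: the dump then keeps the relocation base at which the module was found."` and noting the behavior change in the changelog. As a point of placement, `PARAM_REBASE` is grouped with the dump options (`addParamToGroup(PARAM_REBASE, str_group)` right after `PARAM_DUMP_MODE`) but its `addParam` call sits between the modules-ignore block and `PARAM_QUIET`; registering it next to the other dump parameters' `addParam` calls (outside this hunk) would keep the registration order consistent with the group layout.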

2 changes: 1 addition & 1 deletion pe_sieve.cpp
@@ -137,7 +137,7 @@ namespace pesieve {
dump_mode = pesieve::t_dump_mode(args.dump_mode);
}
size_t dumped_modules = 0;
dumpReport = dumper.dumpDetectedModules(hProcess, isRefl, process_report, dump_mode, args.imprec_mode);
dumpReport = dumper.dumpDetectedModules(hProcess, isRefl, process_report, dump_mode, args.imprec_mode, args.rebase);
if (dumpReport && dumpReport->countDumped()) {
dumped_modules = dumpReport->countDumped();
}
10 changes: 7 additions & 3 deletions postprocessors/results_dumper.cpp
@@ -206,7 +206,8 @@ pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules(
bool isRefl,
ProcessScanReport &process_report,
const pesieve::t_dump_mode dump_mode,
const t_imprec_mode imprec_mode)
const t_imprec_mode imprec_mode,
const bool rebase)
{
if (processHandle == nullptr) {
return nullptr;
@@ -222,13 +223,15 @@ pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules(
if (mod->status != SCAN_SUSPICIOUS) {
continue;
}
ULONGLONG out_base = rebase ? mod->origBase : 0;
dumpModule(processHandle,
isRefl,
process_report.modulesInfo,
mod,
process_report.exportsMap,
dump_mode,
imprec_mode,
out_base,
*dumpReport
);
}
@@ -260,6 +263,7 @@ bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
IN const peconv::ExportsMapper *exportsMap,
IN const pesieve::t_dump_mode dump_mode,
IN const t_imprec_mode imprec_mode,
IN ULONGLONG out_base,
OUT ProcessDumpReport &dumpReport
)
{
@@ -321,8 +325,8 @@ bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
modDumpReport->impRecMode = get_imprec_res_name(imprec_res);

module_buf.setRelocBase(mod->getRelocBase());
if (mod->origBase) {
module_buf.setRelocBase(mod->origBase);
if (out_base) {
module_buf.setRelocBase(out_base);
}
if (imprec_mode == pesieve::PE_IMPREC_NONE) {
modDumpReport->isDumped = module_buf.dumpPeToFile(modDumpReport->dumpFileName, curr_dump_mode);
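Review bot: When `rebase` is true but `mod->origBase` is 0, `ULONGLONG out_base = rebase ? mod->origBase : 0;` silently falls back to `mod->getRelocBase()` and nothing in the dump report records which base was actually applied, so a consumer comparing dumps (or their hashes) cannot tell a rebased dump from one that kept its in-memory base. Consider recording the effective base in `modDumpReport` (a field would need adding) or at least logging the fallback in `dumpModule`, whose body starts and ends outside this hunk. It is also worth stating in the commit message that rebasing to `origBase`, previously unconditional when the base was known, is now opt-in: callers passing `false` get a dump relocated to the in-memory base, which differs from the pre-commit output.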
11 changes: 10 additions & 1 deletion postprocessors/results_dumper.h
@@ -18,7 +18,14 @@ namespace pesieve {
}

// dump all modules detected as suspicious during the process scan
ProcessDumpReport* dumpDetectedModules(HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const pesieve::t_imprec_mode imprec_mode);
ProcessDumpReport* dumpDetectedModules(
HANDLE hProcess,
bool isRefl,
ProcessScanReport &process_report,
const pesieve::t_dump_mode dump_mode,
const t_imprec_mode imprec_mode,
const bool rebase
);

// dump JSON report from the process scan
bool dumpJsonReport(ProcessScanReport &process_report, const t_results_filter &filter, const pesieve::t_json_level &jdetails);
@@ -42,6 +49,7 @@ namespace pesieve {
\param modReport : ModuleScanReport defining artefacts to be dumped
\param exportsMap : mapping of all the exported APIs available within the process (for imports reconstruction)
\param imprec_mode : mode in which imports reconstruction will be attempted
\param out_base : the base to which the output module should be rebased, 0 if default
\param dumpReport : ProcessDumpReport to which reports from the current dump will be appended
*/
bool dumpModule(
@@ -52,6 +60,7 @@ namespace pesieve {
IN const peconv::ExportsMapper *exportsMap,
IN const pesieve::t_dump_mode dump_mode,
IN const pesieve::t_imprec_mode imprec_mode,
IN ULONGLONG out_base,
OUT ProcessDumpReport &dumpReport
);
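Review bot: The new `rebase` parameter of `dumpDetectedModules` is undocumented: the one-line comment `// dump all modules detected as suspicious during the process scan` above it says nothing about it, whereas `dumpModule` got a `\param out_base` entry in the same commit. Suggest a matching doxygen block, e.g. `\param rebase : if true, each dumped module is rebased to its original base (when known); otherwise 0 is passed as out_base and the default base is kept`. A minor style point on the same declaration: neighboring parameters qualify `pesieve::t_dump_mode` but leave `t_imprec_mode` unqualified; both resolve inside `namespace pesieve`, but the mix reads as accidental and the old declaration used `pesieve::t_imprec_mode`.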
