Merge branch 'preserve_base'

hasherezade · Sep 7, 2024 · 0290f8a · 0290f8a
2 parents 9d3d31f + 37ae916
commit 0290f8a
Show file tree

Hide file tree

Showing 10 changed files with 63 additions and 30 deletions.
diff --git a/libpeconv b/libpeconv
diff --git a/postprocessors/pe_buffer.h b/postprocessors/pe_buffer.h
@@ -9,7 +9,8 @@ namespace pesieve {
 	public:
 		PeBuffer(HANDLE _process_hndl, bool _is_refl)
 			: processHndl(_process_hndl), isRefl(_is_refl),
-			vBuf(nullptr), vBufSize(0), moduleBase(0), relocBase(0)
+			vBuf(nullptr), vBufSize(0), 
+			moduleBase(0), relocBase(0)
 		{
 		}
 

diff --git a/postprocessors/results_dumper.cpp b/postprocessors/results_dumper.cpp
@@ -187,8 +187,7 @@ pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules(
 	ProcessDumpReport *dumpReport = new ProcessDumpReport(process_report.getPid());
 	this->dumpDir = pesieve::ResultsDumper::makeDirName(process_report.getPid());
 
-	std::vector<ModuleScanReport*>::iterator itr;
-	for (itr = process_report.moduleReports.begin();
+	for (auto itr = process_report.moduleReports.begin();
 		itr != process_report.moduleReports.end();
 		++itr)
 	{
@@ -294,15 +293,16 @@ bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
 		ImpReconstructor::t_imprec_res imprec_res = impRec.rebuildImportTable(exportsMap, imprec_mode);
 		modDumpReport->impRecMode = get_imprec_res_name(imprec_res);
 
-
 		module_buf.setRelocBase(mod->getRelocBase());
+		if (mod->origBase) {
+			module_buf.setRelocBase(mod->origBase);
+		}
 		if (imprec_mode == pesieve::PE_IMPREC_NONE) {
 			modDumpReport->isDumped = module_buf.dumpPeToFile(modDumpReport->dumpFileName, curr_dump_mode);
 		}
 		else {
 			modDumpReport->isDumped = module_buf.dumpPeToFile(modDumpReport->dumpFileName, curr_dump_mode, exportsMap, &notCovered);
 		}
-
 
 		if (!modDumpReport->isDumped) {
 			modDumpReport->isDumped = module_buf.dumpToFile(modDumpReport->dumpFileName);

diff --git a/scanners/code_scanner.cpp b/scanners/code_scanner.cpp
@@ -361,10 +361,9 @@ pesieve::CodeScanReport* pesieve::CodeScanner::scanRemote()
 		}
 		return my_report;
 	}
-	ULONGLONG load_base = (ULONGLONG)moduleData.moduleHandle;
-	ULONGLONG hdr_base = remoteModData.getHdrImageBase();
-
-	my_report->relocBase = load_base;
+	const ULONGLONG load_base = (ULONGLONG)moduleData.moduleHandle;
+	const ULONGLONG hdr_base = remoteModData.getHdrImageBase();
+	my_report->origBase = moduleData.getHdrImageBase();
 	last_res = scanUsingBase(load_base, remote_code, my_report->sectionToResult, my_report->patchesList);
 
 	if (load_base != hdr_base && my_report->patchesList.size() > 0) {

diff --git a/scanners/code_scanner.h b/scanners/code_scanner.h
@@ -21,7 +21,7 @@ namespace pesieve {
 		} t_section_status;
 
 		CodeScanReport(HMODULE _module, size_t _moduleSize)
-			: ModuleScanReport(_module, _moduleSize), relocBase(0)
+			: ModuleScanReport(_module, _moduleSize)
 		{
 		}
 
@@ -98,7 +98,6 @@ namespace pesieve {
 
 		size_t generateTags(std::string reportPath);
 
-		ULONGLONG relocBase;
 		std::map<DWORD, t_section_status> sectionToResult;
 		PatchList patchesList;
 	};

diff --git a/scanners/headers_scanner.cpp b/scanners/headers_scanner.cpp
@@ -20,6 +20,8 @@ HeadersScanReport* pesieve::HeadersScanner::scanRemote()
 	memcpy(hdr_buffer1, remoteModData.headerBuffer, peconv::MAX_HEADER_SIZE);
 	my_report->is64 = peconv::is64bit(hdr_buffer1);
 	my_report->isDotNetModule = moduleData.isDotNet();
+	my_report->origBase = moduleData.getHdrImageBase();
+	my_report->relocBase = remoteModData.getHdrImageBase();
 
 	size_t hdrs_size = peconv::get_hdrs_size(hdr_buffer1);
 	if (hdrs_size > peconv::MAX_HEADER_SIZE) {

diff --git a/scanners/mapping_scanner.cpp b/scanners/mapping_scanner.cpp
@@ -15,23 +15,39 @@ MappingScanReport* pesieve::MappingScanner::scanRemote()
 
 	my_report->mappedFile = mapped_name;
 	my_report->moduleFile = module_name;
-	my_report->isDotNetModule = moduleData.isDotNet();
 
 	size_t mod_name_len = module_name.length();
 	if (!is_same && mod_name_len > 0) {
 		//check Wow64
 		char path_copy[MAX_PATH] = { 0 };
-		memcpy(path_copy, moduleData.szModName, mod_name_len);
+		::memcpy(path_copy, moduleData.szModName, mod_name_len);
 		convert_to_wow64_path(path_copy);
 		is_same = (to_lowercase(mapped_name) == to_lowercase(path_copy));
 		if (is_same) {
 			moduleData.switchToWow64Path();
 		}
 	}
-	if (!is_same) {
-		my_report->status = SCAN_SUSPICIOUS;
+	if (is_same) {
+		my_report->status = SCAN_NOT_SUSPICIOUS;
 		return my_report;
 	}
-	my_report->status = SCAN_NOT_SUSPICIOUS;
+	bool isFilled = false;
+	if (moduleData.loadOriginal()) {
+		isFilled = true;
+	}
+	else {
+#ifdef _DEBUG
+		std::cout << "Failed to load module name:\n\t" << module_name << "\nswitching to mapped name:\n\t" << mapped_name << std::endl;
+#endif
+		moduleData.switchToMappedPath();
+		if (moduleData.loadOriginal()) {
+			isFilled = true;
+		}
+	}
+	if (isFilled) {
+		my_report->isDotNetModule = moduleData.isDotNet();
+		my_report->origBase = moduleData.getHdrImageBase();
+	}
+	my_report->status = SCAN_SUSPICIOUS;
 	return my_report;
 }
diff --git a/scanners/module_data.cpp b/scanners/module_data.cpp
@@ -200,6 +200,18 @@ bool pesieve::ModuleData::switchToWow64Path()
 	return false;
 }
 
+bool pesieve::ModuleData::switchToMappedPath()
+{
+	const std::string path = RemoteModuleData::getMappedName(this->processHandle, this->moduleHandle);
+	const size_t len = path.length();
+	if (len >= MAX_PATH) {
+		return false;
+	}
+	::memcpy(szModName, path.c_str(), len);
+	szModName[len] = 0;
+	return true;
+}
+
 bool pesieve::ModuleData::reloadWow64()
 {
 	if (!switchToWow64Path()) return false;

diff --git a/scanners/module_data.h b/scanners/module_data.h
@@ -89,7 +89,7 @@ namespace pesieve {
 		}
 
 		bool loadOriginal();
-
+		bool switchToMappedPath();
 		bool switchToWow64Path();
 		bool reloadWow64();
 		bool relocateToBase(ULONGLONG new_base);

diff --git a/scanners/module_scan_report.h b/scanners/module_scan_report.h
@@ -35,20 +35,12 @@ namespace pesieve {
 			return report->status;
 		}
 
-		ModuleScanReport(HMODULE _module, size_t _moduleSize, t_scan_status _status)
-		{
-			this->module = _module;
-			this->moduleSize = _moduleSize;
-			this->status = _status;
-			this->isDotNetModule = false;
-		}
 
-		ModuleScanReport(HMODULE _module, size_t _moduleSize)
+		ModuleScanReport(HMODULE _module, size_t _moduleSize, t_scan_status _status = SCAN_NOT_SUSPICIOUS)
+			: module(_module), moduleSize(_moduleSize), isDotNetModule(false), 
+			origBase(0), relocBase((ULONGLONG)_module),
+			status(_status)
 		{
-			this->module = _module;
-			this->moduleSize = _moduleSize;
-			this->isDotNetModule = false;
-			this->status = SCAN_NOT_SUSPICIOUS;
 		}
 
 		virtual ~ModuleScanReport() {}
@@ -64,6 +56,8 @@ namespace pesieve {
 		size_t moduleSize;
 		bool isDotNetModule;
 		std::string moduleFile;
+		ULONGLONG origBase;
+		ULONGLONG relocBase;
 		t_scan_status status;
 
 	protected:
@@ -77,6 +71,16 @@ namespace pesieve {
 					outs << "\"" << std::hex << (ULONGLONG)moduleSize << "\"" << ",\n";
 				}
 			}
+#ifdef _DEBUG
+			if (origBase) {
+				OUT_PADDED(outs, level, "\"original_base\" : ");
+				outs << std::hex << "\"" << origBase << "\"" << ",\n";
+			}
+#endif //_DEBUG
+			if (relocBase != (ULONGLONG)module) {
+				OUT_PADDED(outs, level, "\"reloc_base\" : ");
+				outs << std::hex << "\"" << relocBase << "\"" << ",\n";
+			}
 			if (moduleFile.length()) {
 				OUT_PADDED(outs, level, "\"module_file\" : ");
 				outs << "\"" << pesieve::util::escape_path_separators(moduleFile) << "\"" << ",\n";
+4 −0		libpeconv/src/exceptions_parser.cpp
+4 −1		libpeconv/src/pe_dumper.cpp
+10 −2		libpeconv/src/peb_lookup.cpp
+6 −3		run_pe/run_pe.cpp