jmp in memory allocation : "Could not get module base" (2)
Hi!
I just wanted to find a solution to a previous issue, #64, so here is the thing (I have tried the proposed solution). I have a malware with an injected PE inside another process (explorer.exe). There is a hook at the entry point of explorer.exe to jump inside a memory region allocated to this injected PE. I want to debug this PE inside explorer.exe because there is some message handling with the malicious injector process.
I have tried several ways to be able to debug the extracted injected PE file:
- Loading the injected PE as a segment at the same loading offset inside an IDB of the victim process (explorer.exe).
- Creating an IDB with the extracted injected PE with the same base address and the same name as the debugged process in x64dbg.
- Loading the injected PE as an external binary inside the extracted process in IDA.
I have extracted all of them with PE-Sieve, which gives the best results. The commands mentioned above don't prevent the error message "Could not get module base..."
I don't know how to handle this since I need to debug the running victim process.
Same Problem