
Error reconstructing PE from the found artifacts (64 bit PE)

Open hasherezade opened this issue 4 years ago • 1 comment

Sample: e818738311bc1d540a23f3235d75e5a9d79ee75e8661bf34e54cdb7755e619e3

The implanted PEs are detected, yet they are dumped as .corrupt_dlls. The reconstruction fails. Detected artifacts:

   "workingset_scan" : {
    "module" : "4d1f9b0000",
    "status" : 1,
    "has_pe" : 1,
    "has_shellcode" : 0,
    "is_listed_module" : 0,
    "protection" : "40",
    "mapping_type" : "MEM_PRIVATE",
    "pe_artefacts" : {
     "pe_base_offset" : "0",
     "sections_hdrs" : "1f8",
     "sections_count" : 5,
     "is_dll" : 1,
     "is_64_bit" : 1
    }
   }
  },
  {
   "workingset_scan" : {
    "module" : "4d21340000",
    "status" : 1,
    "has_pe" : 1,
    "has_shellcode" : 1,
    "is_listed_module" : 0,
    "protection" : "40",
    "mapping_type" : "MEM_PRIVATE",
    "pe_artefacts" : {
     "pe_base_offset" : "ce8",
     "nt_file_hdr" : "ddc",
     "sections_hdrs" : "ee0",
     "sections_count" : 5,
     "is_dll" : 1,
     "is_64_bit" : 1
    }
   }

Dumped artifacts: artifacts.zip

hasherezade, Jun 25 '21 18:06

The PE with more complete artifacts was dumped properly:

dumped_dll

hasherezade, Jun 27 '21 15:06
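A small triage script over the two report entries quoted in this issue (an added example, not pe-sieve's own code): it lists which PE header artefacts each region is missing and, on the assumption that "nt_file_hdr" is the offset of IMAGE_FILE_HEADER, checks that the section table sits exactly one file header plus one optional header behind it. That check holds for the second entry, the one with the more complete artefacts that dumped properly, and cannot be made for the first, which lacks "nt_file_hdr".

```python
import json

# Two "workingset_scan" entries taken from the pe-sieve report quoted in this issue.
REPORT = json.loads("""[
 {"workingset_scan": {"module": "4d1f9b0000", "status": 1, "has_pe": 1,
   "has_shellcode": 0, "is_listed_module": 0, "protection": "40",
   "mapping_type": "MEM_PRIVATE", "pe_artefacts": {"pe_base_offset": "0",
   "sections_hdrs": "1f8", "sections_count": 5, "is_dll": 1, "is_64_bit": 1}}},
 {"workingset_scan": {"module": "4d21340000", "status": 1, "has_pe": 1,
   "has_shellcode": 1, "is_listed_module": 0, "protection": "40",
   "mapping_type": "MEM_PRIVATE", "pe_artefacts": {"pe_base_offset": "ce8",
   "nt_file_hdr": "ddc", "sections_hdrs": "ee0", "sections_count": 5,
   "is_dll": 1, "is_64_bit": 1}}}
]""")

FILE_HDR_SIZE = 20                      # sizeof(IMAGE_FILE_HEADER)
OPT_HDR_SIZE = {True: 240, False: 224}  # IMAGE_OPTIONAL_HEADER64 / 32

def triage_entry(entry):
    """Summarise which PE header artefacts survived in one scanned region."""
    ws = entry["workingset_scan"]
    art = ws.get("pe_artefacts", {})
    is64 = bool(art.get("is_64_bit"))
    missing = [k for k in ("pe_base_offset", "nt_file_hdr", "sections_hdrs")
               if k not in art]
    # Assumption: "nt_file_hdr" is the offset of IMAGE_FILE_HEADER, so the
    # section table should start file header + optional header bytes after it.
    consistent = None
    if "nt_file_hdr" in art and "sections_hdrs" in art:
        expected = int(art["nt_file_hdr"], 16) + FILE_HDR_SIZE + OPT_HDR_SIZE[is64]
        consistent = expected == int(art["sections_hdrs"], 16)
    return {
        "module": ws["module"],
        "arch": "x64" if is64 else "x86",
        "kind": "DLL" if art.get("is_dll") else "EXE",
        "sections": art.get("sections_count", 0),
        "missing_headers": missing,
        "headers_consistent": consistent,
        "likely_reconstructable": not missing and consistent is True,
    }

def triage_report(report):
    """Triage every region in which pe-sieve found PE artefacts."""
    return [triage_entry(e) for e in report if e["workingset_scan"].get("has_pe")]

if __name__ == "__main__":
    for row in triage_report(REPORT):
        print(row)
```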