Merge branch 'check_payload_ext'

hasherezade · Aug 18, 2018 · bcf6daf · bcf6daf
2 parents 24fd1c3 + 6198836
commit bcf6daf
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 6 deletions.
diff --git a/pe_sieve.cpp b/pe_sieve.cpp
@@ -14,7 +14,7 @@
 HANDLE open_process(DWORD processID)
 {
 	HANDLE hProcess = OpenProcess(
-		PROCESS_QUERY_INFORMATION |PROCESS_VM_READ,
+		PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
 		FALSE, processID
 	);
 	if (hProcess != nullptr) {

diff --git a/pe_sieve.h b/pe_sieve.h
@@ -7,8 +7,8 @@
 #include "scanners/scan_report.h"
 #include "report_formatter.h"
 
-static char PESIEVE_VERSION[] = "0.1.3.8";
-static DWORD PESIEVE_VERSION_ID = 0x00010308; // 00 01 03 08
+static char PESIEVE_VERSION[] = "0.1.4";
+static DWORD PESIEVE_VERSION_ID = 0x00010400; // 00 01 04 00
 static char PESIEVE_URL[] = "https://github.com/hasherezade/pe-sieve";
 
 std::string info();

diff --git a/results_dumper.cpp b/results_dumper.cpp
@@ -59,6 +59,18 @@ bool dumpAsShellcode(std::string dumpFileName, HANDLE processHandle, PBYTE modul
 	return is_ok;
 }
 
+std::string get_payload_ext(ModuleScanReport* mod)
+{
+	ArtefactScanReport* artefactRepot = dynamic_cast<ArtefactScanReport*>(mod);
+	if (!artefactRepot) {
+		return ".dll"; //default
+	}
+	if (artefactRepot->artefacts.isDll) {
+		return ".dll";
+	}
+	return ".exe";
+}
+
 size_t ResultsDumper::dumpAllModified(HANDLE processHandle, ProcessScanReport &process_report)
 {
 	if (processHandle == nullptr) {
@@ -85,8 +97,8 @@ size_t ResultsDumper::dumpAllModified(HANDLE processHandle, ProcessScanReport &p
 		if (GetModuleFileNameExA(processHandle, mod->module, szModName, MAX_PATH)) {
 			modulePath = get_file_name(szModName);
 		}
-
-		std::string dumpFileName = makeModuleDumpPath((ULONGLONG)mod->module, modulePath, ".dll");
+		const std::string payload_ext = get_payload_ext(mod);
+		std::string dumpFileName = makeModuleDumpPath((ULONGLONG)mod->module, modulePath, payload_ext);
 
 		if (!peconv::dump_remote_pe(
 			dumpFileName.c_str(), //output file
@@ -106,7 +118,7 @@ size_t ResultsDumper::dumpAllModified(HANDLE processHandle, ProcessScanReport &p
 				ULONGLONG found_pe_base = artefactRepot->artefacts.peImageBase();
 				PeReconstructor peRec(artefactRepot->artefacts);
 				if (peRec.reconstruct(processHandle)) {
-					std::string dumpFileName = makeModuleDumpPath(found_pe_base, modulePath, ".rec.dll");
+					std::string dumpFileName = makeModuleDumpPath(found_pe_base, modulePath, ".rec" + payload_ext);
 					peRec.dumpToFile(dumpFileName, process_report.exportsMap);
 				}
 			}

diff --git a/scanners/artefact_scanner.cpp b/scanners/artefact_scanner.cpp
@@ -387,6 +387,10 @@ PeArtefacts* ArtefactScanner::generateArtefacts(ArtefactScanner::ArtefactsMappin
 	}
 	peArt->peBaseOffset = size_t(aMap.pe_image_base - memPage.region_start);
 	peArt->calculatedImgSize = calcImageSize(memPage, aMap.sec_hdr, aMap.pe_image_base);
+
+	if (aMap.nt_file_hdr) {
+		peArt->isDll = aMap.nt_file_hdr->Characteristics & IMAGE_FILE_DLL;
+	}
 	return peArt;
 }
 

diff --git a/scanners/artefact_scanner.h b/scanners/artefact_scanner.h
@@ -25,6 +25,7 @@ class PeArtefacts {
 		secCount = 0;
 		calculatedImgSize = 0;
 		isMzPeFound = false;
+		isDll = true;
 	}
 
 	bool hasNtHdrs()
@@ -57,6 +58,9 @@ class PeArtefacts {
 		outs << ",\n";
 		OUT_PADDED(outs, level, "\"sections_count\" : ");
 		outs << std::hex << secCount;
+		outs << ",\n";
+		OUT_PADDED(outs, level, "\"is_dll\" : ");
+		outs << std::dec << isDll;
 		return true;
 	}
 
@@ -76,6 +80,7 @@ class PeArtefacts {
 	size_t secCount;
 	size_t calculatedImgSize;
 	bool isMzPeFound;
+	bool isDll;
 };
 
 class ArtefactScanReport : public MemPageScanReport