[FEATURE] Added new argument: rebase to regulate if the dumped module should be rebased to its original base

Author: hasherezade

include/pe_sieve_types.h

@@ -56,9 +56,9 @@ namespace pesieve {
 	} t_obfusc_mode;
 
 	typedef enum {
-		PE_IMPREC_NONE = 0, ///< do not try to recover imports
-		PE_IMPREC_AUTO,     ///< try to autodetect the most suitable mode
-		PE_IMPREC_UNERASE,  ///< recover erased parts of the partialy damaged import table
+		PE_IMPREC_NONE = 0,  ///< do not try to recover imports
+		PE_IMPREC_AUTO,      ///< try to autodetect the most suitable mode
+		PE_IMPREC_UNERASE,   ///< recover erased parts of the partialy damaged import table
 		PE_IMPREC_REBUILD0,  ///< build the import table from the scratch, basing on the found IAT(s): use only terminated blocks (restrictive mode)
 		PE_IMPREC_REBUILD1,  ///< build the import table from the scratch, basing on the found IAT(s): use terminated blocks, or blocks with more than 1 thunk
 		PE_IMPREC_REBUILD2,  ///< build the import table from the scratch, basing on the found IAT(s): use all found blocks (aggressive mode)
@@ -134,6 +134,7 @@ namespace pesieve {
 		t_iat_scan_mode iat;    ///< detect IAT hooking
 		t_data_scan_mode data;  ///< should scan non-executable pages?
 		bool minidump;          ///< make minidump of full process
+		bool rebase;            ///< rebase the module to its original base (if known)
 		t_dump_mode dump_mode;  ///< in which mode the detected PE implants should be dumped
 		bool json_output;       ///< display the final summary as the JSON report
 		bool make_reflection;   ///< operate on a process reflection rather than on the live process (this allows i.e. to force-read inaccessible pages)

params.h

@@ -23,6 +23,7 @@ using namespace pesieve;
 //dump options:
 #define PARAM_IMP_REC "imp"
 #define PARAM_DUMP_MODE "dmode"
+#define PARAM_REBASE "rebase"
 //output options:
 #define PARAM_OUT_FILTER "ofilter"
 #define PARAM_RESULTS_FILTER "report"
@@ -103,7 +104,10 @@ class PEsieveParams : public Params
 			ss2 << INFO_SPACER << "Example: kernel32.dll" << PARAM_LIST_SEPARATOR << "user32.dll";
 			this->setInfo(PARAM_MODULES_IGNORE, ss1.str(), ss2.str());
 		}
-		
+
+		this->addParam(new BoolParam(PARAM_REBASE, false));
+		this->setInfo(PARAM_REBASE, "Rebase the module to its original base (if known).");
+
 		this->addParam(new BoolParam(PARAM_QUIET, false));
 		this->setInfo(PARAM_QUIET, "Print only the summary. Do not log on stdout during the scan.");
 
@@ -236,6 +240,7 @@ class PEsieveParams : public Params
 		this->addParamToGroup(PARAM_MINIDUMP, str_group);
 		this->addParamToGroup(PARAM_IMP_REC, str_group);
 		this->addParamToGroup(PARAM_DUMP_MODE, str_group);
+		this->addParamToGroup(PARAM_REBASE, str_group);
 
 		str_group = "2. scan exclusions";
 		this->addGroup(new ParamGroup(str_group));
@@ -270,7 +275,7 @@ class PEsieveParams : public Params
 		copyVal<EnumParam>(PARAM_RESULTS_FILTER, ps.results_filter);
 
 		fillStringParam(PARAM_MODULES_IGNORE, ps.modules_ignored);
-
+		copyVal<BoolParam>(PARAM_REBASE, ps.rebase);
 		copyVal<BoolParam>(PARAM_QUIET, ps.quiet);
 		copyVal<BoolParam>(PARAM_JSON, ps.json_output);
 

pe_sieve.cpp

@@ -137,7 +137,7 @@ namespace pesieve {
 				dump_mode = pesieve::t_dump_mode(args.dump_mode);
 			}
 			size_t dumped_modules = 0;
-			dumpReport = dumper.dumpDetectedModules(hProcess, isRefl, process_report, dump_mode, args.imprec_mode);
+			dumpReport = dumper.dumpDetectedModules(hProcess, isRefl, process_report, dump_mode, args.imprec_mode, args.rebase);
 			if (dumpReport && dumpReport->countDumped()) {
 				dumped_modules = dumpReport->countDumped();
 			}

postprocessors/results_dumper.cpp

@@ -206,7 +206,8 @@ pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules(
 	bool isRefl,
 	ProcessScanReport &process_report, 
 	const pesieve::t_dump_mode dump_mode, 
-	const t_imprec_mode imprec_mode)
+	const t_imprec_mode imprec_mode,
+	const bool rebase)
 {
 	if (processHandle == nullptr) {
 		return nullptr;
@@ -222,13 +223,15 @@ pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules(
 		if (mod->status != SCAN_SUSPICIOUS) {
 			continue;
 		}
+		ULONGLONG out_base = rebase ? mod->origBase : 0;
 		dumpModule(processHandle,
 			isRefl,
 			process_report.modulesInfo,
 			mod,
 			process_report.exportsMap,
 			dump_mode,
 			imprec_mode,
+			out_base,
 			*dumpReport
 		);
 	}
@@ -260,6 +263,7 @@ bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
 	IN const peconv::ExportsMapper *exportsMap,
 	IN const pesieve::t_dump_mode dump_mode,
 	IN const t_imprec_mode imprec_mode,
+	IN ULONGLONG out_base,
 	OUT ProcessDumpReport &dumpReport
 )
 {
@@ -321,8 +325,8 @@ bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
 		modDumpReport->impRecMode = get_imprec_res_name(imprec_res);
 
 		module_buf.setRelocBase(mod->getRelocBase());
-		if (mod->origBase) {
-			module_buf.setRelocBase(mod->origBase);
+		if (out_base) {
+			module_buf.setRelocBase(out_base);
 		}
 		if (imprec_mode == pesieve::PE_IMPREC_NONE) {
 			modDumpReport->isDumped = module_buf.dumpPeToFile(modDumpReport->dumpFileName, curr_dump_mode);

postprocessors/results_dumper.h

@@ -18,7 +18,14 @@ namespace pesieve {
 		}
 
 		// dump all modules detected as suspicious during the process scan
-		ProcessDumpReport* dumpDetectedModules(HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const pesieve::t_imprec_mode imprec_mode);
+		ProcessDumpReport* dumpDetectedModules(
+			HANDLE hProcess, 
+			bool isRefl, 
+			ProcessScanReport &process_report, 
+			const pesieve::t_dump_mode dump_mode,
+			const t_imprec_mode imprec_mode,
+			const bool rebase
+		);
 
 		// dump JSON report from the process scan
 		bool dumpJsonReport(ProcessScanReport &process_report, const t_results_filter &filter, const pesieve::t_json_level &jdetails);
@@ -42,6 +49,7 @@ namespace pesieve {
 		\param modReport : ModuleScanReport defining artefacts to be dumped
 		\param exportsMap : mapping of all the exported APIs available within the process (for imports reconstruction)
 		\param imprec_mode : mode in which imports reconstruction will be attempted
+		\param out_base : the base to which the output module should be rebased, 0 if default
 		\param dumpReport : ProcessDumpReport to which reports from the current dump will be appended
 		*/
 		bool dumpModule(
@@ -52,6 +60,7 @@ namespace pesieve {
 			IN const peconv::ExportsMapper *exportsMap,
 			IN const pesieve::t_dump_mode dump_mode,
 			IN const pesieve::t_imprec_mode imprec_mode,
+			IN ULONGLONG out_base,
 			OUT ProcessDumpReport &dumpReport
 		);