[FEATURE] Relocate the realigned modules back to their original base

hasherezade · Sep 7, 2024 · d7542b2 · d7542b2
1 parent d1cfae8
commit d7542b2
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 6 deletions.
diff --git a/libpeconv b/libpeconv
diff --git a/postprocessors/pe_buffer.h b/postprocessors/pe_buffer.h
@@ -9,7 +9,8 @@ namespace pesieve {
 	public:
 		PeBuffer(HANDLE _process_hndl, bool _is_refl)
 			: processHndl(_process_hndl), isRefl(_is_refl),
-			vBuf(nullptr), vBufSize(0), moduleBase(0), relocBase(0)
+			vBuf(nullptr), vBufSize(0), 
+			moduleBase(0), relocBase(0)
 		{
 		}
 

diff --git a/postprocessors/results_dumper.cpp b/postprocessors/results_dumper.cpp
@@ -293,15 +293,16 @@ bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
 		ImpReconstructor::t_imprec_res imprec_res = impRec.rebuildImportTable(exportsMap, imprec_mode);
 		modDumpReport->impRecMode = get_imprec_res_name(imprec_res);
 
-
 		module_buf.setRelocBase(mod->getRelocBase());
+		if (mod->origBase) {
+			module_buf.setRelocBase(mod->origBase);
+		}
 		if (imprec_mode == pesieve::PE_IMPREC_NONE) {
 			modDumpReport->isDumped = module_buf.dumpPeToFile(modDumpReport->dumpFileName, curr_dump_mode);
 		}
 		else {
 			modDumpReport->isDumped = module_buf.dumpPeToFile(modDumpReport->dumpFileName, curr_dump_mode, exportsMap, &notCovered);
 		}
-
 
 		if (!modDumpReport->isDumped) {
 			modDumpReport->isDumped = module_buf.dumpToFile(modDumpReport->dumpFileName);

diff --git a/scanners/code_scanner.h b/scanners/code_scanner.h
@@ -43,7 +43,6 @@ namespace pesieve {
 			const size_t inaccessibleCount = countInaccessibleSections();
 			const size_t scannedCount = sectionToResult.size() - inaccessibleCount;
 			ModuleScanReport::_toJSON(outs, level);
-			outs << ",\n";
 			if (sectionToResult.size() > 0) {
 				outs << ",\n";
 				OUT_PADDED(outs, level, "\"scanned_sections\" : ");
@@ -60,7 +59,6 @@ namespace pesieve {
 				OUT_PADDED(outs, level, "\"unpacked_sections\" : ");
 				outs << std::dec << unpacked;
 			}
-			outs << ",\n";
 			if (patchesList.size() > 0) {
 				outs << ",\n";
 				OUT_PADDED(outs, level, "\"patches\" : ");

diff --git a/scanners/module_scan_report.h b/scanners/module_scan_report.h
@@ -71,10 +71,12 @@ namespace pesieve {
 					outs << "\"" << std::hex << (ULONGLONG)moduleSize << "\"" << ",\n";
 				}
 			}
+#ifdef _DEBUG
 			if (origBase) {
 				OUT_PADDED(outs, level, "\"original_base\" : ");
 				outs << std::hex << "\"" << origBase << "\"" << ",\n";
 			}
+#endif //_DEBUG
 			if (relocBase != (ULONGLONG)module) {
 				OUT_PADDED(outs, level, "\"reloc_base\" : ");
 				outs << std::hex << "\"" << relocBase << "\"" << ",\n";
+4 −0		libpeconv/src/exceptions_parser.cpp
+4 −1		libpeconv/src/pe_dumper.cpp
+10 −2		libpeconv/src/peb_lookup.cpp
+6 −3		run_pe/run_pe.cpp