Failed reconstructing the payload (Ursnif) #32
Comments
hasherezade
changed the title
|
Was going to open an issue about this over the weekend, but seems like you already identified it 😄 Another sample if needed: For me, pe-sieve crashes as soon as it starts scanning the memory regions.
Seems like header is corrupted and RVA can't be fetched. |
|
@bartblaze - the crash was another issue (#28), and I already fixed it, please check the latest builds and let me know if it works for you: https://github.com/hasherezade/pe-sieve/blob/master/README.md |
|
Thanks @hasherezade, I can confirm that solved the crashing issue. (and thanks for a great tool!) |
|
Result: the payload got shifted (to make space for the DOS header), realigned to Virtual (because of damaged raw headers) and dumped: |
Test case
633521d921ddad8671293319f0fd9daab9a0a606887ada3ab3709027cbb1e591
Problem
The payload has a partially corrupt header (starting from file header):
PE-sieve was able to find some artefacts:
However, if failed to reconstruct the PE.
The text was updated successfully, but these errors were encountered: