Add memory PE image traces output

a0rtega · Nov 8, 2021 · f658ccc · f658ccc
1 parent c6c28ab
commit f658ccc
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/pafish/common.c b/pafish/common.c
@@ -11,6 +11,8 @@
 #include "common.h"
 #include "types.h"
 
+char pafish_pe_img_log[2048];
+
 unsigned short init_cmd_colors() {
 	CONSOLE_SCREEN_BUFFER_INFO csbi;
 	HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
@@ -73,6 +75,9 @@ void write_trace(char product[]) {
 #if ENABLE_DNS_TRACE
 	write_trace_dns(product);
 #endif
+#if ENABLE_PE_IMG_TRACE
+	write_trace_pe_img(product, TRUE);
+#endif
 }
 
 void write_trace_dns(char product[]) {
@@ -95,6 +100,12 @@ void write_trace_dns(char product[]) {
 	free(dns);
 }
 
+void write_trace_pe_img(char product[], BOOLEAN add_comma) {
+	strncat(pafish_pe_img_log, product, strlen(product));
+	if (add_comma)
+		strncat(pafish_pe_img_log, ",", 2);
+}
+
 void print_check_group(char * text) {
 	printf("\n[-] %s\n", text);
 }

diff --git a/pafish/common.h b/pafish/common.h
@@ -20,6 +20,8 @@ void write_trace(char product[]);
 
 void write_trace_dns(char product[]);
 
+void write_trace_pe_img(char product[], BOOLEAN add_comma);
+
 void print_check_group(char * text);
 
 void exec_check(char * text, int (*callback)(), char * text_log, char * text_trace);

diff --git a/pafish/config.h b/pafish/config.h
@@ -2,6 +2,17 @@
 #ifndef CONFIG_H
 #define CONFIG_H
 
+/* This output flag enables sending of DNS
+ * requests when pafish detects products.
+ */
 #define ENABLE_DNS_TRACE 1
 
+/* This output flag enables writing traces of
+ * detections to a PE section of the pafish
+ * image in memory. Memory dumps of unpacked executables
+ * may reveal the detected products.
+ * Output format: "analysis-start trace1,trace2, analysis-end"
+ */
+#define ENABLE_PE_IMG_TRACE 1
+
 #endif
diff --git a/pafish/main.c b/pafish/main.c
@@ -54,6 +54,9 @@ int main(void)
 #if ENABLE_DNS_TRACE
 	write_trace_dns("analysis-start");
 #endif
+#if ENABLE_PE_IMG_TRACE
+	write_trace_pe_img("analysis-start ", FALSE);
+#endif
 
 	original_colors = init_cmd_colors();
 	print_header();
@@ -372,6 +375,9 @@ int main(void)
 #if ENABLE_DNS_TRACE
 	write_trace_dns("analysis-end");
 #endif
+#if ENABLE_PE_IMG_TRACE
+	write_trace_pe_img(" analysis-end", FALSE);
+#endif
 
 	/* Restore window */
 	ShowWindow(GetConsoleWindow(), SW_RESTORE);