[FEATURE] Dump the same module only once (even when it was detected b…

…y multiple scan types)
hasherezade · Nov 2, 2024 · 0783178 · 0783178
1 parent 6d1e6a9
commit 0783178
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/postprocessors/dump_report.h b/postprocessors/dump_report.h
@@ -89,6 +89,20 @@ namespace pesieve {
 			return dumped;
 		}
 
+		bool hasModule(const ULONGLONG modBase, const size_t modSize) const
+		{
+			if (!modBase) return false;
+
+			for (auto itr = moduleReports.begin(); itr != moduleReports.end(); ++itr) {
+				const ModuleDumpReport* report = *itr;
+				if (!report->isDumped) continue; // dumping failed
+				if (report->moduleStart == modBase && report->moduleSize == modSize) {
+					return true;
+				}
+			}
+			return false;
+		}
+
 		virtual bool toJSON(std::stringstream &stream, size_t level) const;
 
 		DWORD getPid() const { return pid; }

diff --git a/postprocessors/results_dumper.cpp b/postprocessors/results_dumper.cpp
@@ -223,6 +223,10 @@ pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules(
 		if (mod->status != SCAN_SUSPICIOUS) {
 			continue;
 		}
+		// skip already dumped:
+		if (dumpReport->hasModule((ULONGLONG)mod->module, mod->moduleSize)) {
+			continue;
+		}
 		ULONGLONG out_base = rebase ? mod->origBase : 0;
 		dumpModule(processHandle,
 			isRefl,