From 078317854adae97e6ff242acfd9843f6e9913d81 Mon Sep 17 00:00:00 2001
From: hasherezade
Date: Sat, 2 Nov 2024 15:09:20 -0700
Subject: [PATCH] [FEATURE] Dump the same module only once (even when it was detected by multiple scan types)

---
 postprocessors/dump_report.h | 14 ++++++++++++++
 postprocessors/results_dumper.cpp | 4 ++++
 2 files changed, 18 insertions(+)

diff --git a/postprocessors/dump_report.h b/postprocessors/dump_report.h
index 4a28b258f..58140d662 100644
--- a/postprocessors/dump_report.h
+++ b/postprocessors/dump_report.h
@@ -89,6 +89,20 @@ namespace pesieve {
 			return dumped;
 		}
 
+		bool hasModule(const ULONGLONG modBase, const size_t modSize) const
+		{
+			if (!modBase) return false;
+
+			for (auto itr = moduleReports.begin(); itr != moduleReports.end(); ++itr) {
+				const ModuleDumpReport* report = *itr;
+				if (!report->isDumped) continue; // dumping failed
+				if (report->moduleStart == modBase && report->moduleSize == modSize) {
+					return true;
+				}
+			}
+			return false;
+		}
+
 		virtual bool toJSON(std::stringstream &stream, size_t level) const;
 
 		DWORD getPid() const { return pid; }
diff --git a/postprocessors/results_dumper.cpp b/postprocessors/results_dumper.cpp
index 96904772d..787c80297 100644
--- a/postprocessors/results_dumper.cpp
+++ b/postprocessors/results_dumper.cpp
@@ -223,6 +223,10 @@ pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules(
 		if (mod->status != SCAN_SUSPICIOUS) {
 			continue;
 		}
+		// skip already dumped:
+		if (dumpReport->hasModule((ULONGLONG)mod->module, mod->moduleSize)) {
+			continue;
+		}
 		ULONGLONG out_base = rebase ? mod->origBase : 0;
 		dumpModule(processHandle, isRefl,
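Review bot: hasModule in the dump_report.h hunk only recognizes a previous dump when both moduleStart and moduleSize match exactly, so two scan types that report the same base with different sizes (presumably possible if one scanner measures a partial region and another the full image — worth confirming against the scan report types) would still produce two dumps of the same module, which is the case the commit sets out to prevent; matching on moduleStart alone, or on overlap, would be more robust if that can occur. The deliberate choice to ignore reports with isDumped == false, so that a failed dump is retried by the next scan type, deserves a sentence above the function, e.g. `// Returns true if a module at exactly (modBase, modSize) already has a successful dump report; failed dumps are not counted so a later scan type can retry them.` The hand-rolled iterator loop could also be a single `std::any_of(moduleReports.begin(), moduleReports.end(), [&](const ModuleDumpReport* r) { return r->isDumped && r->moduleStart == modBase && r->moduleSize == modSize; });` (needs `<algorithm>`). The second hunk, in results_dumper.cpp, is cut off at the end of this view, so its enclosing loop was not reviewed here.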