PEFix – simple PE file re-aligner

July 9, 2016 in Malware Analysis, PEFix, Software Releases

Every time you dump a PE file from memory, the dump is aligned on the memory page-size boundary (4096) instead of the typical file alignment boundary of 512 (barring some PE tricks and less common file alignments).

There are many really cool tools that rebuild PE files directly from memory and do it in an excellent way, but sometimes it’s good to have a simple, stupid script at hand that does the re-alignment only. The re-aligned file can’t be executed, but it will make more sense when you load it into IDA. Such a stupid script also comes in handy when images are loaded via manual/reflective loading and there are several of them in the same process space (or you just have lots of them); rebuilding such memory dumps by hand is a pain, so the script attached to this post will do the dirty job for you (you can run it as a batch job).

So, say you locate a memory region where malware hides its PE file; you dump it, e.g. using Process Hacker, hiperdrop, or any memdumping tool, then run the script over it (or them), and you should get a ‘.fixed’ file (or files) that is just a realigned version of your memory dump(s).

Load it into IDA, happy analysis…

In case malware wipes out the MZ/PE markers you can always mod the script a bit to bypass that check and still rebuild the file. For completely wiped-out MZ/PE markers/header/section table/etc. it’s going to be a manual job, although one could think of some heuristics… who knows… maybe in the next version :).
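The re-alignment described above, and the MZ/PE marker check that would need relaxing when the markers are wiped, as an added example in Python; this is not the PEFix script attached to the post. It reads a memory dump with sections sitting at their VirtualAddress (page aligned), copies each section back to its PointerToRawData, and writes a `.fixed` file. The sample dump is constructed inline (a tiny PE32 layout with `.text` and `.data`), so the whole thing runs offline; the function and variable names are this example's own.

```python
"""Re-align a PE image dumped from memory back to its on-disk layout.

Added example for this post, not the original PEFix script. A memory dump has
each section at its VirtualAddress (page aligned, 4096); this copies every
section back to its PointerToRawData (file aligned, typically 512) so the
result loads cleanly in a disassembler. It will not run: imports, relocations
and any runtime patches stay exactly as they were in memory.
"""
import struct
import sys

SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def is_pe(img):
    """True if the MZ and PE\\0\\0 markers are where a PE file keeps them."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    return img[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_headers(img):
    """Return (section_alignment, file_alignment, size_of_headers, sections).

    Raises ValueError when the MZ/PE markers are missing; if malware wiped
    them, this is the check to relax after restoring the markers by hand.
    """
    if not is_pe(img):
        raise ValueError("MZ/PE markers missing")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    nsec, = struct.unpack_from("<H", img, e_lfanew + 6)     # NumberOfSections
    opt_size, = struct.unpack_from("<H", img, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    # SectionAlignment/FileAlignment and SizeOfHeaders sit at the same offsets in PE32 and PE32+
    sect_align, file_align = struct.unpack_from("<II", img, opt + 32)
    size_of_headers, = struct.unpack_from("<I", img, opt + 60)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * SECTION_HDR_SIZE
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", img, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr})
    return sect_align, file_align, size_of_headers, sections


def realign(img):
    """Unmap a memory image: headers stay at 0, each section moves VA -> raw offset."""
    _, _, size_of_headers, sections = parse_headers(img)
    # The output ends where the last section ends on disk.
    out_len = max([size_of_headers] + [s["rawptr"] + s["rawsize"] for s in sections])
    out = bytearray(out_len)
    hdr = img[:size_of_headers]
    out[:len(hdr)] = hdr
    for s in sections:
        if s["rawsize"] == 0 or s["rawptr"] == 0:
            continue  # .bss-style section: nothing stored on disk
        # Truncated dumps: copy only what is actually present in the image.
        n = max(0, min(s["rawsize"], len(img) - s["va"]))
        chunk = img[s["va"]:s["va"] + n]
        out[s["rawptr"]:s["rawptr"] + len(chunk)] = chunk
    return bytes(out)


def build_sample_dump():
    """Constructed memory dump of a tiny PE32 image (not a real binary):
    headers at 0, .text at RVA 0x1000 and .data at RVA 0x2000, page aligned."""
    # name, VirtualAddress, PointerToRawData, SizeOfRawData, fill byte
    layout = [(b".text", 0x1000, 0x200, 0x200, b"T"),
              (b".data", 0x2000, 0x400, 0x200, b"D")]
    img = bytearray(0x3000)
    e_lfanew, opt_size = 0x80, 0xE0
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4,
                     0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x200)   # SizeOfImage, SizeOfHeaders
    for i, (name, va, rawptr, rawsize, fill) in enumerate(layout):
        off = opt + opt_size + i * SECTION_HDR_SIZE
        struct.pack_into("<8sIIII", img, off, name, 0x100, va, rawsize, rawptr)
        img[va:va + rawsize] = fill * rawsize  # section body, as it sits in memory
    return bytes(img)


def main(paths):
    """Write <dump>.fixed next to each dump; usable as a batch job."""
    for path in paths:
        with open(path, "rb") as f:
            img = f.read()
        try:
            fixed = realign(img)
        except ValueError as e:
            print("%s: %s" % (path, e))
            continue
        with open(path + ".fixed", "wb") as f:
            f.write(fixed)
        print("%s -> %s.fixed (%d bytes)" % (path, path, len(fixed)))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python pefix_example.py dump1.bin dump2.bin` to get `dump1.bin.fixed` and `dump2.bin.fixed`. The sanity checks are deliberately minimal: a section with `PointerToRawData` of 0 is skipped as uninitialised data, and a dump shorter than the headers claim is copied as far as it goes, which is what you want for a partially overwritten or truncated region. A section table that was tampered with will still produce garbage, which is where the post's "manual job" begins.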

This is the script.