Construct the module directly from the pefile.PE structure

Author: mrexodia

src/dumpulator/dumpulator.py

@@ -400,8 +400,12 @@ def _parse_module_exports(self, module):
     def _setup_modules(self):
         minidump_module: minidump.MinidumpModule
         for minidump_module in self._minidump.modules.modules:
-            module = self.modules.add(minidump_module.baseaddress, minidump_module.size, minidump_module.name)
-            header = self.read(module.base, PAGE_SIZE)
+            base = minidump_module.baseaddress
+            size = minidump_module.size
+            path = minidump_module.name
+
+            # Parse the header to dump the sections from memory
+            header = self.read(base, PAGE_SIZE)
             pe = PE(data=header, fast_load=True)
             image_size = pe.OPTIONAL_HEADER.SizeOfImage
             section_alignment = pe.OPTIONAL_HEADER.SectionAlignment
@@ -412,7 +416,7 @@ def _setup_modules(self):
                 mask = section_alignment - 1
                 rva = (section.VirtualAddress + mask) & ~mask
                 size = self.memory.align_page(section.Misc_VirtualSize)
-                va = module.base + rva
+                va = base + rva
                 for page in range(va, va + size, PAGE_SIZE):
                     region = self.memory.find_commit(page)
                     if region is not None:
@@ -421,17 +425,15 @@ def _setup_modules(self):
                     data = self.read(va, size)
                     mapped_data[rva:size] = data
                 except UcError:
-                    self.error(f"Failed to read section {name} from module {module.path}")
+                    self.error(f"Failed to read section {name} from module {path}")
             # Load the PE dumped from memory
             pe = PE(data=mapped_data, fast_load=True)
             # Hack to adjust pefile to accept in-memory modules
             for section in pe.sections:
                 # Potentially interesting members: Misc_PhysicalAddress, Misc_VirtualSize, SizeOfRawData
                 section.PointerToRawData = section.VirtualAddress
                 section.PointerToRawData_adj = section.VirtualAddress
-            # Extract the relevant information from the PE
-            module.parse_pe(pe)
-
+            self.modules.add(pe, path)
 
     def _setup_syscalls(self):
         # Load the ntdll module from memory
@@ -816,9 +818,7 @@ def map_module(self, file_data: bytes, file_path: str = "", requested_base: int
             self.write(va, data)
 
         # Add the module to the module manager
-        module = self.modules.add(image_base, image_size, file_path)
-        module.parse_pe(pe)
-        return module
+        return self.modules.add(pe, file_path)
 
     def load_dll(self, file_name: str, file_data: bytes):
         self.handles.map_file("\\??\\" + file_name, FileObject(file_name, file_data))

src/dumpulator/modules.py

@@ -11,21 +11,22 @@ def __init__(self, address: int, ordinal: int, name: str):
         self.name = name
 
 class Module:
-    def __init__(self, base: int, size: int, path: str):
-        self.base = base
-        self.size = size
+    def __init__(self, pe: pefile.PE, path: str):
+        self.pe = pe
         self.path = path
-        self.name = path.split('\\')[-1]
-        self.pe: pefile.PE = None
+        self.name = path.split("\\")[-1]
         self._exports_by_address: Dict[int, int] = {}
         self._exports_by_ordinal: Dict[int, int] = {}
         self._exports_by_name: Dict[str, int] = {}
         self.exports: List[ModuleExport] = []
+        self._parse_pe()
 
-    def parse_pe(self, pe: pefile.PE):
-        self.pe = pe
+    def _parse_pe(self):
+        self.base: int = self.pe.OPTIONAL_HEADER.ImageBase
+        self.size: int = self.pe.OPTIONAL_HEADER.SizeOfImage
+        self.entry: int = self.base + self.pe.OPTIONAL_HEADER.AddressOfEntryPoint
         self.pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]])
-        pe_exports = pe.DIRECTORY_ENTRY_EXPORT.symbols if hasattr(pe, "DIRECTORY_ENTRY_EXPORT") else []
+        pe_exports = self.pe.DIRECTORY_ENTRY_EXPORT.symbols if hasattr(self.pe, "DIRECTORY_ENTRY_EXPORT") else []
         for pe_export in pe_exports:
             va = self.base + pe_export.address
             if pe_export.name:
@@ -66,11 +67,11 @@ def __init__(self, memory: MemoryManager):
         self._name_lookup: Dict[str, int] = {}
         self._modules: Dict[int, Module] = {}
 
-    def add(self, base: int, size: int, path: str):
-        module = Module(base, size, path)
-        self._modules[base] = module
+    def add(self, pe: pefile.PE, path: str):
+        module = Module(pe, path)
+        self._modules[module.base] = module
         region = self._memory.find_region(module.base)
-        assert region.start == base
+        assert region.start == module.base
         assert region is not None
         region.info = module
         self._name_lookup[module.name] = module.base