expose DllBase for xrefer

modules/processing/behavior.py

@@ -352,6 +352,16 @@ def _parse(self, row):
         if call["thread_id"] not in self.threads:
             self.threads.append(call["thread_id"])
 
+        if (
+            api_name == "DllLoadNotification"
+            and len(arguments) == 3
+            and arguments[0].get("value", "") == "load"
+            and arguments[-1].get("name", "") == "DllBase"
+            and "DllBase" not in self.environdict
+            and _clean_path(arguments[1]["value"], self.options.replace_patterns) in self.environdict.get("CommandLine", "")
+        ):
+            self.environdict.setdefault("DllBase", arguments[-1]["value"])
+
         return call
 
 

web/templates/analysis/behavior/_processes.html

@@ -84,9 +84,9 @@
     }
     function load_filtered_chunk(pid, category, caller, tid) {
         // Trim leading and trailing spaces
-        var inputValue = $("#apifilter_" + pid).val().trim(); 
+        var inputValue = $("#apifilter_" + pid).val().trim();
         // Split input by commas, trim spaces, and join back with commas
-        var apis = inputValue.split(',').map(api => api.trim()).join(','); 
+        var apis = inputValue.split(',').map(api => api.trim()).join(',');
         var encodedlist = (apis === "") ? encodeURI("!null") : encodeURI(apis);
 
         $("#process_" + pid + " div.calltable").load("/analysis/filtered/{{id}}/" + pid + "/" + category + "/" + encodedlist + "/" + caller + "/" + tid + "/", function (data, status, xhr) {
@@ -135,6 +135,9 @@
                 {% if process.environ.CommandLine %}
                 <br />Command Line: <b>{{ process.environ.CommandLine }}</b>
                 {% endif %}
+                {% if process.environ.DllBase %}
+                    <br />Dll Image Base: <b>{{ process.environ.DllBase }}</b>,
+                {% endif %}
                 {% if process.environ.MainExeBase %}
                     <br />Image Base: <b>{{ process.environ.MainExeBase }}</b>,
                 {% endif %}