diff --git a/modules/processing/behavior.py b/modules/processing/behavior.py
index 394a48f6842..ceb039bb5df 100644
--- a/modules/processing/behavior.py
+++ b/modules/processing/behavior.py
@@ -352,6 +352,16 @@ def _parse(self, row):
if call["thread_id"] not in self.threads:
self.threads.append(call["thread_id"])
+ if (
+ api_name == "DllLoadNotification"
+ and len(arguments) == 3
+ and arguments[0].get("value", "") == "load"
+ and arguments[-1].get("name", "") == "DllBase"
+ and "DllBase" not in self.environdict
+ and _clean_path(arguments[1]["value"], self.options.replace_patterns) in self.environdict.get("CommandLine", "")
+ ):
+ self.environdict.setdefault("DllBase", arguments[-1]["value"])
+
return call
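Review bot: The last clause of the new condition is a plain substring test against `CommandLine`, so an empty or very short cleaned path matches any command line (`"" in s` is always true, assuming `_clean_path` returns an empty string for empty input), and the first `load` notification with a blank path would record an unrelated module's base as `DllBase`. The same clause indexes `arguments[1]["value"]` directly while the neighbouring clauses use `.get(...)`, so a logged argument without a `value` key would raise `KeyError` inside `_parse`. I would bind the path first, `dll_path = _clean_path(arguments[1].get("value", ""), self.options.replace_patterns)`, and require `dll_path and dll_path in self.environdict.get("CommandLine", "")`. If the monitor can report the path in a different case than the command line, a case-folded comparison is probably wanted too, since these values come from the analysed sample and end up on the report page. `_parse` starts above this hunk, so the origin of `api_name` and `arguments` is not visible here.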
diff --git a/web/templates/analysis/behavior/_processes.html b/web/templates/analysis/behavior/_processes.html
index 9a2f5668626..4230d983a2d 100644
--- a/web/templates/analysis/behavior/_processes.html
+++ b/web/templates/analysis/behavior/_processes.html
@@ -84,9 +84,9 @@
}
function load_filtered_chunk(pid, category, caller, tid) {
// Trim leading and trailing spaces
- var inputValue = $("#apifilter_" + pid).val().trim();
+ var inputValue = $("#apifilter_" + pid).val().trim();
// Split input by commas, trim spaces, and join back with commas
- var apis = inputValue.split(',').map(api => api.trim()).join(',');
+ var apis = inputValue.split(',').map(api => api.trim()).join(',');
var encodedlist = (apis === "") ? encodeURI("!null") : encodeURI(apis);
$("#process_" + pid + " div.calltable").load("/analysis/filtered/{{id}}/" + pid + "/" + category + "/" + encodedlist + "/" + caller + "/" + tid + "/", function (data, status, xhr) {
@@ -135,6 +135,9 @@
{% if process.environ.CommandLine %}
Command Line: {{ process.environ.CommandLine }}
{% endif %}
+ {% if process.environ.DllBase %}
+
Dll Image Base: {{ process.environ.DllBase }},
+ {% endif %}
{% if process.environ.MainExeBase %}
Image Base: {{ process.environ.MainExeBase }},
{% endif %}