Why do codechunks need at least 5 imports for dumping about process-dump HOT 1 OPEN

The purpose of this was to reduce noise as I recall. I think there are quite a few regions which have execute privileges, but are really just data regions. The assumption this dumping logic works on here is that if it's real shellcode/executable code then it will refer to at least 2 exports within the process (the comment as you pointed out is incorrect, I must have originally had it at 5 then adjusted it to be looser of just needing 2 at a later time without editing the comment). This is usually true but might not always be true if they've carefully obfuscated their shellcode to not refer to any APIs, but it seemed at the time to be a good way to deal with the noisy data regions with executable privileges.

RE: But my real question is why it needs this condition to dump codechunk, can i just ignore this condition?

If you're OK with the noise of dumping lots of data regions, it's OK to remove this condition.

One challenge with this is that the known-module clean hash computation for loose code-chunks is based on the reconstructed import structure of the code-codechunk as well as section size. If there are 0 imports for example, the clean hash will entirely be defined by the size of the region - which may cause it to still miss dumping a lot of these regions:

One way to fix this might be to also hash the first few distinct bytes of the section for example, or maybe it should be hashed with the process name. Maybe it'd add these two hashes into the algorithm if there are less than 2 imports referenced, that way it'd be backwards compatible?

If you'd like to make a pull request adding this as an option, I'd love to review and integrate into process dump!

from process-dump.