4.1. Detect shellcodes (shellc)
By default, PE-sieve detects only implanted PE files (they do not need to be fully valid PEs, but they must follow some of the patterns typical of a PE file). Sometimes this is not enough and we also want to detect shellcode. The option /shellc enables it.

With this option, PE-sieve also reports memory regions that are not part of any module yet contain executable code. Such regions are dumped into files with the .shc extension.

The detected shellcodes are not necessarily malicious. Some applications (especially .NET ones) use JIT (just-in-time compiled) code, which is also placed in additionally allocated memory rather than inside a module, so it can be reported by this check.
Options for the /shellc parameter select how the shellcode is going to be recognized:

```
/shellc <*shellc_mode> : Detect shellcode implants (by patterns or statistics).
*shellc_mode:
	0 (N) - none: do not detect shellcodes
	1 (P) - detect shellcodes by patterns
	2 (S) - detect shellcodes by stats
	3 (A) - detect shellcodes by patterns or stats (any match)
	4 (B) - detect shellcodes by patterns and stats (both match)
```

Mode 3 flags a region as soon as either check matches, so it is the most sensitive; mode 4 requires both checks to agree, so it is the strictest and reports the fewest regions. Pick the mode according to how much benign JIT or similar code you are prepared to triage.
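The combination logic behind the four modes, as an added illustration that is not PE-sieve's own code: the byte patterns, the statistical thresholds and the sample regions below are all assumptions constructed for this example (no region was captured from a real process), and PE-sieve's real signature set and statistics are not reproduced. It shows why a JIT-like region can pass a statistical "looks like code" check while carrying none of the position-independent-code patterns, so that mode 3 flags it and mode 4 does not, and why a random blob (a stand-in for an encrypted payload) passes neither.

```python
"""Pattern check + statistics check combined under the /shellc modes.
Added example; patterns, thresholds and sample buffers are assumptions."""
import math
import random
from dataclasses import dataclass
from enum import IntEnum


class ShellcMode(IntEnum):
    NONE = 0      # N: do not detect shellcodes
    PATTERNS = 1  # P: detect by patterns
    STATS = 2     # S: detect by stats
    ANY = 3       # A: patterns or stats (any match)
    BOTH = 4      # B: patterns and stats (both match)


# Assumed x86/x64 byte sequences typical of position-independent code.
CODE_PATTERNS = [
    ("PEB read via gs:[0x60] (x64)", bytes.fromhex("65488b042560000000")),
    ("PEB read via fs:[0x30] (x86)", bytes.fromhex("648b1530000000")),
    ("PEB read via fs:[0x30] (x86)", bytes.fromhex("64a130000000")),
    ("call $+5; pop (get own address)", bytes.fromhex("e80000000058")),
    ("call $+5; pop (get own address)", bytes.fromhex("e8000000005b")),
    ("cld; call (typical PIC entry)", bytes.fromhex("fce8")),
]


@dataclass
class RegionStats:
    entropy: float
    zero_ratio: float
    printable_ratio: float


def shannon_entropy(data):
    """Bits per byte of the empirical byte distribution (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def region_stats(data):
    n = max(len(data), 1)
    return RegionStats(entropy=shannon_entropy(data),
                       zero_ratio=data.count(0) / n,
                       printable_ratio=sum(0x20 <= b < 0x7F for b in data) / n)


# Assumed thresholds: native code sits in a middle entropy band (zero-padded
# tables fall below it, encrypted/compressed blobs rise above it) and is not
# mostly printable text.
MIN_LEN, ENTROPY_BAND, MAX_ZERO, MAX_PRINTABLE = 64, (3.5, 7.2), 0.5, 0.7


def stats_look_like_code(data):
    if len(data) < MIN_LEN:
        return False
    s = region_stats(data)
    return (ENTROPY_BAND[0] <= s.entropy <= ENTROPY_BAND[1]
            and s.zero_ratio < MAX_ZERO and s.printable_ratio < MAX_PRINTABLE)


def match_patterns(data):
    return [name for name, pat in CODE_PATTERNS if pat in data]


@dataclass
class Verdict:
    flagged: bool
    pattern_hits: list
    stats_hit: bool


def detect(data, mode):
    """Run only the checks the selected mode asks for and combine them."""
    use_patterns = mode in (ShellcMode.PATTERNS, ShellcMode.ANY, ShellcMode.BOTH)
    use_stats = mode in (ShellcMode.STATS, ShellcMode.ANY, ShellcMode.BOTH)
    hits = match_patterns(data) if use_patterns else []
    stats_hit = stats_look_like_code(data) if use_stats else False
    if mode == ShellcMode.BOTH:
        flagged = bool(hits) and stats_hit
    else:  # NONE, PATTERNS, STATS and ANY all reduce to "an enabled check fired"
        flagged = bool(hits) or stats_hit
    return Verdict(flagged, hits, stats_hit)


# Constructed sample regions (hand-assembled, not captured from any process).
# PIC-style stub: cld; call $+5; pop rax; and rsp,-16; mov rax,gs:[0x60]; PEB walk.
SHELLCODE_LIKE = bytes.fromhex(
    "fc" "e800000000" "58" "4883e4f0" "65488b042560000000" "488b4018" "488b7020"
    "48ad" "488b30" "488b7e10" "8b5f3c" "4801fb" "8b8b88000000" "4801f9" "31c0" "ffc0"
    "8b5120" "4801fa" "8b1c82" "4801fb" "3d7c9a5e1d" "75ec" "ffd3" "c3")
# Ordinary compiled function as a JIT would emit: frame setup, loads, call through
# a register, return, int3 padding. No PIC tricks, so no pattern can hit.
JIT_LIKE = bytes.fromhex(
    "55" "488bec" "4883ec30" "48894d10" "48895518" "488b4d10" "488b5108" "3b5518"
    "7d0c" "48b8d05e34127b020000" "ffd0" "488b4518" "4883c430" "5d" "c3" "cccccccc") * 4
TEXT_DATA = b"Copyright (c) Example Corp. All rights reserved. " * 6
_rng = random.Random(2024)  # fixed seed: stand-in for an encrypted payload
RANDOM_BLOB = bytes(_rng.randrange(256) for _ in range(1024))

if __name__ == "__main__":
    for name, data in [("PIC-style stub", SHELLCODE_LIKE), ("JIT-like function", JIT_LIKE),
                       ("ASCII text", TEXT_DATA), ("random blob", RANDOM_BLOB)]:
        s = region_stats(data)
        print(f"{name:18} entropy={s.entropy:.2f} printable={s.printable_ratio:.2f}")
        for mode in ShellcMode:
            v = detect(data, mode)
            print(f"   /shellc {int(mode)} ({mode.name[0]}): flagged={v.flagged!s:5} "
                  f"patterns={v.pattern_hits} stats={v.stats_hit}")
```

Running it prints, for each sample, the verdict under every mode: the PIC-style stub is flagged by every mode except 0, the JIT-like function only by modes 2 and 3, and the text and random regions by none of the statistical modes. The last case is the caveat to keep in mind with any statistics-based check: a payload that is still encrypted or packed in memory does not look like code until it is decoded.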
You can display all the possible arguments of this parameter with:

```
pe-sieve /shellc ?
```