-
Hello,
I analyzed a .NET malware. It creates a suspended process, injects a .NET PE into it and resumes execution.
SHA256:
[e31fef0296b867dbce44c50bf2517d7d28df97698c85c0d2f51043eea7846924](https:…
-
[Module Overloading](https://github.com/hasherezade/module_overloading) is a new PE injection method that is currently not detected.
-
#### Test case
[85a6aa581ffa0514149f3267c41681d27600adbe6ca7b35ee328ec3b3d9f749c](https://www.virustotal.com/gui/file/85a6aa581ffa0514149f3267c41681d27600adbe6ca7b35ee328ec3b3d9f749c/details) - a Kr…
-
I used a brand new Ubuntu 16.04 VM from [osboxes](https://www.osboxes.org/ubuntu/) and hosted it in VirtualBox. I cloned the whole repo and installed all dependencies (including built-in python 2.7 in…
-
I tried to install `bat` on my Windows 10 system. But I got the following error. I also saw a similar issue on https://github.com/lukesampson/scoop/issues/1885.
```
PS C:\Users\Liu.D.H> scoop install…
```
-
The title says it all
https://github.com/hasherezade/pe-sieve/blob/master/scanners/scanner.cpp#L68
-
If DEP is disabled for the process, shellcode can also be executed from a non-executable page.
PE-sieve should be able to detect what DEP policy applies to the particular process, and if needed…
-
Possible enhancement: add pe-sieve and hollows_hunter
https://github.com/hasherezade/pe-sieve/releases
https://github.com/hasherezade/hollows_hunter/releases
-
#### Test case
[c80ac369737d8215d45de0602b5de844d20795269a5751af00c29d8795edafa2](https://malshare.com/sample.php?action=detail&hash=cf2d2758e255ca5d60ff61de3e911f86) - Notepad.exe packed with AsPac…
-
#### Test case
[633521d921ddad8671293319f0fd9daab9a0a606887ada3ab3709027cbb1e591](https://www.virustotal.com/#/file/633521d921ddad8671293319f0fd9daab9a0a606887ada3ab3709027cbb1e591/detection)
####…