Open as0ni opened 1 month ago
Hi @as0ni ! Thank you for your kind words, and for the report! Sure this will be useful to include in the built-in signatures. I will take a look, and update you soon.
Thank you, @hasherezade! Also, if possible, could you point me to the code that contains the current built-in signatures? Thanks again.
@as0ni - the default ones are here: https://github.com/hasherezade/pe-sieve/blob/3f696a8610512db20a3854c988f9823c98b7edaa/utils/code_patterns.h
Hi,

First off, thank you for your fantastic contributions to the community! Your research, write-ups, and tools are incredibly inspiring.

I'm reaching out regarding an issue I encountered with mal_unpack while testing it against some Cobalt Strike stagers. Specifically, it appears that mal_unpack does not successfully extract shellcode in cases where the shellcode begins with the `CLD` (opcode `FC`) instruction. For example, in this sample (VT link), the shellcode is deobfuscated following a VirtualAlloc call and starts with `FC E8 89 00 00 00`. In a similar loader, I found that the shellcode began with the opcodes `FC 48 83 E4`. I also attempted using the `/shellc` option, but it did not identify the shellcode in these cases.

The recent addition of the `/pattern` option is helpful, and I was able to extract the shellcode by providing a custom sig file. However, I wanted to bring this to your attention as these shellcode patterns, starting with `FC`, are common in Cobalt Strike samples and might be worth considering as built-in signatures for improved detection.

Please note that I haven't tested this with the companion driver yet. If you think it might help in this case, I can give it a try and report back.

Thank you again for all your hard work on this project!
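As an added example (not code from pe-sieve or from the reporter), here is a small masked-byte scanner that flags the two `CLD`-prefixed starts quoted in the issue inside a constructed memory buffer; the `??` wildcard syntax, the pattern names and the sample buffer are my own and are not pe-sieve's sig-file format.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Pattern:
    name: str
    value: bytes
    mask: bytes  # 0xFF = byte must match, 0x00 = wildcard


def parse_pattern(name: str, text: str) -> Pattern:
    """Parse 'FC E8 ?? 00 00 00' into value + mask ('??' = any byte).
    This textual form is constructed for the example, not pe-sieve's format."""
    value, mask = bytearray(), bytearray()
    for tok in text.split():
        if tok == "??":
            value.append(0x00); mask.append(0x00)
        else:
            value.append(int(tok, 16)); mask.append(0xFF)
    return Pattern(name, bytes(value), bytes(mask))


# The two starts quoted in the issue, plus a masked variant of the x86 one:
# E8 takes a little-endian rel32, so only its low byte changes for short jumps.
DEFAULT_PATTERNS = [
    parse_pattern("cs_x86_cld_call", "FC E8 89 00 00 00"),       # cld; call +0x89
    parse_pattern("cs_x64_cld_and_rsp", "FC 48 83 E4"),          # cld; and rsp, ...
    parse_pattern("cld_call_rel32_any", "FC E8 ?? 00 00 00"),    # constructed generalization
]


def scan(buf: bytes, patterns: List[Pattern]) -> List[Tuple[int, str]]:
    """Return (offset, pattern name) for every masked match in buf, sorted."""
    hits = []
    for pat in patterns:
        n = len(pat.value)
        for i in range(len(buf) - n + 1):
            if all((buf[i + j] & pat.mask[j]) == pat.value[j] for j in range(n)):
                hits.append((i, pat.name))
    return sorted(hits)


# Constructed buffer: padding, x86 start at offset 16, x64 start at offset 30,
# and a lone FC at offset 39 that must NOT be reported.
SAMPLE = (bytes([0x90]) * 16 + bytes.fromhex("FCE889000000")
          + bytes([0xCC]) * 8 + bytes.fromhex("FC4883E4F0")
          + bytes(4) + bytes.fromhex("FC0102"))

if __name__ == "__main__":
    for off, name in scan(SAMPLE, DEFAULT_PATTERNS):
        print(f"offset 0x{off:04x}: {name}")
```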