Two types of implants are currently detected: PE files and shellcodes (if the scan was deployed in the shellcode detection mode - option: /shellc).
Shellcode should be reported only when there is a detached memory area containing code. However, currently, the code section within a manually loaded PE file is reported twice: as a part of the implanted PE file, and second time as a standalone shellcode.
This bug occurs when the sections of the manually loaded PE file are not in a single allocation area, and are processed as different units.
Test case:
Two types of implants are currently detected: PE files and shellcodes (if the scan was deployed in the shellcode detection mode - option:
This bug occurs when the sections of the manually loaded PE file are not in a single allocation area, and are processed as different units.
Test case:
/shellc). Shellcode should be reported only when there is a detached memory area containing code. However, currently, the code section within a manually loaded PE file is reported twice: as a part of the implanted PE file, and second time as a standalone shellcode.