hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Bug: not detecting sections that are set executable during execution #36

Closed hasherezade closed 5 years ago

hasherezade commented 5 years ago

Test case

c80ac369737d8215d45de0602b5de844d20795269a5751af00c29d8795edafa2 - Notepad.exe packed with AsPack 2.12 (from "Unpacking with Anthracene 02 - AsPack 2.12")

Problem

All sections of the file are set as NOT executable in the header (image: aspack_sections); the protection is changed dynamically to executable. Mistakenly, PE-sieve does not scan them, because it treats them as non-executable. (image: scan_report)

hasherezade commented 5 years ago

After the bugfix, modifications are detected: (image: scan_report)
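As an added illustration of the selection logic this issue describes (example code, not pe-sieve's own): the buggy path trusts only the on-disk section characteristics, while the corrected path also consults the current page protection of the mapped range, so sections that were made executable at runtime are scanned too. The section layout, addresses and protections below are constructed, not taken from the referenced sample.

```python
from dataclasses import dataclass

# Real flag values from the PE section header and the Win32 memory-protection API.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0  # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY, ignoring modifier bits

@dataclass
class Section:
    name: str
    rva: int              # virtual address relative to the image base
    vsize: int
    characteristics: int  # flags from the section header on disk

@dataclass
class Region:
    base: int
    size: int
    protect: int          # current page protection, as VirtualQuery would report it

def header_executable(sec):
    return bool(sec.characteristics & IMAGE_SCN_MEM_EXECUTE)

def runtime_executable(sec, image_base, regions):
    """True if any currently executable region overlaps the section's mapped range."""
    start, end = image_base + sec.rva, image_base + sec.rva + sec.vsize
    return any(r.protect & EXECUTE_MASK and r.base < end and start < r.base + r.size
               for r in regions)

def sections_to_scan(sections, image_base, regions, header_only):
    """header_only=True mirrors the buggy selection; False adds the runtime-protection check."""
    return [s.name for s in sections
            if header_executable(s) or (not header_only and runtime_executable(s, image_base, regions))]

# Constructed layout modelled on the AsPack case: no section is executable on disk,
# but the unpacker stub makes .text and itself executable once running.
IMAGE_BASE = 0x400000
SECTIONS = [
    Section(".text", 0x1000, 0x8000, IMAGE_SCN_MEM_READ),
    Section(".data", 0x9000, 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section(".aspack", 0xB000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
REGIONS = [
    Region(IMAGE_BASE + 0x1000, 0x8000, PAGE_EXECUTE_READ),
    Region(IMAGE_BASE + 0x9000, 0x2000, PAGE_READWRITE),
    Region(IMAGE_BASE + 0xB000, 0x1000, PAGE_EXECUTE_READWRITE),
]
```

With the constructed layout, `sections_to_scan(..., header_only=True)` returns an empty list, which is the behaviour reported above, while `header_only=False` returns `.text` and `.aspack`.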