Scan non-executable pages for shellcode if DEP disabled

hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

https://hshrzd.wordpress.com/pe-sieve/

BSD 2-Clause "Simplified" License

3.01k stars 421 forks source link

Scan non-executable pages for shellcode if DEP disabled #37

Closed hasherezade closed 5 years ago

hasherezade commented 5 years ago

If the DEP is disabled for the process, shellcode can be also executed from a non-executable page.

PE-sieve should be able to detect what DEP policy applies on the particular process, and if needed, scan non-executable pages.

hasherezade commented 5 years ago

Scanning data is prone to produce false-positives. It should be enabled only on demand.