Bug: a PE embedded in a shellcode was not detected (KrugBot)

hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

https://hshrzd.wordpress.com/pe-sieve/

BSD 2-Clause "Simplified" License

3.01k stars 421 forks source link

Bug: a PE embedded in a shellcode was not detected (KrugBot) #44

Closed hasherezade closed 4 years ago

hasherezade commented 4 years ago

Test case

85a6aa581ffa0514149f3267c41681d27600adbe6ca7b35ee328ec3b3d9f749c - a KrugBot sample

Problem

The packer loads a shellcode containing a PE in the memory. PE-sieve run with the option /shellc detects the loaded shellcode. However, it misses to detect and extract the PE file that is embedded there. A view from Process Hacker: mem_view PE-sieve run without any parameters does not detect the payload at all.

hasherezade commented 4 years ago

Result: the PE is not found and correctly dumped (even when PE-sieve is run without the /shellc parameter). detected