hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Programs using UPX are scanned as hdr_modified #82

Closed muse117 closed 3 years ago

muse117 commented 3 years ago

The programs that are scanned have been compressed using UPX.

hasherezade commented 3 years ago

Do you mean UPX packed executables are detected with a marker hdr_modified? It is not a bug, but intended behavior. UPX indeed modifies the headers, and fills up the packed sections, so it should trigger PE-sieve.
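
The kind of check behind a header-modification finding, as an added illustration rather than PE-sieve's own code: parse the section table of a PE image and report every field that differs between the on-disk file and the in-memory copy. The two images below are constructed with made-up values (section names borrowed from the UPX convention, sizes and flags invented) purely to exercise the comparison, not captured from a real packed binary.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocs, PointerToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes
FIELDS = ("name", "VirtualSize", "VirtualAddress", "SizeOfRawData", "Characteristics")

def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, image, table + i * SECTION_SIZE)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "VirtualSize": f[1], "VirtualAddress": f[2],
                    "SizeOfRawData": f[3], "Characteristics": f[9]})
    return out

def header_diff(disk: bytes, memory: bytes):
    """Return (section, field, on_disk, in_memory) for every mismatching field."""
    d, m = parse_sections(disk), parse_sections(memory)
    findings = []
    if len(d) != len(m):
        findings.append(("<table>", "NumberOfSections", len(d), len(m)))
    for sd, sm in zip(d, m):
        findings += [(sd["name"], k, sd[k], sm[k]) for k in FIELDS if sd[k] != sm[k]]
    return findings

def build_pe(sections):
    """Construct a minimal PE image (test data only; no optional header, no code)."""
    dos = bytearray(64); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after DOS hdr
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack(SECTION_FMT, n.encode(), vs, va, raw, 0x400, 0, 0, 0, 0, ch)
                     for n, vs, va, raw, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + table

# Constructed pair: on disk the first section has no raw data and is marked
# uninitialized; the in-memory copy shows it filled and flagged as code.
DISK_IMAGE = build_pe([("UPX0", 0x10000, 0x1000, 0x0, 0xE0000080),
                       ("UPX1", 0x5000, 0x11000, 0x4800, 0xE0000040)])
MEMORY_IMAGE = build_pe([("UPX0", 0x10000, 0x1000, 0x10000, 0xE0000040),
                         ("UPX1", 0x5000, 0x11000, 0x4800, 0xE0000040)])

if __name__ == "__main__":
    for section, field, before, after in header_diff(DISK_IMAGE, MEMORY_IMAGE):
        print(f"{section}: {field} {before:#x} -> {after:#x}")
```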

muse117 commented 3 years ago

Yes, I see.