hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Not scanning .NET data #93

Closed hasherezade closed 3 years ago

hasherezade commented 3 years ago

Sample:

This is a .NET sample that unpacks the payload in non-executable memory:

formbook_payload

PE-sieve with the option /data 1 (which is: ".NET: scan non-executable in .NET applications") should scan it. However, it scans and detects the payload only in /data 3 mode (unconditional scan).

It suggests an error in the condition check. The sample is validly detected as .NET according to scan_report.json:

```json
{
 "pid" : 6156,
 "is_64_bit" : 0,
 "is_managed" : 1,
 "main_image_path" : "C:\\Users\\IEUser\\Desktop\\3be8a41bb629cd3aec0ad28a8f7ab3d1645a538f233dceefc78332c4c48aebdd",
[...]
```
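The report above, as an added reproduction script that is not part of the issue or of pe-sieve itself: it encodes the documented meaning of the /data modes (0 = no scan, 1 = .NET only, 2 = no DEP, 3 = always) as a predicate, runs pe-sieve once with /data 1 and once with /data 3 on the same PID, and flags the case the issue describes: a process reported as is_managed where /data 3 finds modifications that /data 1 does not. The command-line switches /pid, /data, /dir and /quiet are real pe-sieve options; the output layout `<dir>/process_<pid>/scan_report.json`, the `scanned.modified.total` counter, and the two sample reports embedded for offline use are assumptions constructed for this example.

```python
"""Reproduce pe-sieve issue #93: compare /data 1 against /data 3 on a .NET process.

Example code added to the issue page; not pe-sieve's own code.
"""
import json
import os
import subprocess
import sys

# /data modes as described in pe-sieve's help text at the time of the issue.
DATA_NO_SCAN, DATA_DOTNET, DATA_NO_DEP, DATA_ALWAYS = 0, 1, 2, 3


def data_scan_expected(data_mode, is_managed, dep_enabled=True):
    """Whether non-executable regions should be scanned under a given /data mode.

    Mode 1 is supposed to enable the scan for managed (.NET) processes; the issue
    reports that this branch does not fire even though is_managed is 1.
    """
    if data_mode == DATA_ALWAYS:
        return True
    if data_mode == DATA_DOTNET:
        return bool(is_managed)
    if data_mode == DATA_NO_DEP:
        return not dep_enabled
    return False


def modified_count(report):
    """Read the 'scanned.modified.total' counter from a scan report.

    The nesting mirrors scan_report.json; treated as an assumption here.
    """
    return int(report.get("scanned", {}).get("modified", {}).get("total", 0))


def classify(report_data1, report_data3):
    """Compare the /data 1 and /data 3 reports of the same process.

    'data1-missed' is the signature of the bug: the process is managed, so
    /data 1 should have scanned the non-executable regions, yet only /data 3
    found the implant.
    """
    if not report_data1.get("is_managed"):
        return "not-managed"
    if modified_count(report_data3) > modified_count(report_data1):
        return "data1-missed"
    return "consistent"


def run_pe_sieve(exe, pid, data_mode):
    """Run pe-sieve in one /data mode and load the resulting scan_report.json.

    Assumes the report is written to <dir>/process_<pid>/scan_report.json.
    """
    out_dir = "sieve_data%d" % data_mode
    subprocess.run([exe, "/pid", str(pid), "/data", str(data_mode),
                    "/dir", out_dir, "/quiet"], check=False)
    path = os.path.join(out_dir, "process_%d" % pid, "scan_report.json")
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample reports modelled on the fragment quoted in the issue
# (managed 32-bit process); the counters are invented for the offline demo.
SAMPLE_REPORT_DATA1 = {
    "pid": 6156, "is_64_bit": 0, "is_managed": 1,
    "main_image_path": "C:\\Users\\IEUser\\Desktop\\sample.exe",
    "scanned": {"total": 35, "skipped": 0,
                "modified": {"total": 0, "implanted": 0, "implanted_pe": 0}},
}
SAMPLE_REPORT_DATA3 = dict(SAMPLE_REPORT_DATA1, scanned={
    "total": 35, "skipped": 0,
    "modified": {"total": 1, "implanted": 1, "implanted_pe": 1}})


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: repro93.py <pe-sieve exe> <pid>")
    exe, pid = sys.argv[1], int(sys.argv[2])
    r1 = run_pe_sieve(exe, pid, DATA_DOTNET)
    r3 = run_pe_sieve(exe, pid, DATA_ALWAYS)
    print("expected data scan under /data 1:", data_scan_expected(DATA_DOTNET, r1.get("is_managed")))
    print("verdict:", classify(r1, r3))
```

Run it against a live unpacked sample with the pe-sieve binary and the target PID; on the offline sample reports it returns "data1-missed", which is the outcome the issue reports.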