
4.1. Detect shellcodes (shellc)

hasherezade edited this page Nov 9, 2023 · 9 revisions

Option: /shellc

By default, PE-sieve detects only implanted PE files (they do not need to be 100% valid PEs, but they must follow at least some of the patterns typical of a PE file).

Sometimes this is not enough and we also want to detect shellcode. The option /shellc enables this.

With it, PE-sieve reports memory regions that are not part of any module yet contain executable code. They are dumped into files with the .shc extension.

A detected shellcode is not necessarily malicious. Some applications (especially .NET ones) use JIT (just-in-time compiled) code, which is likewise loaded as code into additionally allocated memory, so such regions can show up among the results.

The argument of the /shellc parameter selects how shellcode is going to be recognized:

shellc <*shellc_mode>
         : Detect shellcode implants (by patterns or statistics).
*shellc_mode:
        0 (N) - none: do not detect shellcodes
        1 (P) - detect shellcodes by patterns
        2 (S) - detect shellcodes by stats
        3 (A) - detect shellcodes by patterns or stats (any match)
        4 (B) - detect shellcodes by patterns and stats (both match)

You can display all the possible arguments with:

pe-sieve /shellc ?
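To make the difference between the five modes concrete, here is an added toy model of how a "patterns" detector and a "stats" detector are combined per mode. It is not PE-sieve's code: the byte patterns (a few well-known position-independent-code idioms), the entropy statistic and its thresholds are assumptions chosen for the demonstration, and the four sample regions are constructed, not captured from a real process. Only the mode table (0/N, 1/P, 2/S, 3/A, 4/B) and the any/both combination rules come from this page.

```python
"""Toy model of the /shellc modes.  Added illustration, not PE-sieve's code:
the patterns, the entropy statistic and its thresholds are assumptions."""
import math
from typing import NamedTuple, Union

# Modes as the /shellc help lists them (digit or letter form).
SHELLC_MODES = {"N": 0, "P": 1, "S": 2, "A": 3, "B": 4}
NONE, PATTERNS, STATS, ANY, BOTH = range(5)

# ASSUMED pattern set: well-known shellcode idioms, not PE-sieve's signatures.
PATTERN_DB = {
    "x86 call $+5 (GetPC)":         bytes.fromhex("e800000000"),
    "x86 mov eax, fs:[0x30] (PEB)": bytes.fromhex("64a130000000"),
    "x86 mov ebx, fs:[0x30] (PEB)": bytes.fromhex("648b1d30000000"),
    "x64 mov rax, gs:[0x60] (PEB)": bytes.fromhex("65488b042560000000"),
}

# ASSUMED statistic: native code is neither padding (entropy near 0 bits/byte)
# nor packed/encrypted data (entropy near 8 bits/byte).
CODE_ENTROPY_MIN = 3.0
CODE_ENTROPY_MAX = 7.5


class ShellcVerdict(NamedTuple):
    hit: bool         # would this region be reported (and dumped as .shc)?
    patterns: list    # names of the matched patterns
    stats_code: bool  # did the statistic call the region code?


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty region."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def match_patterns(region: bytes) -> list:
    return [name for name, sig in PATTERN_DB.items() if sig in region]


def stats_say_code(region: bytes) -> bool:
    return CODE_ENTROPY_MIN <= shannon_entropy(region) <= CODE_ENTROPY_MAX


def parse_mode(mode: Union[int, str]) -> int:
    """Accept 0-4 or N/P/S/A/B, as the help text lists them."""
    if isinstance(mode, str):
        key = mode.strip().upper()
        if key in SHELLC_MODES:
            return SHELLC_MODES[key]
        if key.isdigit():
            mode = int(key)
    if isinstance(mode, int) and 0 <= mode <= 4:
        return mode
    raise ValueError(f"unknown /shellc mode: {mode!r}")


def classify(region: bytes, mode: Union[int, str]) -> ShellcVerdict:
    """Combine the two detectors the way each /shellc mode prescribes."""
    pats = match_patterns(region)
    stats = stats_say_code(region)
    rules = {
        NONE: False,
        PATTERNS: bool(pats),
        STATS: stats,
        ANY: bool(pats) or stats,
        BOTH: bool(pats) and stats,
    }
    return ShellcVerdict(rules[parse_mode(mode)], pats, stats)


# Constructed sample regions (not real captures).
SHELLCODE_SAMPLE = bytes.fromhex(
    "e800000000"    # call $+5 (GetPC)
    "5b"            # pop ebx
    "64a130000000"  # mov eax, fs:[0x30]   ; PEB
    "8b400c"        # mov eax, [eax+0x0c]  ; PEB->Ldr
    "8b401c"        # mov eax, [eax+0x1c]  ; InInitializationOrderModuleList
    "8b00"          # mov eax, [eax]
    "8b4008"        # mov eax, [eax+0x08]  ; DllBase
    "89c6"          # mov esi, eax
    "0fb7460c"      # movzx eax, word ptr [esi+0x0c]
    "31c9"          # xor ecx, ecx
    "51"            # push ecx
    "6a00"          # push 0
    "ffd0"          # call eax
    "c3"            # ret
)
# An ordinary compiled byte-copy loop: code to the statistic, no shellcode idioms.
JIT_LIKE_SAMPLE = bytes.fromhex(
    "558bec83ec105657"  # push ebp; mov ebp,esp; sub esp,0x10; push esi; push edi
    "8b7d088b750c33c0"  # mov edi,[ebp+8]; mov esi,[ebp+0xc]; xor eax,eax
    "8a0c06880c0740"    # mov cl,[esi+eax]; mov [edi+eax],cl; inc eax
    "3b451072f4"        # cmp eax,[ebp+0x10]; jb loop
    "5f5e8be55dc3"      # pop edi; pop esi; mov esp,ebp; pop ebp; ret
)
PACKED_SAMPLE = bytes(range(256)) * 2  # stand-in for encrypted/compressed data
ZERO_PAGE = bytes(4096)                # untouched committed memory

if __name__ == "__main__":
    for label, region in [("shellcode", SHELLCODE_SAMPLE), ("jit-like", JIT_LIKE_SAMPLE),
                          ("packed", PACKED_SAMPLE), ("zero page", ZERO_PAGE)]:
        verdicts = " ".join(f"{m}={int(classify(region, m).hit)}" for m in "NPSAB")
        print(f"{label:10} entropy={shannon_entropy(region):.2f} {verdicts}")
```

Running it shows the trade-off the page hints at: the hand-written shellcode sample is reported in modes P, S, A and B, while the JIT-like function is reported only in S and A (stats), which is why mode 4 (B) is the quieter choice on .NET-heavy processes and mode 3 (A) the most sensitive one. The packed blob and the zero page trigger neither detector in any mode.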