4.2. Change dump mode (dmode)
/dmode <*dump_mode>
: Set in which mode the detected PE files should be dumped.
*dump_mode:
0 - autodetect (default)
1 - virtual (as it is in the memory, no unmapping)
2 - unmapped (converted to raw using sections' raw headers)
3 - realigned raw (converted raw format to be the same as virtual)
PE-sieve detects and dumps variety of implants installed in the process' memory. Before dumping, it tries to reconstruct the payload in the best possible way, so that it will be ready for further analysis.
Due to the fact that there are variety of packers/crypters, dumping different payloads requires different approaches.
PE-sieve offers 3 different dump modes, and autodetection of the mode that is the best fit to unpack a particular sample. In most of the cases the automatic mode will work, offering the best solution. However, if the user wants to manually switch the mode, it can be achieved using the option /dmode.
Example:
- 'Realigned raw (
/dmode 3):
In this mode, the Raw Alignment of the PE is changed to be the same as the Virtual Alignment. It is the most suitable for the PE with some packed sections, that are unpacked and expanded in memory. Thanks to the changes in the sections alignment, we are able to contain all the changes in the dump, and make the PE suitable for static analysis.
More information about the dump modes you can find in the video.