4.2. Change dump mode (dmode)

@hasherezade edited this page Jun 19, 2019 · 14 revisions
Option: /dmode
/dmode <*dump_mode>
	: Set in which mode the detected PE files should be dumped.
*dump_mode:
	0 - autodetect (default)
	1 - virtual (as it is in the memory, no unmapping)
	2 - unmapped (converted to raw using sections' raw headers)
	3 - realigned raw (converted raw format to be the same as virtual)

PE-sieve detects and dumps a variety of implants installed in the process's memory. Before dumping, it tries to reconstruct the payload in the best possible way, so that it is ready for further analysis.

Because there is a variety of packers/crypters, dumping different payloads requires different approaches.

PE-sieve offers 3 different dump modes, plus autodetection of the mode that best fits unpacking a particular sample. In most cases the automatic mode works and gives the best result. However, if the user wants to switch the mode manually, this can be done with the option /dmode.


Example:
  • 'Virtual' (/dmode 1): The PE is dumped as it is in memory. No change is made to the sections table or to the content of the sections. If the PE was loaded in memory as an executable, the dump is in the Virtual format and cannot run.

  • 'Unmapped' (/dmode 2): The PE is converted to its raw format. No change is made to the sections table; however, the content of the sections is shifted to fit the raw alignment. This type of PE can be redeployed.

  • 'Realigned raw' (/dmode 3):

[figure: remapped_sections]

In this mode, the Raw Alignment of the PE is changed to be the same as the Virtual Alignment. It is most suitable for a PE with packed sections that are unpacked and expanded in memory. Thanks to the change in the sections' alignment, all the changes are contained in the dump, making the PE suitable for static analysis.
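As an added example (not PE-sieve's own code), a minimal model of the layout changes behind /dmode 2 and /dmode 3 on a constructed 32-bit PE image: `unmap` moves each section from its virtual address to its raw offset using the unchanged section headers, while `realign` keeps the virtual layout and rewrites FileAlignment and the raw pointer/size of every section to match the virtual ones. The sample image, with a `.text` section that grew from 0x200 to 0x300 bytes in memory, and all function names are assumptions made for this illustration.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...

def section_table(image: bytes):
    """Return (optional header offset, section table offset, parsed headers) for any PE layout."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    _, n_sec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", image, e_lfanew + 4)
    opt, table = e_lfanew + 24, e_lfanew + 24 + opt_size
    return opt, table, [struct.unpack_from(SECTION_FMT, image, table + i * 40) for i in range(n_sec)]

def unmap(image: bytes) -> bytes:
    """/dmode 2: headers untouched; each section is moved from VirtualAddress to PointerToRawData.
    Bytes past SizeOfRawData (a section that grew when it was unpacked in memory) are lost."""
    _, table, secs = section_table(image)
    out = bytearray(max(rptr + rsize for _, _, _, rsize, rptr, *_ in secs))
    out[:table + 40 * len(secs)] = image[:table + 40 * len(secs)]
    for _, _, va, rsize, rptr, *_ in secs:
        chunk = image[va:va + rsize]
        out[rptr:rptr + len(chunk)] = chunk
    return bytes(out)

def realign(image: bytes) -> bytes:
    """/dmode 3: content stays in virtual layout; FileAlignment is set to SectionAlignment and every
    header's raw pointer/size is rewritten to equal its virtual address/size, so nothing is lost."""
    out = bytearray(image)
    opt, table, secs = section_table(image)
    sec_align = struct.unpack_from("<I", image, opt + 32)[0]     # SectionAlignment
    struct.pack_into("<I", out, opt + 36, sec_align)              # FileAlignment := SectionAlignment
    for i, (name, vsize, va, _, _, *rest) in enumerate(secs):
        rsize = -(-vsize // sec_align) * sec_align                 # round VirtualSize up to alignment
        struct.pack_into(SECTION_FMT, out, table + i * 40, name, vsize, va, rsize, va, *rest)
    return bytes(out)

def build_sample_image() -> bytes:
    """Constructed 32-bit PE in virtual layout, as PE-sieve reads it from a process: .text was
    0x200 bytes on disk but unpacked to 0x300 bytes in memory; .data is unchanged."""
    img = bytearray(0x3000)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # COFF header, 2 sections
    struct.pack_into("<H", img, 0x58, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", img, 0x58 + 32, 0x1000, 0x200)                    # SectionAlignment, FileAlignment
    table = [(b".text", 0x300, 0x1000, 0x200, 0x200), (b".data", 0x8, 0x2000, 0x200, 0x400)]
    for i, hdr in enumerate(table):
        struct.pack_into(SECTION_FMT, img, 0x138 + i * 40, *hdr, 0, 0, 0, 0, 0x60000020)
    img[0x1000:0x1300], img[0x2000:0x2008] = b"T" * 0x300, b"D" * 8
    return bytes(img)
```

Running `unmap` on the sample drops the last 0x100 bytes of the unpacked `.text`, while `realign` keeps them, which is the case /dmode 3 exists for.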


More information about the dump modes can be found in the video.