4.4. Scan non executable memory (data)

hasherezade edited this page Dec 28, 2021 · 8 revisions

Option: /data

By default, PE-sieve scans only the memory that is marked as executable. You can change this default behavior with the /data parameter. To display all the possible arguments, run:

pe-sieve /data ?
data <*data_scan_mode>
	 : Set if non-executable pages should be scanned.
*data_scan_mode:
	0 - none: do not scan non-executable pages
	1 - .NET: scan non-executable in .NET applications
	2 - if no DEP: scan non-exec if DEP is disabled (or if is .NET)
	3 - always: scan non-executable pages unconditionally
	4 - include inaccessible: scan non-executable pages unconditionally;
	    in reflection mode (/refl): scan also inaccessible pages
	5 - scan inaccessible pages, but exclude other non-executable;
	    works in reflection mode (/refl) only

You can enable scanning of non-executable memory in some predefined cases:

  1. In .NET applications, code hosted on non-executable pages can also be run. So, this scan will be enabled if the scanned process contains .NET modules.
  2. In applications that have DEP disabled, non-executable memory can be executed as well. So, this scan will be enabled if the scanned process has DEP disabled.
  3. Unconditionally - just scan it every time. WARNING: this will produce a lot of noise/false positives, so use it only when you really need it!
  4. Like 3, but in addition to read-only/read-write pages, it also includes pages set as inaccessible (PAGE_NOACCESS). Requires the reflection mode (/refl) to be enabled.
  5. Scans only pages set as inaccessible (PAGE_NOACCESS). Requires the reflection mode (/refl) to be enabled.
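
The mode descriptions above can be read as a per-page scope decision. The following is an added example, not PE-sieve's own code: `Target` and `page_in_scope` are hypothetical names, and the model assumes that executable pages are always scanned and that inaccessible pages are never in scope for modes 1 to 3.

```cpp
#include <cstdint>
#include <cstdio>

// Windows page-protection values (as in winnt.h), redefined so this builds anywhere.
constexpr uint32_t kPageNoAccess = 0x01, kPageReadOnly = 0x02,
                   kPageReadWrite = 0x04, kPageExecuteRead = 0x20;
constexpr uint32_t kExecMask = 0xF0;  // all four PAGE_EXECUTE* values

struct Target {        // hypothetical summary of the scanned process
    bool has_dotnet;   // process contains .NET modules
    bool dep_enabled;  // DEP is enabled for the process
    bool refl;         // scan was started with /refl
};

// True if a page with protection `prot` is in scope for "/data <mode>",
// following the mode list on this page (a model, not PE-sieve's logic).
bool page_in_scope(int mode, uint32_t prot, const Target &t) {
    if (prot & kExecMask) return true;        // executable: scanned by default
    if ((prot & 0xFF) == kPageNoAccess)       // ignore modifiers such as PAGE_GUARD
        return (mode == 4 || mode == 5) && t.refl;  // needs reflection mode
    switch (mode) {                           // read-only / read-write pages
    case 1: return t.has_dotnet;
    case 2: return t.has_dotnet || !t.dep_enabled;
    case 3:
    case 4: return true;                      // unconditional (noisy)
    default: return false;                    // 0: none; 5: excludes these pages
    }
}

int main() {
    // Constructed sample: native process, DEP enabled, /refl given.
    const Target native_refl{false, true, true};
    const uint32_t pages[] = {kPageExecuteRead, kPageReadWrite,
                              kPageReadOnly, kPageNoAccess};
    for (int mode = 0; mode <= 5; ++mode) {
        std::printf("/data %d:", mode);
        for (uint32_t p : pages)
            std::printf(" 0x%02x=%s", (unsigned)p,
                        page_in_scope(mode, p, native_refl) ? "scan" : "skip");
        std::printf("\n");
    }
    return 0;
}
```

The printed matrix makes two points from the option text visible: without /refl, mode 4 covers the same pages as mode 3, and mode 5 adds nothing beyond the default executable-only scan.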