
4.1. Detect shellcodes (shellc)

hasherezade edited this page Dec 28, 2021 · 9 revisions

Option: /shellc

By default, PE-sieve detects only implanted PE files (they don't need to be 100% valid PE, but they must follow some of the patterns typical for a PE file).

Sometimes this is not enough, and we also want to detect shellcode. The /shellc option enables this.

PE-sieve detects memory regions that are not part of any module, yet contain executable code. They are dumped into files with a .shc extension.

The detected shellcodes are not necessarily malicious. Some applications (especially .NET ones) use JIT (just-in-time compiled code), which is also loaded as code in additionally allocated memory.
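The heuristic described above, reduced to its core and run over a constructed snapshot of a process memory map (an added example, not PE-sieve's own code; the region and module lists, the pid and the dump file naming are assumptions made for the illustration):

```python
from dataclasses import dataclass

# Constants from winnt.h (real values; only the low byte of a protection is the access class).
MEM_IMAGE, MEM_PRIVATE = 0x1000000, 0x20000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE and its read/write/writecopy variants

@dataclass(frozen=True)
class Region:      # one VirtualQueryEx result: base, size, protection, MEM_* type
    base: int
    size: int
    protect: int
    mem_type: int

@dataclass(frozen=True)
class Module:      # one loaded module as the loader lists it
    name: str
    base: int
    size: int

def owning_module(addr, modules):
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def find_shellcode_candidates(regions, modules):
    """Executable regions that belong to no loaded module, each paired with a JIT hint."""
    # .NET emits JIT code into private memory too, so a loaded CLR makes a benign hit more likely.
    clr_loaded = any(m.name.lower() in ("clr.dll", "coreclr.dll", "mscorwks.dll") for m in modules)
    hits = []
    for r in regions:
        if (r.protect & 0xFF) not in EXECUTABLE:         # not executable: irrelevant here
            continue
        if owning_module(r.base, modules) is not None:   # code inside a mapped module: expected
            continue
        hits.append((r, clr_loaded))
    return hits

def dump_name(pid, region):
    # PE-sieve writes such regions with an .shc extension; this exact naming scheme is assumed.
    return f"process_{pid}/{region.base:x}.shc"

# Constructed snapshot: a native app with one private RWX region outside every module.
SAMPLE_MODULES = [Module("app.exe", 0x400000, 0x20000), Module("ntdll.dll", 0x7FF800000000, 0x1F0000)]
SAMPLE_REGIONS = [
    Region(0x401000, 0x8000, PAGE_EXECUTE_READ, MEM_IMAGE),          # app.exe .text
    Region(0x7FF800001000, 0x120000, PAGE_EXECUTE_READ, MEM_IMAGE),  # ntdll.dll .text
    Region(0x190000, 0x10000, PAGE_READWRITE, MEM_PRIVATE),          # heap: writable, not executable
    Region(0x1A0000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),   # executable, owned by nothing
]

if __name__ == "__main__":
    for region, jit_hint in find_shellcode_candidates(SAMPLE_REGIONS, SAMPLE_MODULES):
        print(dump_name(1234, region), "(possible JIT, CLR loaded)" if jit_hint else "")
```

A real scan walks the address space with VirtualQueryEx and the loader's module list; the JIT hint only tells the analyst which .shc dumps deserve a closer look first.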
