
4.11. Detect shellcode by custom patterns (pattern)

hasherezade edited this page Feb 24, 2024 · 18 revisions

Option: /pattern

By default, PE-sieve ships with a set of hardcoded patterns that are used to detect whether a scanned memory area contains shellcode. Their use in the scan is enabled with the parameter /shellc (for example /shellc P, or one of the other dedicated modes; more information in 4.1.-Detect-shellcodes-(shellc) ).

Since version 0.3.9, PE-sieve also offers detection by a custom set of patterns defined by the user. The file with the patterns is supplied after the parameter /pattern. Format: /pattern [patterns file]. Example:

pe-sieve.exe /pid 1243 /pattern my_patterns.txt

Patterns file format

The file has to follow the SIG format used by SigFinder. It must contain one or more pattern definitions. Each pattern is defined as follows:

<Signature name>
<Number of elements in the signature: N (decimal)>
<N byte definitions>

The byte definitions are the expected byte values, in hexadecimal. Any nibble whose value is unknown can be masked with ?. The N byte definitions do not have to sit on a single line; they may be spread over several lines, as in the example below.

Examples of valid byte definitions:

23 56 12 68

  • matches: 23 56 12 68

55 0? 34 12

  • matches: 55 01 34 12, 55 02 34 12, ... 55 0F 34 12

40 ?? 4? 8? e?

  • matches, e.g.: 40 89 43 85 e2, 40 AA 44 80 e6

Example of a valid signature (12 byte definitions spread over four lines, the fourth one using nibble masks):

Heavens_Gate1
12
6A 33 
E8 00 00 00 00
83 ?? ?? 05
CB
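The following Python script is an added illustration of how the format above is consumed; it is not PE-sieve's or SigFinder's own code. It parses a SIG file into (value, mask) pairs per byte (a masked nibble becomes a zero in the mask), then slides each signature over a buffer and reports the offsets where every unmasked nibble agrees. The SIG text and the byte buffer are constructed inline: the signature is the Heavens_Gate1 example from this page, and the buffer embeds a plain push 0x33 / call $+5 / add [esp],5 / retf sequence that it should match, plus the 55 0? 34 12 definition from the examples, with one hit and one near-miss.

```python
"""Parse SigFinder-style SIG patterns and scan a buffer for them.

Added example, not PE-sieve's own code. Assumes the format described on the
page: a name line, a decimal count line, then N hex byte definitions (which
may span several lines), with '?' masking an unknown nibble.
"""
import re

# One byte definition: exactly two hex digits or '?' wildcards, e.g. "83", "0?", "??".
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f?]{2}$")

# Constructed sample SIG file: the Heavens_Gate1 signature from the page plus
# one signature built from the "55 0? 34 12" byte-definition example.
SAMPLE_SIG = """\
Heavens_Gate1
12
6A 33
E8 00 00 00 00
83 ?? ?? 05
CB
Nibble_example
4
55 0? 34 12
"""

# Constructed buffer: two NOPs, then push 0x33; call $+5; add dword [esp],5; retf,
# then a ret, then "55 0F 34 12" (should match Nibble_example) and
# "55 1A 34 12" (must not: the high nibble of byte 2 is fixed to 0).
SAMPLE_BUF = (b"\x90\x90"
              + bytes.fromhex("6A33" "E800000000" "83042405" "CB")
              + b"\xC3"
              + bytes.fromhex("550F3412")
              + bytes.fromhex("551A3412"))


def _token_to_value_mask(tok):
    """Turn "0?" into (0x00, 0xF0): value bits where known, mask bits where fixed."""
    value = mask = 0
    for nib in tok:
        value <<= 4
        mask <<= 4
        if nib != "?":
            value |= int(nib, 16)
            mask |= 0xF
    return value, mask


def parse_sig(text):
    """Return a list of (name, [(value, mask), ...]) from SIG-format text."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]          # blank lines carry no meaning
    sigs = []
    pos = 0
    while pos < len(lines):
        if pos + 1 >= len(lines):
            raise ValueError(f"signature {lines[pos]!r}: missing element count")
        name = lines[pos]
        count = int(lines[pos + 1], 10)         # count is decimal, per the format
        pos += 2
        tokens = []
        while len(tokens) < count:              # definitions may span lines
            if pos >= len(lines):
                raise ValueError(f"signature {name!r}: expected {count} byte "
                                 f"definitions, got {len(tokens)}")
            tokens.extend(lines[pos].split())
            pos += 1
        if len(tokens) != count:
            raise ValueError(f"signature {name!r}: expected {count} byte "
                             f"definitions, got {len(tokens)}")
        elems = []
        for tok in tokens:
            if not HEX_TOKEN.match(tok):
                raise ValueError(f"signature {name!r}: bad byte definition {tok!r}")
            elems.append(_token_to_value_mask(tok))
        sigs.append((name, elems))
    return sigs


def match_at(elems, buf, offset):
    """True if every unmasked nibble of the signature agrees with buf at offset."""
    if offset + len(elems) > len(buf):
        return False
    return all((buf[offset + k] & mask) == value
               for k, (value, mask) in enumerate(elems))


def scan(sigs, buf):
    """Return [(signature name, offset), ...] for every position that matches."""
    hits = []
    for name, elems in sigs:
        for off in range(len(buf) - len(elems) + 1):
            if match_at(elems, buf, off):
                hits.append((name, off))
    return hits


if __name__ == "__main__":
    for name, off in scan(parse_sig(SAMPLE_SIG), SAMPLE_BUF):
        print(f"{name} at offset {off:#x}")
```

The parser is deliberately strict: a definition line that carries more tokens than the declared count, a non-hex token, or a signature cut off before N definitions all raise instead of silently producing a pattern that matches something other than what the author wrote.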