
4.11. Detect shellcode by custom patterns (pattern)

hasherezade edited this page Feb 24, 2024 · 18 revisions

Option: /pattern

By default, PE-sieve comes with a set of hardcoded patterns that are used to detect whether a scanned memory area contains shellcode. Their use in the scan is enabled with the parameter /shellc (by selecting /shellc P, or one of the other dedicated options; more information in 4.1.-Detect-shellcodes-(shellc)).

Since version 0.3.9, PE-sieve also offers detection by a custom set of patterns defined by the user. The file with the patterns needs to be supplied after the parameter /pattern. Format: /pattern [patterns file]. Example:

pe-sieve.exe /pid 1243 /pattern my_patterns.txt

The file has to follow the SIG format used by SigFinder. It needs to contain one or more pattern definitions, each written as follows:

<Signature name>
<Number of elements in the signature: N (decimal)>
<N byte definitions>

Each byte definition is the expected value of one byte, in hexadecimal. Any unknown nibble can be masked with ?.

Examples of valid byte definitions:

23 56 12 68

  • matches: 23 56 12 68

55 0? 34 12

  • matches: 55 01 34 12, 55 02 34 12, ... 55 0F 34 12

40 ?? 4? 8? e?

  • matches, for example: 40 89 43 85 e2, 40 AA 44 80 e6
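To show how the nibble masks above behave when a buffer is scanned, here is an added example (not PE-sieve's or SigFinder's own code) that parses a constructed SIG-format file into value/mask pairs and runs the three patterns over a constructed byte buffer. It assumes that the N byte definitions may sit on one line or be spread over several; everything else follows the format described above.

```python
# Constructed patterns file in the SIG format (name, count, byte definitions).
SAMPLE_SIG = """\
demo_sig_1
4
23 56 12 68
demo_sig_2
4
55 0? 34 12
demo_sig_3
5
40 ?? 4? 8? e?
"""
# Constructed buffer: one hit per signature plus a near miss (55 10 34 12) at the end.
SAMPLE_BUF = bytes.fromhex("00 23 56 12 68 55 0a 34 12 40 aa 44 80 e6 55 10 34 12")

def parse_byte_def(tok):
    """Turn a token such as '4?' into (value, mask); a '?' nibble gets mask 0."""
    if len(tok) != 2:
        raise ValueError(f"bad byte definition: {tok!r}")
    value = mask = 0
    for ch in tok:
        value, mask = value << 4, mask << 4
        if ch != "?":
            value |= int(ch, 16)  # ValueError on a non-hex character
            mask |= 0xF
    return value, mask

def parse_sig(text):
    """Parse SIG text into [(name, [(value, mask), ...]), ...]; byte defs may span lines (assumption)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sigs, i = [], 0
    while i < len(lines):
        name, count, i = lines[i], int(lines[i + 1]), i + 2
        toks = []
        while len(toks) < count:  # keep consuming lines until N tokens are collected
            toks += lines[i].split()
            i += 1
        if len(toks) != count:
            raise ValueError(f"{name}: expected {count} byte definitions, got {len(toks)}")
        sigs.append((name, [parse_byte_def(t) for t in toks]))
    return sigs

def find_matches(buf, sigs):
    """Return sorted (offset, name) pairs for every signature hit in buf."""
    hits = []
    for name, defs in sigs:
        for off in range(len(buf) - len(defs) + 1):
            if all((buf[off + k] & m) == v for k, (v, m) in enumerate(defs)):
                hits.append((off, name))
    return sorted(hits)
```

The near miss at the end of the buffer (55 10 34 12) is rejected because the high nibble of the second byte is fixed to 0 by the 0? definition, while 55 0a 34 12 is accepted.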