4.10. Detect obfuscated areas (obfusc)
Sometimes we are dealing with implants that reside in memory in obfuscated (possibly encrypted) form. They are revealed in clear form only for a very short moment, when they are about to perform some (possibly malicious) action; upon completion, they encrypt themselves again. This is why conventional shellcode detection fails on them: there are no familiar patterns that would let us recognize the region as shellcode. Sometimes the memory (during the sleep time) is also set as non-executable, or made fully inaccessible.
Although we cannot detect them with 100% accuracy, since decrypting them in a generic way may not be possible, we can still find the presence of suspicious, encrypted regions. PE-sieve is also able to force access to inaccessible regions and read from them (see option `/data`).
The `/obfusc` option allows searching for obfuscated regions in process memory.
```
obfusc <*obfusc_mode>
: Detect encrypted content, and possible obfuscated shellcodes.
*obfusc_mode:
0 (N) - none: do not detect obfuscated areas
1 (S) - detect areas possibly encrypted with strong encryption
2 (W) - detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)
3 (A) - detect any: possible strong or weak encryption
```
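The mode letters above correspond to two different signals: near-uniform byte entropy, which is what strong encryption leaves behind, and a repeated non-padding byte, which is the typical trace of a single-byte XOR applied over zero-padded code or data. The following is an added illustration written for this page, not PE-sieve's own code; its thresholds, the padding-byte set and the region addresses are assumptions.

```python
import hashlib
import math
import re
from collections import Counter

# Thresholds below are assumptions for this illustration, not PE-sieve's own values.
STRONG_ENTROPY = 7.0                 # bits/byte; near-uniform bytes suggest strong encryption
DOMINANT_RATIO = 0.20                # one non-padding byte filling >= 20% of a region is an XOR pattern
PADDING_BYTES = {0x00, 0xFF, 0xCC}   # fillers that legitimately dominate clear-text regions
MODE_ACCEPTS = {"S": {"S"}, "W": {"W"}, "A": {"S", "W"}}  # the /obfusc mode letters

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer, 0.0 .. 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_region(data: bytes) -> str:
    """'S' = possibly strong encryption, 'W' = possibly weak (single-byte XOR) encryption,
    'N' = nothing suspicious. Same letters as the /obfusc modes on this page."""
    if not data:
        return "N"
    if shannon_entropy(data) >= STRONG_ENTROPY:
        return "S"
    # Weak heuristic: one-byte XOR over zero-padded data turns the padding into runs of the key byte.
    key, count = Counter(data).most_common(1)[0]
    if key in PADDING_BYTES or count / len(data) < DOMINANT_RATIO:
        return "N"
    decoded = bytes(b ^ key for b in data)
    # Corroborate: the candidate key should reveal at least one readable string.
    if re.search(rb"[\x20-\x7e]{8,}", decoded):
        return "W"
    return "N"

def scan_regions(regions: dict, mode: str = "A") -> dict:
    """Classify every region and keep only those the selected /obfusc mode reports."""
    accepted = MODE_ACCEPTS[mode]
    flagged = {name: classify_region(blob) for name, blob in regions.items()}
    return {name: tag for name, tag in flagged.items() if tag in accepted}

# Constructed sample regions (addresses are made up) standing in for three pages of a scanned process.
CLEAR = (b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 24) * 16
XORED = bytes(b ^ 0x5A for b in CLEAR)                            # weakly obfuscated copy
RANDOM = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE_REGIONS = {"0x7ff6c0001000": CLEAR, "0x1f8a0e20000": XORED, "0x1f8a0e40000": RANDOM}
if __name__ == "__main__":
    for mode in ("S", "W", "A"):
        print(mode, scan_regions(SAMPLE_REGIONS, mode))
```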
You can display all the possible arguments by:
```
pe-sieve /obfusc ?
```
Using the `/obfusc` option to search for a sleeping beacon: