-
Notifications
You must be signed in to change notification settings - Fork 439
4.2. Change dump mode (dmode)
dmode <*dump_mode>
: Set in which mode the detected PE files should be dumped.
*dump_mode:
0 (A) - autodetect (default)
1 (V) - virtual (as is in the memory, no unmapping)
2 (U) - unmapped (converted to raw using sections' raw headers)
3 (R) - realigned raw (converted raw format to be the same as virtual)
PE-sieve detects and dumps variety of implants installed in the process' memory. Before dumping, it tries to reconstruct the payload in the best possible way, so that it will be ready for further analysis.
Due to the fact that there are variety of packers/crypters, dumping different payloads requires different approaches.
PE-sieve offers 3 different dump modes, and the autodetection of the mode that is the best fit to unpack a particular sample. In most of the cases the automatic mode will work, offering the best solution. However, if the user wants to manually switch the mode, it can be achieved using the option /dmode
.
- 'Virtual' (
/dmode 1
): The PE is dumped as is in the memory. No change in the sections table is made, as well as to the content of the sections. If the PE was loaded in the memory as executable, it will be in the Virtual format, and it cannot run. This mode is useful when you want to see the original layout that was in the memory, with no modifications applied by PE-sieve.
This mode is auto-selected in cases when the PE in the memory was in the raw format, in order to get the original, uncorrupt binary. It is also used to dump shellcodes.
- 'Unmapped' (
/dmode 2
): The PE is converted to its raw format. No change in the sections table is made. However, the content of the sections is shifted to fit the raw alignment. This type of PE can be loaded by typical tools (i.e. IDA) and eventually redeployed.
This mode is auto-selected in most of the cases - when the PE was in memory in the Virtual format.
- 'Realigned raw' (
/dmode 3
):
In this mode, the Raw Alignment of the PE is changed to be the same as the Virtual Alignment. It is the most suitable for the PE with some packed sections, that are unpacked and expanded in memory. Thanks to the changes in the sections alignment, we are able to contain all the changes in the dump, and make the PE suitable for static analysis.
This mode is auto-selected in cases when some sections has been unpacked in the memory, and they cannot be unmapped without the loss of data. For example, in case if a packer/compressor was applied on the EXE.
More information about the dump modes you can find in the video.