4.4. Scan non executable memory (data)
hasherezade edited this page Jul 17, 2020 · 8 revisions
By default, PE-sieve scans only the memory that is marked as executable.
However, you can change this default behavior with the /data
parameter. To display all the possible arguments, run:
```
pe-sieve /data ?
```

```
/data <*data_scan_mode>
	 : Set if non-executable pages should be scanned.
*data_scan_mode:
	0 - none: do not scan non-executable pages
	1 - .NET: scan non-executable in .NET applications
	2 - if no DEP: scan non-exec if DEP is disabled (or if is .NET)
	3 - always: scan non-executable pages unconditionally
```

You can enable scanning of non-executable memory in some predefined cases:
- .NET applications (mode 1): in .NET applications, code hosted on non-executable pages can also be run. So, this scan is enabled if the scanned process contains .NET modules.
- Applications with DEP disabled (mode 2): if an application has DEP disabled, its non-executable memory can be executed as well. So, this scan is enabled if the scanned process has DEP disabled.
- Unconditionally (mode 3): just scan it every time. WARNING: this will produce a lot of noise/false positives, so use it only when you really need it!