"Shellcode-Compiled" PE detector in scan report #110
nicholasmckinney
started this conversation in
Ideas
Replies: 0 comments
Hi,
I had an idea to try to detect "shellcode-compiled" PE files. There aren't that many open-source tools that do the conversion from PE -> Shellcode, much less so managed code like .NET and scripts. These are tools like your own pe_to_shellcode as well as the sRDI toolkit by NetSPI and Donut.
I figured that people could modify the generated shellcode to help avoid detection, but this could help detect unmodified usage of those tools. Other projects like the Sliver C2 and the PEZor packer use Donut with little if any differences in what gets generated. Some of those tools also leave IoCs upon execution.
I'd like to try to contribute by adding some new fields to the JSON scan report that could detect such tools. You already have the /shellc flag, so I figured that such detections could be implemented in the related code.
Would this be an acceptable feature?
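One concrete shape such a scan-report field could take, as an added example that is not code from the project or from the poster: scan a raw blob for a PE image sitting behind a leading stub and emit the finding as JSON fields. It is a plain header search that fingerprints no particular tool; the stub bytes and the minimal PE header below are constructed for the example, and `shellcode_wrapped_pe_fields` is an assumed name, not an existing report field.

```python
import json
import struct

PE_SIGNATURE = b"PE\x00\x00"
MACHINES = {0x014C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}


def find_embedded_pe(blob: bytes) -> list:
    """Return every offset in blob where a plausible PE image starts.

    A hit needs an 'MZ' DOS header, an e_lfanew that points inside the blob,
    and the 'PE\\0\\0' signature at that location. Encrypted or otherwise
    transformed payloads (e.g. Donut's encrypted module) are not found by
    a plain header search like this one.
    """
    hits = []
    idx = blob.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
            pe_off = idx + e_lfanew
            if (0x40 <= e_lfanew and pe_off + 6 <= len(blob)
                    and blob[pe_off:pe_off + 4] == PE_SIGNATURE):
                machine = struct.unpack_from("<H", blob, pe_off + 4)[0]
                hits.append({"offset": idx,
                             "machine": MACHINES.get(machine, hex(machine))})
        idx = blob.find(b"MZ", idx + 1)
    return hits


def shellcode_wrapped_pe_fields(blob: bytes) -> dict:
    """Fields a scan report could carry: is a PE wrapped behind a stub?"""
    hits = find_embedded_pe(blob)
    after_stub = [h for h in hits if h["offset"] > 0]
    return {
        "embedded_pe_count": len(hits),
        "pe_after_stub": bool(after_stub),
        "first_pe_offset": after_stub[0]["offset"] if after_stub else None,
        "embedded_pe": hits,
    }


# Constructed sample: 16 bytes of filler "stub" followed by a minimal x64 PE
# header (not the output of any real tool, just enough header to be found).
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
           + PE_SIGNATURE + struct.pack("<H", 0x8664) + b"\x00" * 20)
SAMPLE_BLOB = b"\x90" * 16 + FAKE_PE

if __name__ == "__main__":
    print(json.dumps(shellcode_wrapped_pe_fields(SAMPLE_BLOB), indent=2))
```

A PE whose DOS header is itself the entry stub (MZ at offset 0) is reported with `pe_after_stub` false, so that case would need a separate check.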