Updated pe-sieve: 0.3.8. Support new shellc options

hasherezade · hasherezade · commit b535667908b6 · 2023-11-10T12:25:34.000-08:00
diff --git a/mal_unpack_ver.h b/mal_unpack_ver.h
@@ -2,7 +2,7 @@
 
 #define MALUNP_MAJOR_VERSION 0
 #define MALUNP_MINOR_VERSION 9
-#define MALUNP_MICRO_VERSION 7
+#define MALUNP_MICRO_VERSION 8
 #define MALUNP_PATCH_VERSION 0
 
-#define MALUNP_VERSION_STR	"0.9.7"
+#define MALUNP_VERSION_STR	"0.9.8"
diff --git a/params.h b/params.h
@@ -155,8 +155,15 @@ class UnpackParams : public Params
         this->addParam(new BoolParam(PARAM_MINDUMP, false));
         this->setInfo(PARAM_MINDUMP, "Create a minidump of the detected process");
 
-        this->addParam(new BoolParam(PARAM_SHELLCODE, false));
-        this->setInfo(PARAM_SHELLCODE, "Detect shellcodes");
+        EnumParam* shellcParam = new EnumParam(PARAM_SHELLCODE, "shellc_mode", false);
+        if (shellcParam) {
+            this->addParam(shellcParam);
+            this->setInfo(PARAM_SHELLCODE, "Detect shellcode implants (by patterns or statistics). ");
+            shellcParam->addEnumValue(pesieve::t_shellc_mode::SHELLC_PATTERNS, "P", "detect shellcodes by patterns");
+            shellcParam->addEnumValue(pesieve::t_shellc_mode::SHELLC_STATS, "S", "detect shellcodes by stats");
+            shellcParam->addEnumValue(pesieve::t_shellc_mode::SHELLC_PATTERNS_OR_STATS, "A", "detect shellcodes by patterns or stats (any match)");
+            shellcParam->addEnumValue(pesieve::t_shellc_mode::SHELLC_PATTERNS_AND_STATS, "B", "detect shellcodes by patterns and stats (both match)");
+        }
 
         this->addParam(new BoolParam(PARAM_HOOKS, false));
         this->setInfo(PARAM_HOOKS, "Detect hooks and patches");
@@ -181,7 +188,6 @@ class UnpackParams : public Params
             impParam->addEnumValue(pesieve::t_imprec_mode::PE_IMPREC_REBUILD2, "R2", translate_imprec_mode(pesieve::t_imprec_mode::PE_IMPREC_REBUILD2));
         }
 
-
         EnumParam* norespParam = new EnumParam(PARAM_NORESPAWN, "respawn_protect", false);
         if (norespParam) {
 
@@ -303,7 +309,7 @@ class UnpackParams : public Params
 
         copyVal<BoolParam>(PARAM_REFLECTION, ps.make_reflection);
         copyVal<BoolParam>(PARAM_MINDUMP, ps.minidump);
-        copyVal<BoolParam>(PARAM_SHELLCODE, ps.shellcode);
+        copyVal<EnumParam>(PARAM_SHELLCODE, ps.shellcode);
         copyVal<EnumParam>(PARAM_IMP, ps.imprec_mode);
         copyVal<EnumParam>(PARAM_DATA, ps.data);
         copyVal<BoolParam>(PARAM_CACHE, ps.use_cache);
diff --git a/pe-sieve b/pe-sieve
@@ -1 +1 @@
-Subproject commit 5769040406b62832937924cd0d91f1c042b154c4
+Subproject commit cd91debf94564f9b060e17b996fc54aaef13d2b1
