Commit da2191c: update readme
buzzer-re committed Sep 17, 2023
1 parent 1befdb5 commit da2191c
Showing 2 changed files with 11 additions and 5 deletions.
16 changes: 11 additions & 5 deletions README.md
@@ -43,7 +43,7 @@ The tool has a couple of options:


```bash
Usage: Shinigami [--help] [--version] [--output VAR] [--stop-at-write] [--verbose] [--only-executables] program_name
Usage: Shinigami [--help] [--version] [--output VAR] [--stop-at-write] [--verbose] [--only-executables] [--exported VAR] program_name

Positional arguments:
program_name Name of the program to execute
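Review bot: the new `[--exported VAR]` in the usage line keeps the generic `VAR` placeholder, so the synopsis does not say what the argument is until the reader reaches the option table further down; a descriptive metavar such as `[--exported FUNCTION]` (or whatever name the argument parser lets you set for it) would make the usage line self-explanatory, consistent with the `-e, --exported` description that the same commit adds.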
@@ -55,7 +55,7 @@ Optional arguments:
--stop-at-write Unhollow: Stop the execution when the PE file is being to be written
--verbose Display a verbose output
-p, --only-executables Only extract PE artefacts

-e, --exported Exported Function: Choose a exported function to execute if the target is a DLL (rundll will be used)
```
Some important options are:
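Review bot: the added help text reads "Choose a exported function"; it should be "an exported function". The same line should also say what the option does when the target is not a DLL (ignored, or an error), and "rundll will be used" would be clearer if it named the exact loader binary that is invoked, since that is what a user will see in the process tree.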
@@ -66,9 +66,6 @@ Some important options are:
***--verbose***: Displays a verbose output. This can be useful for debugging or understanding the inner workings of Shinigami.
## DLL Support

Currently, Shinigami does not load DLL executables within its context. However, this feature is under development. In the meantime, you can utilize this handy [tool](https://github.com/buzzer-re/dll2exe) that I have built to convert DLL to EXE files, allowing you to select the desired exported function as entrypoint (if needed). In a future release, this tool's functionality will be available natively within Shinigami.
### Example usage:
## Unhollow
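Review bot: removing the dll2exe paragraph and the empty "### Example usage:" heading leaves "## DLL Support" in the context line with no body at all before "## Unhollow". Either drop that heading as well or keep one sentence under it that points at the new `-e, --exported` option, which is what replaces the external tool this paragraph used to recommend.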
@@ -94,6 +91,15 @@ The detected implant will be dumped following the format described at [detection
In the example above, Shinigami automatically detected the behavior of a generic loader and extracted all the executed shellcodes and images within it, without requiring any specific switches to enable or disable the unpacking routine. This was possible because Shinigami shares some functions with the unhollow module, using shared hooks provided by the [Gancho](https://github.com/buzzer-re/gancho) library.
## Emotet
|![](assets/screenshots/emotet.png)|
|:--:|
|Unpacking Emotet DLL|
Shinigami also has DLL support and the ability to rebuild injected binaries using detached DOS headers. Notably, malware samples like Emotet use this technique to evade in-memory PE scanners. Shinigami detects such missing parts (DOS header) and employs heuristics to reconstruct them.
## Installing
Grab your flavor at the [Release](https://github.com/buzzer-re/Shinigami/releases) page.
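Review bot: the new Emotet section states "Shinigami also has DLL support" but never says how a DLL sample is run; one line mentioning the `--exported` option from the usage section (the exported function to execute via rundll) would tie the feature to the flag that enables it. Also, the image row `|![](assets/screenshots/emotet.png)|` has empty alt text; reuse the caption ("Unpacking Emotet DLL") as the alt text so the screenshot is still described when it does not load.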
Binary file added assets/screenshots/emotet.png
0 comments on commit da2191c
