Topic created on: December 12, 2014 14:35 CST by legola .
my question could seems stupid but please do not judge me :)
The question is:
If an attacker exploits a memory corruption vulnerability (or a browser one) to execute a shellcode, should i find this shellcode in the process memory through volatility after i have performed a memory dump of the system ? To better explain, if memory corruption vulnerability of iexplorer.exe is exploited and a shellcode encoded with "shigata_ga_nai" encoder is executed, should i find the pattern "D9 74 24 F4" (fnstenv GetEIP) instruction in memory dump of iexplorer.exe that i could analyze with volatility for example ? Thank you very much !!!!