Aether

Signature scanning

Aether supports signature scanning based on static and dynamic JSON rules. The tool scans memory regions using byte-pattern matching with a first-byte index, which provides a 50-100x speedup over basic scanning. Because it matches strings in both ASCII and UTF-16LE encodings, Aether signature scanning catches strings stored by the .NET CLR. It also detects traces of reflective loaders in the PE header.

  • Scan a process with all available rules.
./Aether.exe --scan --pid 12345 --rules 
  • Scan a process with a custom rule.
./Aether.exe --scan --pid 12345 --config ./rules/Cobalt.json
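
To illustrate the first-byte index and the ASCII + UTF-16LE string matching described above, here is an added sketch; it is not Aether's code. The rule layout (`name`, `type`, `value`), the function names and the sample buffer are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Constructed rules; this JSON layout is an assumption, not Aether's schema.
RULES_JSON = """[
  {"name": "demo_string", "type": "string", "value": "DemoMarker"},
  {"name": "demo_bytes",  "type": "hex",    "value": "4D 5A ?? ?? 50 45"}
]"""

def compile_rules(rules_json):
    """Expand rules into (name, pattern) pairs; None in a pattern is a wildcard."""
    compiled = []
    for rule in json.loads(rules_json):
        if rule["type"] == "string":
            # The .NET CLR stores strings as UTF-16LE; native code often uses ASCII.
            for enc in ("ascii", "utf-16-le"):
                pat = list(rule["value"].encode(enc))
                compiled.append((f'{rule["name"]}:{enc}', pat))
        else:
            pat = [None if t == "??" else int(t, 16) for t in rule["value"].split()]
            compiled.append((rule["name"], pat))
    return compiled

def build_index(compiled):
    """Map first byte -> patterns starting with that byte."""
    index = defaultdict(list)
    for name, pat in compiled:
        if pat[0] is None:
            raise ValueError(f"{name}: pattern must not start with a wildcard")
        index[pat[0]].append((name, pat))
    return index

def scan(buf, index):
    """Return sorted (offset, rule) hits; full compares run only at indexed bytes."""
    hits = []
    for first, patterns in index.items():
        needle = bytes([first])
        pos = buf.find(needle)  # fast skip to the next candidate offset
        while pos != -1:
            for name, pat in patterns:
                window = buf[pos:pos + len(pat)]
                if len(window) == len(pat) and all(
                        p is None or p == b for p, b in zip(pat, window)):
                    hits.append((pos, name))
            pos = buf.find(needle, pos + 1)
    return sorted(hits)

# Constructed region: header-like bytes, an ASCII string, then the UTF-16LE form.
SAMPLE = (b"MZ\x90\x00PE" + b"\x00" * 10 + b"DemoMarker" + b"\x00" * 4
          + "DemoMarker".encode("utf-16-le"))
```

Patterns are grouped by their first byte, so the full comparison runs only at offsets where an indexed byte occurs instead of at every offset for every rule.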