SliverPicker is a Sliver C2 implant forensics tool that extracts the session key and other useful context from implant process memory.
It currently supports 32-bit and 64-bit Windows and Linux implants using the HTTP, HTTPS or DNS transport mode.
Dependencies:
- minidump for analyzing Windows process minidumps.
- pyelftools for analyzing ET_CORE ELF coredumps.
Provide SliverPicker with a process memory dump file of the implant and one piece of information that can be easily retrieved from network traffic analysis:
- HTTP C2 - one of the following:
  - Session ID (may be visible in the HTTP Cookie header).
  - URL of the origin C2 server or of the HTTP proxy server the implant connects through, in the format http(s)://hostname:port. Note that the exact hostname used by the implant is needed, not an IP address.
- DNS C2:
  - Parent domain name of the C2 DNS queries, in full FQDN format (.example.com.).
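As an added example (not part of SliverPicker), the following Python pulls those inputs out of captured traffic so they can be handed to the matching command-line option: cookie values for the session ID, the Host header for the origin URL, and the common suffix of the DNS query names for the parent domain. It assumes a session ID has the 32-hex-character shape of the sample value in this README; the HTTP request and DNS names are constructed.

```python
import re
from typing import List, Optional

# Assumption: a Sliver session ID looks like the README's sample, 32 lowercase hex chars.
_HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample capture (not real traffic): one implant HTTP request and a few DNS queries.
SAMPLE_REQUEST = (
    "GET /api/v1/session HTTP/1.1\r\n"
    "Host: c2.example.com\r\n"
    "Cookie: PHPSESSID=ac2d75d0662ef7254ec67e5d9dd23ebc; lang=en\r\n\r\n"
)
SAMPLE_DNS = ["3kq1vz.example.com.", "p0a8.example.com.", "x.example.com."]

def session_ids_from_cookie(raw_request: str) -> List[str]:
    """Cookie values shaped like a session ID, candidates for --sessionid."""
    ids = []
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                value = pair.strip().partition("=")[2]
                if _HEX32.match(value):
                    ids.append(value)
    return ids

def origin_from_request(raw_request: str, tls: bool) -> Optional[str]:
    """http(s)://hostname:port from the Host header, for --origin; keeps the hostname as sent, never an IP."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
            if ":" not in host:
                host += ":443" if tls else ":80"
            return ("https://" if tls else "http://") + host
    return None

def dns_parent_domain(queries: List[str]) -> Optional[str]:
    """Longest common suffix of the queried names, as .example.com., for --dns (payload labels vary, parent is constant)."""
    split = [q.strip(".").lower().split(".") for q in queries if q.strip(".")]
    if not split:
        return None
    common = split[0]
    for labels in split[1:]:
        n = 0
        while n < min(len(common), len(labels)) and common[-1 - n] == labels[-1 - n]:
            n += 1
        common = common[len(common) - n:] if n else []
    return "." + ".".join(common) + "." if common else None
```

If every captured query has the same name, the suffix is the full name rather than the parent; feed it more queries before trusting the result.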
Usage examples:

```shell
python3 -m SliverPicker --mem pid.dmp --origin http://c2.example.com:80
python3 -m SliverPicker --mem pid.dmp --proxyurl http://proxy.example.com:3128
python3 -m SliverPicker --mem pid.dmp --sessionid ac2d75d0662ef7254ec67e5d9dd23ebc
python3 -m SliverPicker --mem pid.dmp --dns .example.com.
```

SliverPicker is licensed under the GNU General Public License v3.0.
SliverPicker
Copyright (C) 2026 Rui Xi "Cycloctane"
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.