PE-sieve

PE-sieve is my open source tool based on libpeconv . The tool is dedicated to Windows, all versions are supported, starting from XP.

It scans a given process, searching for manually loaded or modified modules. When found, it dumps the modified/suspicious PE along with a report in JSON format, detailing about the found indicators.

detected.png

Currently it detects inline hooks, hollowed processes, Process Doppelgänging, injected PE files, and more. In case if the PE file was patched in the memory, it gives a detailed report about where are the changed bytes (and few other properties).

PE-sieve is available in 2 flavors – as standalone executable, and as a DLL. The DLL version is a base of my other project: HollowsHunter – that makes an automated scan of all the running processes. More about it in the further part of the post.

The tool is under rapid development, so expect frequent updates.

Tweets about PE-sieve: news, updates, etc.

Where to get it?

The tool is open-source, available on my github:

  https://github.com/hasherezade/pe-sieve

It was tested and certified by softpedia.com.

Usage

It has a simple, commandline interface. When run without parameters, it displays info about the version and required arguments:

sieve

When you run it giving a PID of the running process, it scans all the PE modules in its memory (the main executable, but also all the loaded DLLs). At the end, you can see the summary of how many anomalies have been detected of which type.

scan_summary.png

In case if some modified modules has been detected, they are dumped into a folder of a given process, for example:

unpacked.png

JSON report specifies where the implants were found:

json_report

Detailed characteristics of the suspicious indicators are given in the JSON report, that is dumped into the same folder.

Short history & features

Detecting inline hooks and patches

I started creating it for the purpose of searching and examining inline hooks. You can see its initial version here:

With time its precision and abilities significantly improved, and hooking detection is only one of many features of this tool.

In case if the code of the original executable was patched in memory, additionally to the main JSON report, PE-sieve generates a TAG file.

tag_file

Its purpose is to describe at which offset a patch has been found, and of what type (either a patch, or a hook/redirection). We can easily see what function has been hooked and where the redirection leads to.

report_with_patches.png

The file that was patched is also dumped on the disk, so that we can examine it more closely under a dissembler. The TAG file can be loaded i.e. into PE-bear. Thanks to this, we can easily browse the found hooks and check the code that was overwritten.

pe_bear_loaded

For example – in the application presented above, two functions within User32.dll have been hooked and their execution was redirected to the main module, loaded at 0x400000.

The same TAG file can be also loaded into IDA, with the help of the IFL plugin.

1.

load_names

2.

tag

Sample use-case: PE-sieve helping to examine hooks installed by PBot adware.

 

hook_type2

hook_type2_disasm

Detecting hollowed processes

Later, I extended it to detect process hollowing etc – and it turned out to be pretty convenient unpacker:

Detecting Process Doppelgänging

In a similar manner, it can detects some other methods of impersonating a processes, for example Process Doppelgänging. The malicious payload is directly dumped and ready to be analyzed:

Manually loaded implants

PE-sieve scan is not limited to typically loaded modules. Full workingset of the process is scanned against the suspicious artefacts. Thanks to this, also PE files that are manually loaded are detected. Example: Kronos.

report_fragment.png

dumped_implant.png

Some real-life example: Gand Crab’s manually loaded DLL was easily dumped with PE-sieve.

Recovering erased imports

PE-sieve has an ability to recover erased imports. In order to enable it, deploy it with an  option /imp . Example – unpacking manually loaded payloads with imports erased (Emotet):

Recovering erased PE headers

Sometimes malware authors erase PE headers to evade tools that base their detection on the known patterns. PE-sieve still can detect the cases when the header was partially erased and reconstruct it:

Future development

The project is still not finished and I have many ideas how to make it better. I am planning to detect not only code modifications, but also other types of hooking, such as IAT and EAT patching.

Some in-memory patches are done by legitimate applications, so, in the future version I will provide capability of whitelisting defined patches.

I am also planning to extend its dumping capabilities against the malicious processes that are trying to defend themselves against dumpers etc.

PE-sieve as a DLL

During the development process I got an idea to make a DLL version of the PE-sieve, so that it can be incorporated in other projects.

Building PE-sieve from sources as a DLL is very easy – you just need to set one CMake option: PE_SIEVE_AS_DLL:

build_as_dll

The PE-sieve DLL exposes a minimalistic API. Two functions are exported:

pe-sieve_func

  1. PESieve_help – displays a short info and the version of the DLL.
  2. PESieve_scan – a typical scan with a given parameters, like in the PE-Sieve.exe

The necessary headers needs to be included from the folder “pe-sieve\include“:

https://github.com/hasherezade/pe-sieve/tree/master/include

I have plans to enrich the API in the future. For now, you can see the PE-sieve DLL in action in the HollowsHunter project.

Ideas? Bugs?

If you noticed bug or have an idea for a useful feature, don’t hesitate to mail me or create a Github issue – I check them regularly:

https://github.com/hasherezade/pe-sieve/issues

9 Responses to PE-sieve

  1. samohyes says:

    Hi, thanks for your paper! I actually have a problem here. Your tool seems can dump the payload of the process hollowing? But I tried that with a process hollowing malware here https://www.hybrid-analysis.com/sample/e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc?environmentId=100. It seems I can’t dump the payload. I just stop before the “resumethread”. And I tried to use your tool to dump both the child process and the original one and failed. Can you give me some ideas?

  2. Mickey says:

    Hi,
    Can the tool be used on a memory dump file, as not all systems’ owners allow live forensics to be done on their live systems?
    Thanks!

  3. Pingback: PE-sieve, a command line tool for investigating inline hooks – So Long, and Thanks for All the Fish

  4. Pingback: Loki v0.28.2 – Simple IOC and Incident Response Scanner | SecTechno

  5. Pete Jacob says:

    Nice I wonder if this can detect meltdown?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s