PE-sieve is my open source tool based on libpeconv . The tool is dedicated to Windows, all versions are supported, starting from XP.

It scans a given process, searching for potentially malicious implants and patches within the process space. When found, it dumps the modified/suspicious PE along with a report in JSON format, detailing about the found indicators.


Currently it detects inline hooks, hollowed processes, Process Doppelgänging, injected PE files, and more. In case if the PE file was patched in the memory, it gives a detailed report about where are the changed bytes (and few other properties).

PE-sieve is available in 2 flavors – as standalone executable, and as a DLL. The DLL version is a base of my other project: HollowsHunter – that makes an automated scan of all the running processes. More about it in the further part of the post.

Complete documentation is available on project Wiki.

The tool is under rapid development, so expect frequent updates.


Tested and certified by

13 Responses to PE-sieve

  1. samohyes says:

    Hi, thanks for your paper! I actually have a problem here. Your tool seems can dump the payload of the process hollowing? But I tried that with a process hollowing malware here It seems I can’t dump the payload. I just stop before the “resumethread”. And I tried to use your tool to dump both the child process and the original one and failed. Can you give me some ideas?

  2. Mickey says:

    Can the tool be used on a memory dump file, as not all systems’ owners allow live forensics to be done on their live systems?

  3. Pingback: PE-sieve, a command line tool for investigating inline hooks – So Long, and Thanks for All the Fish

  4. Pingback: Loki v0.28.2 – Simple IOC and Incident Response Scanner | SecTechno

  5. Pete Jacob says:

    Nice I wonder if this can detect meltdown?

  6. Pingback: Extracting Malware from Memory with Hollows_Hunter –

  7. Pingback: The Use – and Abuse – of DotNet Files, and the Value of FortiResponder Automation in the Threat Analysis Process – Computer Security Articles

  8. Pingback: ▷ Loki: Simple IOC and Incident Response Scanner » GeekScripts

  9. Ahmed says:

    Nice work !!keep up . I would like to follow you , why not do some projects with you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s