PE-sieve


PE-sieve is my open-source tool built on libpeconv. It is dedicated to Windows; all versions are supported, starting from XP.

It scans a given process, searching for potentially malicious implants and patches within the process space. When it finds any, it dumps the modified or suspicious PE along with a report in JSON format detailing the indicators found.

[screenshot: detected.png]

Currently it detects inline hooks, hollowed processes, Process Doppelgänging, injected PE files, and more. If a PE file was patched in memory, it gives a detailed report about where the changed bytes are (and a few other properties).
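The core of the "patched in memory" check is a diff between the code section as it is on disk and as it is in the process, with one caveat a practitioner will hit immediately: the loader legitimately rewrites absolute addresses when it maps the module away from its preferred ImageBase, so base relocations must be applied to the on-disk copy first or every relocated dword shows up as a bogus patch. The following is an added example written for this post, not PE-sieve's own code and not its report format. It works on constructed sample bytes (a tiny 32-bit `.text` section with an assumed preferred base of 0x400000 mapped at 0x670000, one HIGHLOW relocation, and a JMP rel32 hook planted on the first function), so it runs offline; in a real scan the bytes would come from the PE on disk and from reading the live process memory.

```python
"""Added example (not PE-sieve's code): detect in-memory patches of a PE
code section by diffing it against the on-disk copy, after applying base
relocations so that relocated absolute addresses are not false positives.
All bytes below are constructed sample data, not from a real module."""
import json
import struct

# Assumed layout for the constructed 32-bit module (not a real binary).
PREFERRED_BASE = 0x00400000   # ImageBase from the on-disk headers
MODULE_BASE = 0x00670000      # where the loader actually mapped it
SECTION_RVA = 0x1000          # RVA of .text


def apply_relocations(section, reloc_rvas, section_rva, delta):
    """Add `delta` to every 32-bit field an IMAGE_REL_BASED_HIGHLOW entry points at."""
    out = bytearray(section)
    for rva in reloc_rvas:
        off = rva - section_rva
        if 0 <= off <= len(out) - 4:
            value = struct.unpack_from("<I", out, off)[0]
            struct.pack_into("<I", out, off, (value + delta) & 0xFFFFFFFF)
    return out


def build_sample():
    """Return (disk_text, mem_text, reloc_rvas) for the constructed module."""
    disk = bytearray(b"\xCC" * 0x40)
    disk[0x00:0x06] = b"\x55\x8B\xEC\x83\xEC\x10"            # push ebp; mov ebp,esp; sub esp,0x10
    disk[0x06:0x20] = b"\x90" * 0x1A                            # filler
    disk[0x20:0x25] = b"\xA1" + struct.pack("<I", 0x00403000)   # mov eax,[0x00403000]; needs relocation
    disk[0x25] = 0xC3                                           # ret
    reloc_rvas = [SECTION_RVA + 0x21]   # relocation entry for the dword operand at 0x21

    # What the loader produced in memory: relocation applied ...
    mem = apply_relocations(disk, reloc_rvas, SECTION_RVA, MODULE_BASE - PREFERRED_BASE)
    # ... and then an inline hook: the prologue overwritten with JMP rel32 to a trampoline.
    trampoline = MODULE_BASE + 0x5000
    rel32 = trampoline - (MODULE_BASE + SECTION_RVA + 0x00 + 5)
    mem[0x00:0x05] = b"\xE9" + struct.pack("<i", rel32)
    return bytes(disk), bytes(mem), reloc_rvas


def diff_runs(a, b):
    """Return (offset, length) for each maximal run of differing bytes."""
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs


def classify(mem, offset, length, va):
    """Name the patch: a JMP rel32 at its start is the classic inline hook."""
    if length >= 5 and mem[offset] == 0xE9:
        rel = struct.unpack_from("<i", mem, offset + 1)[0]
        return "inline hook (JMP rel32)", (va + 5 + rel) & 0xFFFFFFFF
    return "patch", None


def scan_section(disk_text, mem_text, reloc_rvas, section_rva=SECTION_RVA,
                 preferred_base=PREFERRED_BASE, module_base=MODULE_BASE,
                 apply_relocs=True):
    """Diff the in-memory section against the on-disk one and build a report.
    The JSON shape is this example's own, not PE-sieve's report format."""
    expected = bytearray(disk_text)
    if apply_relocs:
        expected = apply_relocations(expected, reloc_rvas, section_rva,
                                     module_base - preferred_base)
    patches = []
    for off, length in diff_runs(expected, mem_text):
        va = module_base + section_rva + off
        kind, target = classify(mem_text, off, length, va)
        entry = {
            "offset": hex(off), "rva": hex(section_rva + off), "va": hex(va),
            "length": length, "type": kind,
            "original": expected[off:off + length].hex(),
            "patched": mem_text[off:off + length].hex(),
        }
        if target is not None:
            entry["target"] = hex(target)
        patches.append(entry)
    return {"module_base": hex(module_base), "section": ".text",
            "relocations_applied": apply_relocs, "patches": patches}


if __name__ == "__main__":
    disk, mem, relocs = build_sample()
    print(json.dumps(scan_section(disk, mem, relocs), indent=2))
    # Skipping relocation fix-up makes the relocated dword look like a second patch:
    naive = scan_section(disk, mem, relocs, apply_relocs=False)
    print(len(naive["patches"]), "patches reported without applying relocations")
```

With relocations applied, the only finding is the 5-byte JMP at the start of the section, resolved to its trampoline address; with `apply_relocs=False` the single differing byte of the relocated operand at offset 0x23 is reported as well, which is exactly the noise a scanner must filter out before calling anything a hook.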

PE-sieve is available in two flavors: as a standalone executable and as a DLL. The DLL version is the base of my other project, HollowsHunter, which automatically scans all running processes. More about it later in the post.

Complete documentation is available on the project Wiki.

The tool is under rapid development, so expect frequent updates.

[image: sp100free.png]

Tested and certified by softpedia.com.


9 Responses to PE-sieve

  1. samohyes says:

    Hi, thanks for your paper! I actually have a problem here. Your tool seems to be able to dump the payload of process hollowing? But I tried that with a process hollowing malware here https://www.hybrid-analysis.com/sample/e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc?environmentId=100. It seems I can’t dump the payload. I just stop before the “resumethread”. And I tried to use your tool to dump both the child process and the original one and failed. Can you give me some ideas?

  2. Mickey says:

    Hi,
    Can the tool be used on a memory dump file, as not all systems’ owners allow live forensics to be done on their live systems?
    Thanks!

  3. Pingback: PE-sieve, a command line tool for investigating inline hooks – So Long, and Thanks for All the Fish

  4. Pingback: Loki v0.28.2 – Simple IOC and Incident Response Scanner | SecTechno

  5. Pete Jacob says:

    Nice, I wonder if this can detect Meltdown?
