suzakri / pe-sieve Public

forked from hasherezade/pe-sieve

Notifications You must be signed in to change notification settings
Fork 0
Star 0

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

hshrzd.wordpress.com/pe-sieve/

BSD-2-Clause license

0 stars 441 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 80 Commits
.appveyor.yml		.appveyor.yml
.gitignore		.gitignore
CMakeLists.txt		CMakeLists.txt
LICENSE		LICENSE
README.md		README.md
hollowing_scanner.cpp		hollowing_scanner.cpp
hollowing_scanner.h		hollowing_scanner.h
hook_scanner.cpp		hook_scanner.cpp
hook_scanner.h		hook_scanner.h
main.cpp		main.cpp
process_privilege.cpp		process_privilege.cpp
process_privilege.h		process_privilege.h
scanner.cpp		scanner.cpp
scanner.h		scanner.h
util.cpp		util.cpp
util.h		util.h

Repository files navigation

PE-sieve

PE-sieve scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE.
Detects inline hooks, hollowed processes etc.

uses library: https://github.com/hasherezade/libpeconv.git

Clone:

git clone https://github.com/hasherezade/pe-sieve.git
cd pe-sieve
git clone https://github.com/hasherezade/libpeconv.git

Compiled versions:

32bit: https://drive.google.com/uc?export=download&id=1TWRF1BtTEHMdd42CPZXpSmOxO9DFlovL
64bit: https://drive.google.com/uc?export=download&id=1-LvYrTMJpp4LVo_2fBN5urz2DTezEJvi

About

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

hshrzd.wordpress.com/pe-sieve/

Readme

BSD-2-Clause license

Activity

0 stars

0 watching

0 forks

Report repository