Skip to content

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

License

Notifications You must be signed in to change notification settings

Jack-McDowell/pe-sieve

 
 

Repository files navigation

PE-sieve

Build status Codacy Badge License GitHub release Github All Releases Twitter URL

FAQ - Frequently Asked Questions

📖 Read Wiki

PE-sieve is a tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. Recognizes and dumps variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches.
Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.

PE-sieve is meant to be a light-weight engine dedicated to scan a single process at the time. It can be built as an EXE or as a DLL. The DLL version exposes a simple API and can be easily integrated with other applications.

If instead of scanning a particular process you want to scan your full system with PE-sieve, you can use HollowsHunter. It contains PE-sieve (a DLL version), but offers also some additional features and filters on the top of this base.

📦 Uses library: libPEConv

Clone

Use recursive clone to get the repo together with the submodule:

git clone --recursive https://github.com/hasherezade/pe-sieve.git

Builds

Download the latest release, or read more.


logo by Baran Pirinçal

About

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C++ 74.3%
  • C 24.1%
  • CMake 1.5%
  • Shell 0.1%