PE-sieve / Hollows Hunter — Detecting and dumping of potentially malicious implants

guest · Jun 16, 2019

PE-sieve is a light-weight tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis.
Recognizes and dumps variety of implants within the scanned process, such as:
• replaced/injected PEs
• shellcodes
• hooks, and other in-memory patches.

Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.
It can be used for dynamic malware unpacking.
PE-sieve works on Windows, the lowest supported version is XP.
Click to expand...

PE-sieve
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches)
Website
Releases

Hollows Hunter
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches
Website
Releases

FAQ

PE-sieve vs HollowsHunter - what is the difference?
PE-sieve is meant to be a light-weight engine dedicated to scan a single process.

If instead of scanning a particular process you want to scan your full system with PE-sieve, you can use HollowsHunter. It contains PE-sieve (a DLL version), but offers also some other features and filters on the top of this base. Hollows Hunter is a command-line application with an interface similar to PE-sieve

How it works?
See the following slides for the detailed explanation
Click to expand...

EASTER · Jun 17, 2019

Interesting command line tools there. Thanks @mood

guest · Jun 18, 2019

There might be false positives. Reason:

https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ#pe-sieve-gives-me-a-lot-of-false-positives-why
PE-sieve gives me a lot of false positives! Why?
I need to emphasize it again: PE-sieve is a tool to detect code implants, not to make a judgment about them. It will detect all sort of hooks, hot-patching, and modifications in a process. There are multiple reasons why such modifications can be installed, and they may not necessarily be malicious.

PE-sieve may be especially noisy in a presence of some antivirus software - just because they do monitor applications by hooking them. Lots of AV products actually use similar techniques as malware do.
[...]
In the future I am planning to implement whitelists, so that users will be able to regulate the level of details that they want to see, and reduce the noise.
Click to expand...

Log in or Sign up

PE-sieve / Hollows Hunter — Detecting and dumping of potentially malicious implants

guest Guest

EASTER Registered Member

guest Guest

Log in or Sign up

PE-sieve / Hollows Hunter — Detecting and dumping of potentially malicious implants

guest Guest

EASTER Registered Member

guest Guest

Useful Searches