PE-sieve – Tool to Detect Malware Running on System

PE-sieve is a lightweight tool that helps detect malware running on a system and collect the potentially malicious material for further analysis. It is intended to help malware analysts, malware hunters, and incident responders in their daily work.

Given a new sample to analyze, you can unpack it with PE-sieve very quickly, extracting the payload so that it can be easily identified and used for further analysis.


The tool recognizes and dumps a variety of implants within the scanned process, such as:

  • replaced/injected PEs
  • shellcodes
  • hooks and other in-memory patches.

It also detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, and similar techniques, and it can be used for dynamic malware unpacking. PE-sieve works on Windows; the lowest supported version is XP.

This utility is meant to be a lightweight engine dedicated to scanning a single process at a time. It can be built as an EXE or as a DLL. The DLL version exposes a simple API and can be easily integrated with other applications.

If, instead of scanning a particular process, you want to scan your full system with this tool, you can use HollowsHunter. It contains PE-sieve (the DLL version) but also offers additional features and filters on top of this base.

The latest release, v0.2.3, includes several bug fixes and the following features:

  • Creates a MiniDump for a process detected as suspicious (option /minidmp)
  • Supports Linux-style parameter switches (e.g. -shellc as an equivalent of /shellc)
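The single-process workflow described above, wrapped for incident-response use, as an added example that is not part of the PE-sieve project or of this post. It runs one scan against a chosen PID, asks for shellcode detection and (optionally) the MiniDump described in the release notes, and turns the JSON summary into a small triage record. Assumptions: pe-sieve64.exe is on PATH or passed via -PeSievePath; the /pid, /json, /quiet and /dir switches are taken from the tool's own command-line help rather than from this page (only /shellc and /minidmp are named here); and the JSON summary has the shape pe_sieve_report -> scanned -> modified -> total. If your build's JSON layout differs, adjust the field path in Get-PeSieveVerdict.

```powershell
# Added example (not PE-sieve project code): scan one process with PE-sieve and
# produce a triage record from its JSON summary.
# Assumed switches (from pe-sieve's CLI help, not this page): /pid /json /quiet /dir
# Switches named on the page: /shellc /minidmp
param(
    [Parameter(Mandatory = $true)][int]$TargetPid,
    [string]$PeSievePath = "pe-sieve64.exe",
    [string]$OutputRoot  = (Join-Path $env:TEMP "pe-sieve-dumps"),
    [switch]$MiniDump
)

function Invoke-PeSieveScan {
    param([int]$ProcessToScan, [string]$Exe, [string]$DumpRoot, [bool]$WithMiniDump)

    # One output directory per PID so dumps from different scans do not collide.
    $dumpDir = Join-Path $DumpRoot ("pid_{0}" -f $ProcessToScan)
    New-Item -ItemType Directory -Force -Path $dumpDir | Out-Null

    # /shellc: also look for shellcode implants; /json: summary as JSON;
    # /quiet: suppress progress chatter; /dir: where dumped material goes.
    $argList = @("/pid", $ProcessToScan, "/shellc", "/json", "/quiet", "/dir", $dumpDir)
    if ($WithMiniDump) { $argList += "/minidmp" }   # /minidmp is described on the page

    # Capture everything the tool prints; the JSON summary is extracted below.
    $raw = (& $Exe @argList 2>&1 | Out-String)
    return [pscustomobject]@{ Output = $raw; DumpDir = $dumpDir }
}

function Get-PeSieveVerdict {
    param([string]$RawOutput, [int]$ProcessToScan, [string]$DumpDir)

    # Pull the outermost JSON object out of the captured text (the tool may print
    # other lines around it); fail closed to "unknown" rather than "clean".
    $start = $RawOutput.IndexOf("{")
    $end   = $RawOutput.LastIndexOf("}")
    if ($start -lt 0 -or $end -le $start) {
        return [pscustomobject]@{
            Pid = $ProcessToScan; Verdict = "unknown"; Modified = $null
            Detail = "no JSON summary found"; DumpDir = $DumpDir
        }
    }
    $report = ($RawOutput.Substring($start, $end - $start + 1) | ConvertFrom-Json)

    # Assumed layout: pe_sieve_report.scanned.modified.total (see lead-in).
    $modified = $report.pe_sieve_report.scanned.modified
    $total    = [int]$modified.total
    $verdict  = if ($total -gt 0) { "suspicious" } else { "clean" }

    [pscustomobject]@{
        Pid      = $ProcessToScan
        Verdict  = $verdict
        Modified = $total
        # Per-category counts help decide what to look at first in the dump dir.
        Detail   = ($modified.PSObject.Properties |
                    Where-Object { $_.Name -ne "total" } |
                    ForEach-Object { "{0}={1}" -f $_.Name, $_.Value }) -join ", "
        DumpDir  = $DumpDir
    }
}

# Entry point: run the scan, then record the verdict alongside the dump directory.
$scan    = Invoke-PeSieveScan -ProcessToScan $TargetPid -Exe $PeSievePath `
                              -DumpRoot $OutputRoot -WithMiniDump $MiniDump.IsPresent
$verdict = Get-PeSieveVerdict -RawOutput $scan.Output -ProcessToScan $TargetPid -DumpDir $scan.DumpDir
$verdict | Format-List
```

Usage: `.\Scan-WithPeSieve.ps1 -TargetPid 1234 -MiniDump` from an elevated prompt, since reading another process's memory needs sufficient rights. Keeping the verdict separate from the raw output makes it easy to append records from many scans to one CSV with `Export-Csv -Append`, while the dump directory holds the extracted modules and shellcode for the analyst.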

You can read more and download this tool over here: https://github.com/hasherezade/pe-sieve
