Pe Sieve

pe-sieve is a set of diagnostic tools for scanning Windows process memory to identify malicious implants, shellcode, and hooks. It functions as an in-memory implant detector, malware unpacker, and process callstack analyzer designed to locate and dump memory patches and injected code from running processes.

The project identifies advanced evasion techniques, such as process hollowing and reflective injection, by verifying portable executable structures in memory. It distinguishes itself by analyzing process callstacks to detect anomalies and redirections and by reconstructing executable headers and section alignments from raw memory dumps.

The toolset covers a broad range of forensic and analysis capabilities, including dynamic malware unpacking, signature-based implant identification, and the extraction of process artifacts for offline examination. These scanning and analysis functions are available through a programmatic interface for integration into other security applications.

Features

Injection Detection - Provides comprehensive scanning of process memory to identify unauthorized injected code, shellcode, and memory patches.

Malware Analysis - Scans running processes to detect injected shellcode, hooks, and malicious implants hidden in memory.

Implant Scanning - Implements scanning of running processes to report malicious implants via structured summary or JSON formats.

Process Memory Scanners - Detects injected code, shellcode, and hooks within running Windows processes by analyzing memory.

Callstack Anomaly Detection - Provides an engine to detect malicious activity by identifying anomalies and redirections within a process callstack.

In-Memory Implant Detectors - Locates and dumps malicious implants and memory patches from a target process.

Evasion Technique Detection - Identifies advanced evasion techniques including process hollowing and reflective injection by verifying PE structures in memory.

Forensic Artifact Extraction - Extracts raw segments of injected executables and shellcode from volatile memory for offline forensic examination.

Injection Heuristics - Identifies specific markers of process hollowing and reflective loading by comparing memory regions against disk images.

Process Callstack Analysis - Analyzes process callstacks to identify anomalies and detect potential malicious activity within a running process.

Process Callstack Analyzers - Detects malicious activity by identifying anomalies and redirections within a process callstack.

Windows PE Memory Analyzers - Identifies process hollowing and reflective injection by verifying Portable Executable structures in memory.

Injected Code Dumping - Extracts malicious implants, including injected executables and shellcodes, from a running process for further analysis.

Memory-Efficient Scanning - Directly maps target process memory to scan for injected code and shellcode patterns without relying on high-level APIs.

PE Header Reconstruction - Restores original executable headers and section alignments from raw memory dumps to create valid files for static analysis.

Binary Unpacking - Recovers the unpacked version of a malware sample by extracting original code from a running process.

Implant Signature Matching - Matches known malicious byte sequences and hook patterns against running process memory to detect implants.

Command Line Tools - Listed in the “Command Line Tools” section of the The Book Of Secret Knowledge awesome list.

Digital Forensics - Tool for detecting and dumping malicious code in memory.

hasherezadepe-sieve

Features

Star history