pe-sieve
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
Top Related Projects
A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
Program for determining types of files for Windows, Linux and MacOS.
Python module for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5. Can also be used with IDA Pro and Rekall to dump in-memory PE files and reconstruct imports.
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Quick Overview
PE-sieve is an open-source tool designed to scan running Windows processes for various types of modifications and potentially malicious implants. It can detect and dump modified PE files, inline hooks, and other suspicious changes in the memory of running processes, making it valuable for malware analysis and system integrity checking.
Pros
- Highly effective at detecting various types of process modifications and implants
- Lightweight and easy to use with both command-line and GUI interfaces
- Regularly updated and maintained, with active community support
- Can be integrated into other security tools and workflows
Cons
- Primarily focused on Windows systems, limiting its use on other platforms
- May produce false positives in some cases, requiring further analysis
- Advanced features may require deeper understanding of PE file structure and Windows internals
- Limited documentation for some of the more complex functionalities
Getting Started
To use PE-sieve, follow these steps:
- Download the latest release from the GitHub releases page.
- Extract the ZIP file to a directory of your choice.
- Open a command prompt and navigate to the directory containing pe-sieve.exe.
- Run PE-sieve with desired options. For example, to scan all processes:
pe-sieve.exe
To scan a specific process by its PID:
pe-sieve.exe /pid <PID>
For more advanced usage and options, refer to the PE-sieve Wiki on GitHub.
Competitor Comparisons
System Informer: A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
Pros of System Informer
- More comprehensive system monitoring and analysis capabilities
- User-friendly GUI for easier interaction and visualization
- Broader range of features beyond just process and memory analysis
Cons of System Informer
- Larger codebase and more complex, potentially harder to maintain
- May have higher system resource usage due to its extensive features
- Less focused on specific PE (Portable Executable) analysis compared to pe-sieve
Code Comparison
System Informer (C):
BOOLEAN PhInitializeWindowsSubsystem(
    VOID
    )
{
    HWND hwnd;
    hwnd = CreateWindowEx(0, L"Static", L"", WS_POPUP, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
    if (!hwnd) return FALSE;
    DestroyWindow(hwnd);
    return TRUE;
}
pe-sieve (C++):
bool is_target_managed(IN HANDLE processHandle, IN ULONGLONG modBaseAddr)
{
    BYTE hdr_buffer[peconv::MAX_HEADER_SIZE] = { 0 };
    if (!peconv::read_remote_pe_header(processHandle, (PBYTE)modBaseAddr, hdr_buffer, peconv::MAX_HEADER_SIZE)) {
        return false;
    }
    return peconv::is_dot_net(hdr_buffer);
}
Detect-It-Easy: Program for determining types of files for Windows, Linux and MacOS.
Pros of Detect-It-Easy
- More comprehensive file analysis capabilities, including support for various file formats beyond PE files
- User-friendly graphical interface, making it accessible to a wider range of users
- Extensible through scripting, allowing users to add custom detection rules
Cons of Detect-It-Easy
- Less focused on specific PE file analysis and malware detection compared to pe-sieve
- May have a steeper learning curve for users primarily interested in PE file analysis
- Potentially slower for large-scale automated scanning of PE files
Code Comparison
pe-sieve (C++):
bool is_target_managed(IN HANDLE processHandle, IN ULONGLONG modBaseAddr)
{
    BYTE hdr_buf[peconv::MAX_HEADER_SIZE] = { 0 };
    if (!peconv::read_remote_pe_header(processHandle, (PBYTE)modBaseAddr, hdr_buf, peconv::MAX_HEADER_SIZE)) {
        return false;
    }
    // the managed-code check itself: does the header carry a CLR runtime directory?
    return peconv::is_dot_net(hdr_buf);
}
Detect-It-Easy (JavaScript):
function detect(bShowType,bShowVersion,bShowOptions)
{
    if(PE.isNET())
    {
        sName="MS.NET";
        bDetected=1;
    }
    // ... (additional code for .NET detection)
}
Both projects offer valuable tools for analyzing executable files, with pe-sieve focusing more on in-depth PE file analysis and malware detection, while Detect-It-Easy provides a broader range of file analysis capabilities with a user-friendly interface.
pe_tree: Python module for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5. Can also be used with IDA Pro and Rekall to dump in-memory PE files and reconstruct imports.
Pros of pe_tree
- Provides a graphical user interface for visualizing PE file structures
- Supports integration with IDA Pro and Volatility for enhanced analysis
- Offers both standalone and plugin versions for flexibility
Cons of pe_tree
- Less focused on memory scanning compared to pe-sieve
- May have a steeper learning curve due to its GUI and integration features
- Not specifically designed for detecting in-memory malware
Code Comparison
pe_tree example:
tree = PETree()
tree.parse_pe(pe_file_path)
tree.display()
pe-sieve example:
PESieve::scan_options options = { 0 };
options.pid = pid_to_scan;
PESieve::scan(options);
Key Differences
- pe_tree focuses on visualization and analysis of PE files, while pe-sieve specializes in detecting and dumping malicious implants
- pe-sieve is primarily a command-line tool, whereas pe_tree offers a graphical interface
- pe_tree integrates with popular reverse engineering tools, while pe-sieve is more standalone and focused on memory scanning
Both tools serve different purposes in the realm of PE file analysis, with pe_tree excelling in visualization and integration, and pe-sieve specializing in memory scanning and malware detection.
FLARE-FLOSS: FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Pros of FLARE-FLOSS
- More comprehensive string extraction capabilities, including obfuscated strings
- Supports a wider range of file formats beyond PE files
- Includes additional analysis features like stack strings and tight loops
Cons of FLARE-FLOSS
- Slower performance compared to PE-sieve, especially for large files
- May produce more false positives due to its aggressive string extraction
Code Comparison
PE-sieve (C++):
bool PeSection::isExecutable()
{
    return (this->rawHeader.Characteristics & IMAGE_SCN_MEM_EXECUTE);
}
FLARE-FLOSS (Python):
def is_executable(self):
    return bool(self.characteristics & lief.PE.SECTION_CHARACTERISTICS.MEM_EXECUTE)
Both projects provide similar functionality for checking if a PE section is executable, but PE-sieve uses C++ while FLARE-FLOSS uses Python with the LIEF library.
PE-sieve focuses on detecting and dumping modified PE files, while FLARE-FLOSS specializes in extracting obfuscated strings from various file formats. PE-sieve is generally faster and more targeted, while FLARE-FLOSS offers broader analysis capabilities at the cost of performance.
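The two header checks shown in the comparisons above, `is_target_managed` (is there a CLR runtime header, i.e. is the module managed/.NET?) and `PeSection::isExecutable` (does a section's Characteristics carry IMAGE_SCN_MEM_EXECUTE?), both boil down to reading fields out of the PE headers that were copied from a scanned process. The following is an added example, not code from PE-sieve, libPEConv or any of the compared projects: it parses a header buffer by raw offsets so it runs on any platform, and it stands in for `peconv::read_remote_pe_header` with a constructed PE32+ header-only image (`build_sample_pe`, an assumption for the demo). Because a header read from a remote process may be truncated or deliberately malformed, every read is bounds-checked and a bad header yields -1 rather than a misread.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14      /* CLR runtime header directory */
#define IMAGE_SCN_MEM_EXECUTE               0x20000000u
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC       0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC       0x20b

/* Little-endian readers that refuse to touch bytes past `len`. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *out) {
    if (off + 2 > len) return 0;
    *out = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off + 4 > len) return 0;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* Offset of the "PE\0\0" signature, or 0 if the buffer is not a PE header. */
static size_t nt_offset(const uint8_t *b, size_t len) {
    uint32_t e_lfanew, sig;
    if (len < 0x40 || b[0] != 'M' || b[1] != 'Z') return 0;
    if (!rd32(b, len, 0x3C, &e_lfanew)) return 0;
    if (!rd32(b, len, e_lfanew, &sig) || sig != 0x00004550u) return 0;
    return e_lfanew;
}

/* 1 if the image has a CLR runtime header (managed/.NET), 0 if not,
 * -1 if the header is not parseable. Mirrors what is_target_managed decides. */
int pe_is_dot_net(const uint8_t *b, size_t len) {
    size_t nt = nt_offset(b, len), opt, dir_base, dir_off;
    uint16_t magic, opt_size;
    uint32_t n_dirs, va;
    if (!nt) return -1;
    opt = nt + 4 + 20;                                   /* after IMAGE_FILE_HEADER */
    if (!rd16(b, len, nt + 20, &opt_size)) return -1;    /* SizeOfOptionalHeader */
    if (!rd16(b, len, opt, &magic)) return -1;
    if (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) dir_base = opt + 112;  /* PE32+ data dirs */
    else if (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) dir_base = opt + 96; /* PE32 data dirs */
    else return -1;
    if (!rd32(b, len, dir_base - 4, &n_dirs)) return -1; /* NumberOfRvaAndSizes */
    if (n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) return 0; /* table too short: no CLR dir */
    dir_off = dir_base + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8;
    if (dir_off + 8 > opt + opt_size) return -1;         /* directory claims to exceed the header */
    if (!rd32(b, len, dir_off, &va)) return -1;
    return va != 0;
}

/* Number of sections whose Characteristics include IMAGE_SCN_MEM_EXECUTE,
 * the same test PeSection::isExecutable performs; -1 on a bad header. */
int pe_count_executable_sections(const uint8_t *b, size_t len) {
    size_t nt = nt_offset(b, len), sec;
    uint16_t n_sections, opt_size;
    int count = 0;
    if (!nt) return -1;
    if (!rd16(b, len, nt + 6, &n_sections)) return -1;   /* NumberOfSections */
    if (!rd16(b, len, nt + 20, &opt_size)) return -1;
    sec = nt + 24 + opt_size;                            /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < n_sections; i++, sec += 40) {
        uint32_t chars;
        if (!rd32(b, len, sec + 36, &chars)) return -1;  /* truncated section table */
        if (chars & IMAGE_SCN_MEM_EXECUTE) count++;
    }
    return count;
}

/* Constructed sample (not a real binary): a PE32+ header with .text (RX) and
 * .data (RW) sections and, when `managed` is set, a non-empty CLR directory. */
size_t build_sample_pe(uint8_t *buf, size_t cap, int managed) {
    size_t nt = 0x40, opt = nt + 24, sec = opt + 240, total = sec + 2 * 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)nt;                              /* e_lfanew */
    memcpy(buf + nt, "PE\0\0", 4);
    buf[nt + 4] = 0x64; buf[nt + 5] = 0x86;               /* Machine = AMD64 */
    buf[nt + 6] = 2;                                      /* NumberOfSections */
    buf[nt + 20] = 240;                                   /* SizeOfOptionalHeader */
    buf[opt] = 0x0B; buf[opt + 1] = 0x02;                 /* Magic = PE32+ */
    buf[opt + 108] = 16;                                  /* NumberOfRvaAndSizes */
    if (managed) {
        size_t d = opt + 112 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8;
        buf[d + 1] = 0x20;                                /* VirtualAddress = 0x2000 */
        buf[d + 4] = 0x48;                                /* Size = sizeof(IMAGE_COR20_HEADER) */
    }
    memcpy(buf + sec, ".text", 5);
    buf[sec + 36] = 0x20; buf[sec + 39] = 0x60;           /* 0x60000020: CODE|EXECUTE|READ */
    memcpy(buf + sec + 40, ".data", 5);
    buf[sec + 76] = 0x40; buf[sec + 79] = 0xC0;           /* 0xC0000040: INIT_DATA|READ|WRITE */
    return total;
}

int main(void) {
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, 1);
    printf("managed=%d exec_sections=%d\n", pe_is_dot_net(img, n), pe_count_executable_sections(img, n));
    n = build_sample_pe(img, sizeof img, 0);
    printf("managed=%d exec_sections=%d\n", pe_is_dot_net(img, n), pe_count_executable_sections(img, n));
    printf("truncated header -> %d\n", pe_is_dot_net(img, 0x50)); /* rejected, not guessed */
    return 0;
}
```

In PE-sieve the buffer would come from the target process's memory, so the same header can be mapped differently from the file on disk (which is exactly what the tool looks for); the managed check matters because .NET modules are JIT-compiled and produce executable memory that a scanner must treat differently from a native implant.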
README
Intro
PE-sieve is a tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. It recognizes and dumps a variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches.
Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.
PE-sieve is meant to be a light-weight engine dedicated to scanning a single process at a time. It can be built as an EXE or as a DLL. The DLL version exposes a simple API and can be easily integrated with other applications.
Uses library: libPEConv
Help
FAQ - Frequently Asked Questions
Read the Wiki
Do you have a question that was not included in the FAQ? Join the Discussions!
PE-sieve tools family
There are a few other tools that use PE-sieve as an engine but focus on specific use cases. They offer additional features and filters on top of its base.
HollowsHunter - if instead of scanning a single process you want to scan multiple processes at once, or even the full system, with PE-sieve, this is the tool for you
MalUnpack - offers quick unpacking of a supplied malware sample
Clone
Use recursive clone to get the repo together with the submodule:
git clone --recursive https://github.com/hasherezade/pe-sieve.git
Builds
Download the latest release, or read more.
Also available via Chocolatey
logo by Baran Pirinçal