Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
include [FEATURE] Allow to define output directory Nov 30, 2018
libpeconv @ 5181da0 Updated libpeconv Dec 14, 2018
logo [FEATURE] Improved multiple resolution icon (Issue #9) Apr 9, 2018
postprocessors [FEATURE] Create output directory recursively Dec 11, 2018
scanners [BUGFIX] Fixed invalid returned type Dec 17, 2018
utils [BUGFIX] In WorkingSet scan: break scanning the memory region if Access Dec 14, 2018
.appveyor.yml Update .appveyor.yml Nov 2, 2018
.gitmodules [NOBIN] Added libpeconv as a submodule Dec 29, 2017
CMakeLists.txt [REFACT] Moved resolving hook targets to: HookTargetResolver Dec 16, 2018
LICENSE [NOBIN] License: year up Jan 11, 2018 Update Nov 24, 2018
color_scheme.h [FEATURE] Inform about unknown parameter Dec 1, 2018
dll_main.cpp [REFACT] Grouped classes related to output processing as Dec 4, 2018
main.cpp [REFACT] On invalid parameter: in case if no param switch was used, Dec 14, 2018
main.def [BUGFIX] Added PESieve_version to exports definition Nov 24, 2018
pe_sieve.cpp [REFACT] Grouped classes related to output processing as Dec 4, 2018
pe_sieve.h [FEATURE] Report the name of the hook's target module Dec 16, 2018
pe_sieve_params_info.cpp [REFACT] Moved params info to separate files Nov 5, 2018
pe_sieve_params_info.h [REFACT] Moved params info to separate files Nov 5, 2018
resources.h [FEATURE] Added icon Apr 9, 2018
resources.rc [FEATURE] Added icon Apr 9, 2018


Build status License GitHub release Github All Releases Twitter URL

PE-sieve is a light-weight tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. Recognizes and dumps variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches.
Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.

uses library:


Use recursive clone to get the repo together with the submodule:

git clone --recursive

Latest builds*:

*those builds are available for testing and they may be ahead of the official release:

Read more:


logo by Baran Pirinçal