Skip to content

Releases: hasherezade/pe-sieve

v0.3.9

24 Feb 21:25
Compare
Choose a tag to compare

REFACT

  • Refactored to use a new pattern matching engine (SigFinder) for shellcode detection. Improved performance.

FEATURE

  • Added new parameter /pattern <file> allowing to supply custom signatures to be searched in memory. The format is defined by SigFinder and described in the relevant README. If pattern file was defined, a .tag file for the found patterns will be generated, with the extension .pattern.tag
  • New fields in the scan_report.json:
    • Save the PE-sieve version with which the scan was performed (scanner_version)
    • In workingset_scan section: added patterns section with information about found patterns:
      • total_matched (count of all patterns matched, including the hardcoded ones)
      • custom_matched (count of patterns matched from the set defined by the user in pattern file)
  • New fields in the dump_report.json:
    • If pattern.tag file was generated, the name of this file will be added in the pattern_tags_file field of the relevant module.

See also: HollowsHunter v0.3.9 & MalUnpack v0.9.9 with the latest PE-sieve

ps039

v0.3.8

09 Nov 18:10
Compare
Choose a tag to compare

FEATURE

  • New options for shellcode detection ( /shellc ):
    • detect by patterns (previous mode): available with /shellc P
    • detect by stats (new mode): available with /shellc S
    • possibility to mix both modes: options /shellc B (both) or /shellc A (any)
  • Detection of obfuscated memory regions ( /obfusc )
  • Caching of detected shellcodes (guarantee that the dumped shellcode is the same as detected shellcode - no second read)

See also: HollowsHunter v0.3.8 & MalUnpack v0.9.8 with the latest PE-sieve

038

v0.3.6

14 May 22:45
Compare
Choose a tag to compare

FEATURE

  • improved integration with other languages (Python, Golang: #112), improvements in the API
  • in ThreadScan: calculate the entropy of the detected area:
    • decreased number of false positives (filtering by entropy)
    • added a new section to the ThreadScanReport: stats
  • in dump report: set "is_shellcode" : 1 only if the code pattern was matched (to distinguish cases when i.e. the shellcode was encrypted and detected by thread scan)

BUGFIX

  • fixed a bug in libPEconv (buffer boundary check: cabdd46)
  • fixed crash if the output filter was set ( #113 - missing check if the dump report was generated )
  • fixed backward compatibility with Windows XP ( #42 )
  • decreased number of false positives when searching for PE files in non-executable memory

REFACT

  • faster search for code signatures: skip padding from the scan

See also: HollowsHunter v0.3.6 & MalUnpack v0.9.7 with the latest PE-sieve

pesieve_036

v0.3.5

06 Nov 14:43
Compare
Choose a tag to compare

📖 README.md

FEATURE

  • Added API function: PESieve_scan_ex - allowing to retrieve scan and dump JSON reports directly into the supplied memory buffer ( Issue #105 )
  • Allow to scan own workingset ( Issue #104 )
  • Added one more shellcode pattern ( Issue #108 )
  • Added version information to resources

BUGFIX

  • Fixed getting stuck on scanning for PE artifacts (in some rare cases)
  • Fixed checking mapped modules against the image on disk (fixed issue with the remote module not being copied)
  • Fixed false positive - MUI files detected as implanted, when using 32bit scanner on 64bit system (FS redirection issue)
  • Other small fixes

See also: HollowsHunter v0.3.5 & MalUnpack v0.9.6 with the latest PE-sieve

pesieve_035

v0.3.4

10 Feb 22:46
Compare
Choose a tag to compare

📖 README.md

FEATURE

  • In /mignore - removed buffer limit (Details: #99). WARNING: API change)
  • New param: /threads, enabling scan of the threads' callstack . This is another layer of shellcode detection, allowing to capture "sleeping beacons", and others, decrypted just before the execution. (Read more here)

034

See also: HollowsHunter v0.3.4 with the latest PE-sieve

v0.3.3

24 Jan 00:03
Compare
Choose a tag to compare

📖 README.md

BUGFIX

  • Fully redesigned IAT scan, providing much better precision (Issues: #98, #92, #77)
  • Fixed processing PEs with relocation table containing empty records (hasherezade/libpeconv#30)
  • Fixed false positives in some of the code scans

FEATURE

  • Added optional caching (Issue #94)
  • Improved auto-detection of import reconstruction mode (/imp A) : set R0, R1 modes depending on the sizes of found IATs of particular types
  • Do not exclude .NET modules from code scan. Improved filtering of the changes typical for .NET.
  • Changed reporting of IAT hooks to the format consistent with inline hooks reports ( more details here )

See also: HollowsHunter v0.3.3 & MalUnpack v0.9.1 with the latest PE-sieve

pesieve_033

v0.3.2

28 Dec 19:06
Compare
Choose a tag to compare

📖 README.md

BUGFIX

  • Fixed memory leak ( Issue #95 )
  • Trim invalid sections while reconstructing the payload ( Issue #96 )
  • Fixed overeager imports reconstruction ( Issue #97 )
  • Improved auto-detection of import reconstruction mode

FEATURE

  • Added new modes of import reconstruction (/imp) : R0-R2 : from restrictive to aggressive ( more info here )
  • Report if the process reflection was used in a scan
  • Automatically turn on /refl mode if scan of inaccessible data requested ( /data 4, /data 5)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.2

pesieve_screen

v0.3.1.3

12 Sep 08:22
Compare
Choose a tag to compare

📖 README.md

BUGFIX

  • Fixed invalid condition check on scanning data (Issue #93)
  • In imp rec auto mode (/imp 1): do not overwrite import table of .NET modules (it was destroying imports) (Issue #89)
  • Improved detection if a PE is in a virtual or raw mode - fixed an issue in dumping of some PEs
  • Improvements in code scan (Issue #15)
  • Improved reporting of unreachable modules

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1.3

v0.3.1

07 Sep 12:27
Compare
Choose a tag to compare

FEATURE

  • Changes in presenting application parameters. Refactored to use ParamKit library
  • Recognize Virtual Table hooks ( Issue #88 )

BUGFIX

  • Improve recognizing when to rebuild import table from scratch ( Issue #89 )
  • Improve detecting when to realign the payload ( Issue #90 )
  • Do not include calls to own exports in the Import Table reconstruction ( Issue #91 )

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1

pesieve_031

v0.3.0

11 Aug 16:45
Compare
Choose a tag to compare

FEATURE

  • supported force-read of inaccessible pages (PAGE_NOACCESS) when running in the reflection mode (/refl):
    • automatic if the inaccessible page is within the PE module
    • on-demand if the inaccessible page is somewhere else in the workingset (depending on the selected /data mode)
  • added more options for scanning non-executable pages (/data)
  • added one more mode of IAT hooks scan (/iat), allowing to filter out hooks that lead to any system DLL
  • in hook resolving function: recognize and parse one more jump type
  • in shellcode detection: added one more pattern

BUGFIX

  • Fixed error in printing JSON reports of some of the scan types (missing headers)

REFACT

  • refactoring and optimization of the function resolving hooks
  • removed not needed flags for process reflection creation (optimization)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.0