
FEATURE

  • Path of each suspicious module added to the JSON report

BUGFIX

  • Fixed an error in searching a partially erased Import Table (#35)
  • Reduced false positives in searching patches: the loader writes its own CFG check routine into GuardCFCheckFunctionPointer at load time, so that change is no longer reported as a patch (#27)
  • Fixed a bug causing some of the implants not to be dumped (error in calculating the size of the implanted PE)

@hasherezade released this Mar 15, 2019 · 12 commits to master since this release

FEATURE

  • Search for the IAT and the Import Table by their artefacts, and save the recovered RVAs into the Data Directory (Issue #31)
  • Improved payload recovery: shift the headers of an implanted payload if needed (Issue #32)
  • Improved payload recovery: improved validation and fixing of a corrupt PE header (Issue #33)

BUGFIX

  • Fixed crashing during the scan of payloads with malformed headers (#29, #28)
  • Fixed reading memory areas that have inaccessible pages in between
  • Validate every implanted payload before dumping it
  • Exit with an error only if both the module scan and the working-set scan failed (#30)

@hasherezade released this Dec 18, 2018 · 58 commits to master since this release

PE-sieve 0.1.6

FEATURE

  • Identify the hook target: report the module that the hook leads to (#23)
  • Added an option to set the root directory for the dumps (option /dir)
  • Sections that are fully unpacked in memory are reported differently from patched ones (#22)
  • Inform if an invalid parameter was supplied

BUGFIX

  • fixed crashing on some malformed samples (#21, #24)
  • fixed inaccuracies in import recovery
  • fixed an error in the detection of PE artefacts (#25)
  • fixed the information displayed when access to a process was denied (now more relevant)

@hasherezade released this Nov 5, 2018 · 119 commits to master since this release

FEATURE

  • various modes of payload dumping (virtual, raw, remapped)
  • automatic detection of a dump mode that is the most suitable for the payload/packer type, enabling more accurate reconstruction of payloads
  • cleaner interface: grouped displayed parameters

BUGFIX

  • fixed the JSON report (the number of sections should be displayed as decimal)
  • fixed the non-working output mode 'report only': it was neither creating the dump directory nor saving the reports
  • fixed inaccurate detection of section headers (in the artefacts scan)

@hasherezade released this Sep 8, 2018 · 160 commits to master since this release

BUGFIX

  • fixed missing detection of some of the manually loaded implants

@hasherezade released this Aug 18, 2018 · 167 commits to master since this release

Faster & more accurate

REFACTORING & OPTIMIZATION

  • refactored workingset scan to improve performance
  • refactored code scan to improve accuracy of detecting hooks & patches

FEATURE

  • reconstructing payloads with partially corrupt headers
  • recognizing the payload's extension (dll or exe)
  • improved JSON formatting
  • scan all the sections that are executable in memory (even if they are not marked executable in headers) - improved detection and dumping of the packed sections
  • improved reporting of Process Doppelgänging

@hasherezade released this Jul 29, 2018 · 260 commits to master since this release

BUGFIX

  • Fixed NT paths conversion
  • Improved imports recovering

FEATURE

  • Added info on whether the suspicious module is a .NET module
  • Cleaned up the report (hidden unused fields)

@hasherezade released this May 3, 2018 · 279 commits to master since this release

BUGFIX

  • fixed the JSON report (unescaped backslashes, Issue #13)
  • fixed false positives in the mapping scan (when the name of the mapped file does not match the image file)
  • fixed duplicated reporting (a code section mistakenly detected as shellcode, Issue #12)

FEATURE

  • improved hook detection: parsing short jumps
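Added example, not part of these release notes and not PE-sieve's own code, showing the hook handling that the "parsing short jumps" item here and the "identify the hook target" item in the 0.1.6 notes describe: a code section is diffed against its on-disk copy, each run of modified bytes is decoded as a short (EB rel8) or near (E9 rel32) JMP, and the jump target is attributed to the module whose address range contains it. The section bytes, virtual addresses and module ranges are constructed for the example; indirect `jmp [rip+disp32]` (FF 25) hooks would need a memory read to resolve and are not handled.

```cpp
// Added example (not PE-sieve's own code): find patches in a code section by
// diffing it against the on-disk copy, decode short/near JMP hooks among them
// and attribute the jump target to a loaded module.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct ModuleRange {            // constructed stand-in for a loaded module
    std::string name;
    uint64_t base;
    uint64_t size;
};

struct PatchReport {
    size_t offset;              // first modified byte, relative to the section start
    size_t length;              // modified run, widened to the JMP length if one was decoded
    bool isJump;
    const char* kind;           // "jmp short", "jmp near" or "patch"
    uint64_t target;            // absolute VA the jump leads to (0 for a plain patch)
    std::string targetModule;   // module containing the target, "" if none matched
};

// Decode a JMP at code[0], which was read from virtual address codeVa.
// Handles EB rel8 (short) and E9 rel32 (near). Indirect jumps (FF 25) would
// need a memory read to resolve and are deliberately not handled.
static bool decodeJmp(const uint8_t* code, size_t len, uint64_t codeVa,
                      uint64_t& target, size_t& insnLen, const char*& kind)
{
    if (len >= 2 && code[0] == 0xEB) {
        int8_t rel = static_cast<int8_t>(code[1]);
        insnLen = 2;
        target = static_cast<uint64_t>(static_cast<int64_t>(codeVa) + 2 + rel);
        kind = "jmp short";
        return true;
    }
    if (len >= 5 && code[0] == 0xE9) {
        uint32_t u = static_cast<uint32_t>(code[1]) | (static_cast<uint32_t>(code[2]) << 8) |
                     (static_cast<uint32_t>(code[3]) << 16) | (static_cast<uint32_t>(code[4]) << 24);
        int32_t rel = static_cast<int32_t>(u);       // displacement is signed, little-endian
        insnLen = 5;
        target = static_cast<uint64_t>(static_cast<int64_t>(codeVa) + 5 + rel);
        kind = "jmp near";
        return true;
    }
    return false;
}

static std::string moduleOf(uint64_t va, const std::vector<ModuleRange>& modules)
{
    for (const auto& m : modules)
        if (va >= m.base && va < m.base + m.size) return m.name;
    return "";
}

// Diff the in-memory section against the on-disk copy. Every run of differing
// bytes is a patch; if the run starts with a JMP it is reported as a hook.
static std::vector<PatchReport> analyzeCodeSection(const std::vector<uint8_t>& onDisk,
                                                   const std::vector<uint8_t>& inMem,
                                                   uint64_t sectionVa,
                                                   const std::vector<ModuleRange>& modules)
{
    std::vector<PatchReport> out;
    const size_t n = std::min(onDisk.size(), inMem.size());
    size_t i = 0;
    while (i < n) {
        if (onDisk[i] == inMem[i]) { ++i; continue; }
        const size_t start = i;
        while (i < n && onDisk[i] != inMem[i]) ++i;
        PatchReport r{start, i - start, false, "patch", 0, ""};
        uint64_t target = 0; size_t insnLen = 0; const char* kind = nullptr;
        if (decodeJmp(&inMem[start], n - start, sectionVa + start, target, insnLen, kind)) {
            r.isJump = true; r.kind = kind; r.target = target;
            r.targetModule = moduleOf(target, modules);
            // a displacement byte may coincide with the original byte, so the
            // differing run can be shorter than the instruction: widen it
            if (insnLen > r.length) { r.length = insnLen; i = start + insnLen; }
        }
        out.push_back(r);
    }
    return out;
}

// Constructed sample: 16 bytes of a syscall stub as on disk, and the same bytes
// in memory with a near JMP written over the prologue and a short JMP at +8.
static std::vector<PatchReport> demoReports()
{
    const std::vector<uint8_t> onDisk = {0x4C,0x8B,0xD1, 0xB8,0x2C,0x00,0x00,0x00,
                                         0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01};
    const std::vector<uint8_t> inMem  = {0xE9,0x2F,0x02,0x00,0x10,0x00,0x00,0x00,
                                         0xEB,0x06,0x25,0x08,0x03,0xFE,0x7F,0x01};
    const uint64_t sectionVa = 0x7FF800001000ULL;               // constructed
    const std::vector<ModuleRange> modules = {                  // constructed
        {"ntdll.dll",   0x7FF800000000ULL, 0x200000},
        {"hooking.dll", 0x7FF810000000ULL, 0x10000},
    };
    return analyzeCodeSection(onDisk, inMem, sectionVa, modules);
}

int main()
{
    for (const auto& r : demoReports())
        std::printf("+0x%zx len=%zu %s target=0x%llx module=%s\n", r.offset, r.length, r.kind,
                    static_cast<unsigned long long>(r.target),
                    r.targetModule.empty() ? "<none>" : r.targetModule.c_str());
    return 0;
}
```

The near JMP at +0 resolves into hooking.dll, the short JMP at +8 lands 16 bytes further inside the same module, which is the difference between a hook that leaves the module and an in-module trampoline that a report should make visible.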
Pre-release

@hasherezade released this Apr 12, 2018 · 307 commits to master since this release

BUGFIX

  • fixed bug in parsing paths in format \\?\[...]

FEATURES

  • more detailed detection of Process Doppelgänging: checking if the mapped image matches the module image
  • more detailed info about hooks: reporting the name of the hooked function
  • added shellcode detection and dumping (can be enabled by a parameter)
  • added icon and changed theme
  • added backward compatibility with older versions of Windows (including Windows XP 32bit)
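Added example, not part of these release notes and not PE-sieve's own code, for the path handling behind the `\\?\[...]` fix above, the "NT paths conversion" fix in the Jul 29 release and the "mapped image matches the module image" check: the name of the file mapped at a module's base comes back in NT device form (as from GetMappedFileName), the module path may carry a `\\?\` or `\??\` prefix, and Windows paths are case-insensitive, so comparing them raw produces false mismatches. The device-to-drive map below is constructed for the example; on a live system it would be built from QueryDosDevice.

```cpp
// Added example (not PE-sieve's own code): bring the path forms met when
// comparing a module's image path with the file mapped at its base to one
// shape, so that the comparison does not fail on a prefix or a device name.
#include <cctype>
#include <cstdio>
#include <map>
#include <string>

// NT device name -> drive letter. Constructed stand-in for what QueryDosDevice
// would return on a real machine.
using DeviceMap = std::map<std::string, std::string>;

static DeviceMap sampleDevices()
{
    return {{"\\Device\\HarddiskVolume1",  "D:"},
            {"\\Device\\HarddiskVolume10", "E:"},
            {"\\Device\\HarddiskVolume3",  "C:"}};
}

static bool startsWith(const std::string& s, const std::string& prefix)
{
    return s.size() >= prefix.size() && s.compare(0, prefix.size(), prefix) == 0;
}

// Normalise:
//   \\?\C:\dir\x.dll                  -> C:\dir\x.dll
//   \??\C:\dir\x.dll                  -> C:\dir\x.dll
//   \\?\UNC\server\share\x.dll        -> \\server\share\x.dll
//   \Device\HarddiskVolume3\dir\x.dll -> C:\dir\x.dll   (via the device map)
// Anything else is returned unchanged.
static std::string normalizePath(std::string path, const DeviceMap& devices)
{
    if (startsWith(path, "\\\\?\\") || startsWith(path, "\\??\\"))
        path.erase(0, 4);
    if (startsWith(path, "UNC\\"))                 // was \\?\UNC\server\share
        path = "\\" + path.substr(3);
    for (const auto& d : devices) {
        const std::string& dev = d.first;
        // the next character must end the device name, so that
        // \Device\HarddiskVolume1 does not swallow \Device\HarddiskVolume10
        if (startsWith(path, dev) && (path.size() == dev.size() || path[dev.size()] == '\\'))
            return d.second + path.substr(dev.size());
    }
    return path;
}

static std::string lowerAscii(std::string s)
{
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Windows paths are case-insensitive, so compare the normalised forms folded.
static bool samePath(const std::string& a, const std::string& b, const DeviceMap& devices)
{
    return lowerAscii(normalizePath(a, devices)) == lowerAscii(normalizePath(b, devices));
}

int main()
{
    const DeviceMap devices = sampleDevices();
    const char* samples[] = {                       // constructed inputs
        "\\\\?\\C:\\Windows\\System32\\ntdll.dll",
        "\\??\\C:\\Windows\\System32\\ntdll.dll",
        "\\Device\\HarddiskVolume3\\Windows\\System32\\ntdll.dll",
        "\\Device\\HarddiskVolume10\\payload.dll",
        "\\\\?\\UNC\\srv\\share\\x.dll",
    };
    for (const char* s : samples)
        std::printf("%-55s -> %s\n", s, normalizePath(s, devices).c_str());
    std::printf("mapped image matches module image: %s\n",
                samePath("\\Device\\HarddiskVolume3\\WINDOWS\\system32\\NTDLL.DLL",
                         "C:\\Windows\\System32\\ntdll.dll", devices) ? "yes" : "no");
    return 0;
}
```

An unknown device name is left untouched rather than guessed, so a mismatch is still reported for it; that is the safer failure for a detection that is meant to flag a mapped file which differs from the module's image.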
Pre-release

@hasherezade released this Mar 25, 2018 · 371 commits to master since this release

BUGFIX

  • fixed application crashing on the attempt to recover imports of files with corrupt import table
  • fixed inaccurate parsing of some of the hooks
  • fixed false positives on the scan of mapped memory regions

OPTIMIZATION

  • redesigned the workingset scan in order to boost performance and accuracy: now it works about 5-6 times faster than before

FEATURE

  • print the path of the main module in the scan report (JSON)
  • more accurate import recovery: imports can now be recovered even when the DLL name was completely erased