
@hasherezade hasherezade released this Sep 12, 2021

📖 README.md

BUGFIX

  • Fixed an invalid condition check when scanning data (Issue #93)
  • In import reconstruction auto mode (/imp 1): do not overwrite the import table of .NET modules (it was destroying their imports) (Issue #89)
  • Improved detection of whether a PE is in virtual or raw mode; fixes an issue in dumping some PEs
  • Improvements in the code scan (Issue #15)
  • Improved reporting of unreachable modules

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1.3


@hasherezade hasherezade released this Sep 7, 2021

FEATURE

  • Changes in how application parameters are presented; refactored to use the ParamKit library
  • Recognize Virtual Table hooks (Issue #88)

BUGFIX

  • Improved recognition of when the import table must be rebuilt from scratch (Issue #89)
  • Improved detection of when the payload must be realigned (Issue #90)
  • Do not include calls to the module's own exports in the Import Table reconstruction (Issue #91)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1

pesieve_031


@hasherezade hasherezade released this Aug 11, 2021

FEATURE

  • Added forced reading of inaccessible pages (PAGE_NOACCESS) when running in reflection mode (/refl):
    • automatically, if the inaccessible page is within the PE module
    • on demand, if the inaccessible page is elsewhere in the working set (depending on the selected /data mode)
  • Added more options for scanning non-executable pages (/data)
  • Added one more mode of the IAT hooks scan (/iat), which filters out hooks that lead to any system DLL
  • In the hook resolving function: recognize and parse one more jump type
  • In shellcode detection: added one more pattern

BUGFIX

  • Fixed an error in printing JSON reports for some of the scan types (missing headers)

REFACT

  • Refactored and optimized the function that resolves hooks
  • Removed unneeded flags from process reflection creation (optimization)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.0


@hasherezade hasherezade released this Jun 27, 2021

pesieve298

FEATURE

  • Added a new pattern for detecting 64-bit shellcodes
  • Added return codes that report the result of the run
  • Removed an unused parameter: /mfilter
  • In JSON: added an indicator of whether the replaced module was linked to the PEB

BUGFIX

  • Fixed an error in dumping some PEs (caused by an invalid ImageSize calculation: Issue #85)

@hasherezade hasherezade released this May 8, 2021

FEATURE

  • In JSON: report the size of the patch and the status as decimal (rather than hexadecimal)

BUGFIX

  • Fixed a crash when processing a malformed export table (Issue #84)

@hasherezade hasherezade released this Apr 30, 2021

FEATURE

  • Improved parameter accessibility: grouped into more categories and sorted
  • Display hints for misspelled parameters
  • Added the jlvl parameter, which regulates the level of detail included in the JSON report and allows hooks/patches to be listed in the scan_report
  • Improved hook parsing: identify hooks created by replacing the target of an existing JMP/CALL

BUGFIX

  • Improved reading of remote memory (fixed a bug that caused PE-sieve to get stuck in some cases when reading inaccessible memory)
  • Do not include the initial protection in the check of memory access rights

@hasherezade hasherezade released this Oct 16, 2020

FEATURE

  • In the DLL: use the __cdecl calling convention (instead of __stdcall)
  • If scanning data is enabled (/data parameter), also scan for hooks in sections marked as non-executable (if they contain code patterns)
  • Added a count of the sections scanned for patches to the report

BUGFIX

  • Fixed a bug in detecting the section containing the Entry Point (affecting unpacking of some packers, such as ASPack; Issue #73)
  • Fixed a bug in libPEconv: do not treat empty relocation blocks as invalid

REFACT

  • Some internal cleanup and refactoring

@hasherezade hasherezade released this Jul 28, 2020

BUGFIX

  • Fixed an error in scanning the working set of some applications (Issue #68)

@hasherezade hasherezade released this Jul 21, 2020

BUGFIX

  • Fixed broken detection of ASProtect (Issue #66)
  • Fixed broken parsing of a hexadecimal PID (Issue #65)
  • Fixed errors in the code scan (caused by an invalid relocation table check)
  • Do not assume that section 0 is always executable
  • Fixed a bug in scanning 64-bit modules with the 32-bit scanner

FEATURE

  • Added one more pattern to detect 64-bit code

REFACT

  • Refactored the identification of executable sections

@hasherezade hasherezade released this Jul 16, 2020

BUGFIX

  • Fixed a hang during the IAT scan of some PEs
  • Fixed an error in converting paths from the /Device/ format
  • Fixed the summary not listing the results of the mapping scan

FEATURE

  • Added one more .NET policy (in the /dnet parameter)
  • In the summary: renamed detached to unreachable_file