PE-sieve, a command line tool for investigating inline hooks
PE-sieve is a small tool for investigating inline hooks and other in-memory code patches, developed by hasherezade.
The tool, built on libpeconv (also developed by hasherezade), scans a given process, searching for modules whose code has been modified in memory. When it finds one, it dumps the modified PE to disk.
Currently PE-sieve can detect inline hooks, hollowed processes and Process Doppelgänging.
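The core of an inline-hook scan is comparing a module's code section as it sits in the process against the same section from the on-disk file, and reporting every run of bytes that differs. The script below is an added illustration of that step written for this page; it is not PE-sieve's own code. It assumes the caller has already read both copies of the section (PE-sieve maps the on-disk PE with libpeconv and applies relocations first, so that relocated pointers do not show up as false patches), and it recognises the most common hook shape, a 5-byte x86 JMP rel32 written over a function prologue, resolving the jump target so the report says where execution is diverted. The sample section bytes at the bottom are constructed for the demonstration.

```python
# Added example (not PE-sieve's code): locate in-memory patches in a code
# section by comparing the bytes the process has mapped against the bytes of
# the same section in the on-disk PE, the way an inline-hook scanner does.
# Assumptions: both buffers cover the same section, the on-disk copy has
# already been mapped and relocated by the caller, and the code is x86/x64.
from dataclasses import dataclass
from typing import List, Optional, Tuple

JMP_REL32 = 0xE9  # opcode of the 5-byte relative jump that most inline hooks install


@dataclass
class Patch:
    rva: int                 # RVA (module-relative) of the first modified byte
    original: bytes          # bytes from the on-disk image
    modified: bytes          # bytes currently in the process
    jmp_target_rva: Optional[int] = None  # filled in when the patch starts with JMP rel32

    @property
    def size(self) -> int:
        return len(self.modified)


def find_patches(on_disk: bytes, in_memory: bytes, section_rva: int) -> List[Patch]:
    """Return every run of bytes that differs between the two copies of the section."""
    if len(on_disk) != len(in_memory):
        raise ValueError("both buffers must cover the same section with the same size")
    patches: List[Patch] = []
    n, i = len(on_disk), 0
    while i < n:
        if on_disk[i] == in_memory[i]:
            i += 1
            continue
        start = i
        while i < n and on_disk[i] != in_memory[i]:
            i += 1
        end = i
        target = None
        if in_memory[start] == JMP_REL32 and start + 5 <= n:
            # A byte of the rel32 displacement may coincide with the original byte,
            # so always take the full 5-byte instruction as one patch.
            end = max(end, start + 5)
            rel32 = int.from_bytes(in_memory[start + 1:start + 5], "little", signed=True)
            target = section_rva + start + 5 + rel32  # jump target relative to module base
        patches.append(Patch(section_rva + start, on_disk[start:end], in_memory[start:end], target))
        i = end
    return patches


def describe(patches: List[Patch]) -> List[str]:
    """One human-readable line per patch, in the spirit of a scanner's report."""
    lines = []
    for p in patches:
        kind = "inline hook (JMP rel32)" if p.jmp_target_rva is not None else "byte patch"
        line = f"RVA {p.rva:#x}: {kind}, {p.size} byte(s), {p.original.hex()} -> {p.modified.hex()}"
        if p.jmp_target_rva is not None:
            line += f", jumps to RVA {p.jmp_target_rva:#x}"
        lines.append(line)
    return lines


def build_sample() -> Tuple[bytes, bytes, int]:
    """Constructed sample: a 64-byte .text section at RVA 0x1000 and a patched copy of it."""
    section_rva = 0x1000
    on_disk = bytearray(b"\x90" * 64)                 # NOP filler
    on_disk[0x10:0x15] = b"\x8b\xff\x55\x8b\xec"      # mov edi,edi / push ebp / mov ebp,esp
    on_disk[0x30:0x32] = b"\x74\x05"                  # je +5
    in_memory = bytearray(on_disk)
    in_memory[0x10:0x15] = b"\xe9\xeb\x3f\x00\x00"    # JMP rel32 over the prologue, target RVA 0x5000
    in_memory[0x30] = 0xEB                            # je turned into an unconditional jmp
    return bytes(on_disk), bytes(in_memory), section_rva


if __name__ == "__main__":
    disk, mem, rva = build_sample()
    for line in describe(find_patches(disk, mem, rva)):
        print(line)
```

Running it reports two findings: a 5-byte inline hook at RVA 0x1010 whose jump lands at RVA 0x5000, and a single-byte patch at RVA 0x1030 where a conditional jump was turned unconditional. A real scanner such as PE-sieve adds what this example leaves out: walking every loaded module, handling the import table and relocations so legitimate differences are not reported, and dumping the patched module for further analysis.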
Installation
In order to compile PE-sieve (using CMake), you need to clone the git repositories of both PE-sieve and libpeconv:
git clone https://github.com/hasherezade/pe-sieve.git
cd pe-sieve
git clone https://github.com/hasherezade/libpeconv.git
However, the author has also released compiled versions of the tool:
Usage
When run without parameters, it displays the version and the required arguments:
.______    _______           _______. __   ___________    ____  _______
|   _  \  |   ____|         /       ||  | |   ____\   \  /   / |   ____|
|  |_)  | |  |__     ______|   (----`|  | |  |__   \   \/   /  |  |__
|   ___/  |   __|   |______|\   \    |  | |   __|   \      /   |   __|
|  |      |  |____          .----)   |  | |  |____   \    /    |  |____
| _|      |_______|         |_______/ |__| |_______|  \__/     |_______|
version: 0.0.8.3 (x86)
~ from hasherezade with love ~
Detects inline hooks and other in-memory PE modifications
---
Args:
PID: (decimal) PID of the target application
---
Press any key to continue . . .
Below are some videos of use cases:
Detecting hollowed processes
https://www.youtube.com/watch?v=lqWJaaofNf4
Detecting Process Doppelgänging
https://www.youtube.com/watch?v=T9pWqYGHqLM