REFACT
FEATURE
- /pattern <file>, allowing to supply custom signatures to be searched for in memory. The format is defined by SigFinder and described in the relevant README. If a pattern file was defined, a .tag file for the found patterns will be generated, with the extension .pattern.tag
- scan_report.json:
  - scanner_version
  - workingset_scan section: added patterns section with information about found patterns: total_matched (count of all patterns matched, including the hardcoded ones), custom_matched (count of patterns matched from the set defined by the user in the pattern file)
- dump_report.json: if a pattern.tag file was generated, the name of this file will be added in the pattern_tags_file field of the relevant module.
See also: HollowsHunter v0.3.9 & MalUnpack v0.9.9 with the latest PE-sieve
FEATURE
- /shellc: /shellc P, /shellc S, /shellc B (both) or /shellc A (any)
- /obfusc
See also: HollowsHunter v0.3.8 & MalUnpack v0.9.8 with the latest PE-sieve
FEATURE
- stats
- "is_shellcode" : 1 only if the code pattern was matched (to distinguish cases when e.g. the shellcode was encrypted and detected by the thread scan)
BUGFIX
REFACT
See also: HollowsHunter v0.3.6 & MalUnpack v0.9.7 with the latest PE-sieve
Published by hasherezade almost 2 years ago
FEATURE
- PESieve_scan_ex - allowing to retrieve scan and dump JSON reports directly into the supplied memory buffer (Issue #105)
BUGFIX
See also: HollowsHunter v0.3.5 & MalUnpack v0.9.6 with the latest PE-sieve
FEATURE
- /mignore - removed buffer limit (Details: https://github.com/hasherezade/pe-sieve/pull/99). WARNING: API change
- /threads, enabling scan of the threads' callstack. This is another layer of shellcode detection, allowing to capture "sleeping beacons", and others, decrypted just before the execution. (Read more here)
See also: HollowsHunter v0.3.4 with the latest PE-sieve
BUGFIX
FEATURE
- /imp A: set R0, R1 modes depending on the sizes of found IATs of particular types
See also: HollowsHunter v0.3.3 & MalUnpack v0.9.1 with the latest PE-sieve
BUGFIX
FEATURE
- /imp: R0-R2: from restrictive to aggressive (more info here)
- /refl mode if scan of inaccessible data requested (/data 4, /data 5)
See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.2
Published by hasherezade about 3 years ago
BUGFIX
- /imp 1: do not overwrite import table of .NET modules (it was destroying imports) (Issue #89)
See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1.3
FEATURE
BUGFIX
See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1
FEATURE
- PAGE_NOACCESS when running in the reflection mode (/refl):
  - /data mode
  - /data
- /iat, allowing to filter out hooks that lead to any system DLL
BUGFIX
REFACT
See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.0
FEATURE
- /mfilter
BUGFIX
FEATURE
- jlvl, allowing to regulate the level of details included in the JSON report. Allow to list hooks/patches in the scan_report.
BUGFIX
FEATURE
- __cdecl calling convention (instead of __stdcall)
- /data parameter: scan for hooks also in the sections that are marked as non-executable (if they contain code patterns)
BUGFIX
REFACT
Published by hasherezade about 4 years ago
BUGFIX
Published by hasherezade about 4 years ago
BUGFIX
FEATURE
REFACT
Published by hasherezade over 4 years ago
BUGFIX
- /Device/ format
FEATURE
- /dnet parameter
- detached to unreachable_file
Published by hasherezade over 4 years ago
FEATURE
- /<parameter> ?
- /data parameter
- /dnet, allowing to enable treating .NET modules differently than native ones
- PEsieve_version implemented as a constant
BUGFIX
- If /refl is chosen, the process reflection should be used for both scan and dump
- /mfilter
REFACT
FEATURE
- /refl, allowing to make a process reflection before scanning
BUGFIX
REFACT