Bot releases are hidden (Show)
FEATURE
- New parameter:
/iatallowing to scan for IAT Hooking (Issue #57) - Report about functions that could not be recovered (in case of import fixing)
BUGFIX
- Silence out (more) logs in the
quietmode - Updated libPeConv with bugfixes
- Do not start scanning if info requested (params:
/versionor/help) - Fixed JSON format in
dump_report.json(removed redundant comma)
FEATURE
- Added dump reports (
dump_report.json) - Renamed scan report (from
report.jsontoscan_report.json) - Added parameter:
/mignore <modules>- to exclude defined list of modules form the scan
BUGFIX
- Fixed bug in libPeConv causing incomplete import recovery
- Added more patterns to recognize shellcodes
- Fixed false positive in path comparison (expand relative paths before comparing)
- Silence out logs in the
quietmode
Internal refactoring.
FEATURE
- Detect Module Overloading (Issue #47 )
- Allow for supplying PID in a hexadecimal form (Issue #49)
- In a report: present the allocation type in form of a string (i.e. "MEM_IMAGE") instead of number
BUGFIX
- Added fixing Entry Points of .NET modules (Issue #48 )
- Fixed a bug causing false positives during patches detection (invalid identification of non-executable sections as executable)
- Fixed a bug causing not dumping of some of the detected modules (invalid offset calculation during dump: Issue #45)
- Improved detection of PEs embedded in a shellcode (Issue #44 )
- More precise validation of found PE artefacts
FEATURE
- Create a MiniDump for a process detected as suspicious (option
/minidmp) (Issue #43) - Support Linux-style parameter switch ( i.e.
-shellcas an equivalent of/shellc) (Issue #40)
BUGFIX
- Restored broken backward compatibility with Windows XP (Issue #42)
FEATURE
- Report about PEs with modified headers separately (do not treat them as replaced). Show details about what part of the PE header was modified.
BUGFIX
- Fixed: imports for remapped modules were not rebuilded.
- Fixed: imports for 64bit shellcodes were not recognized. (The shellcode bitness should be recognized before searching its imports.)
- Improved accuracy of searching beginning of the implanted module
- Fixed: invalid limits for workingset scan (causing the highest pages remaining unscanned)
- Fixed: unneccessery changes in the alignments of the implanted PE (Issue #39)
pe-sieve
- v0.2.1
Published by hasherezade over 5 years ago
BUGFIX
- Fixed a bug in libpeconv causing crashes during import recovery
- Added missing boundary check during searching PE artefacts
- Detect sections that are non-executable in the header, but set executable during execution (Issue #36)
- Do not try to recover Import Table, if the detected PE is in a raw format
FEATURE
- Improved accuracy in rebuilding Import Table (split IAT series that cannot be covered as a whole)
- Scan non-executable memory pages if DEP for the process is disabled. The feature is enabled by paramerer
/data. (Issue #37)
FEATURE
- More flexibility in reconstruction of Import Table (added new options to the
/impparameter)- Including: reconstructing Import Table from the scratch (Issue #34)
- Import reconstruction can be applied on all the detected PEs (not only on the implanted ones)
- Reconstructing partially overwritten sections characteristics in the implanted PE
- Dumping PE implants that could not be reconstructed with an extension
.corrupt_dll/corrupt_exe - Added build date to the banner
REFACTORING
- Refactored PE dumping and import recovery
FEATURE
- Path of each suspicious module added to the JSON report
BUGFIX
- Fixed error in searching partially erased Import Table (#35)
- Reduced false positives in searching patches (filtered out the patch at GuardCFCheckFunctionPointer: #27)
- Fixed bug causing some of the implants not to dump (error in calculating size of the implanted PE)
pe-sieve
- v0.1.7
Published by hasherezade over 5 years ago
FEATURE
- Search IAT and import table by artefacts (save RVAs in the Data Directory) (Issue #31)
- Improved payload recovery: shift the headers of implanted payload if needed (Issue #32)
- Improved payload recovery: improved validating and fixing corrupt PE header (Issue #33)
BUGFIX
- Fixed crashing during scan of payloads with malformed headers (#29, #28)
- Fixed reading memory areas with inaccessible pages in between
- Validate every implanted payload before dump
- End with an error only if scanning of modules and of workingset both failed (https://github.com/hasherezade/pe-sieve/pull/30)
FEATURE
- Identify the hook target: report what is the module where the hook leads to (#23)
- Add a possibility to set the root directory of the dumps (option
/dir) - Sections that are fully unpacked in memory are reported differently than patched (#22)
- Inform if invalid parameter was supplied
BUGFIX
- fixed crashing on some malformed samples (#21, #24)
- fixed inaccuracies in import recovery
- fixed an error in detection of PE artefacts (#25)
- fixed information displayed when the access to a process was denied (more relevant information)
FEATURE
- various modes of payload dumping (virtual, raw, remapped)
- automatic detection of a dump mode that is the most suitable for the payload/packer type, enabling more accurate reconstruction of payloads
- cleaner interface: grouped displayed parameters
BUGFIX
- fixed JSON report (sections number should be displayed as decimal)
- fixed not working output mode 'report only' - it was not creating the dump directory and not saving the reports
- fixed inaccurate in detection of sections' headers (in artefacts scan)
pe-sieve
- v0.1.4
Published by hasherezade about 6 years ago
Faster & more accurate
REFACTORING & OPTIMIZATION
- refactored workingset scan to improve performance
- refactored code scan to improve accuracy of detecting hooks & patches
FEATURE
- reconstructing payloads with partially corrupt headers
- recognizing the payload's extension (dll or exe)
- improved JSON formatting
- scan all the sections that are executable in memory (even if they are not marked executable in headers) - improved detection and dumping of the packed sections
- improved reporting of Process Doppelgänging
BUGFIX
- fixed JSON report (unescaped backslashes - Issue #13 )
- fixed false positives in mapping scan (when the name of the mapped file does not match the image file)
- fixed duplicated reporting (code section mistakenly detected as shellcode - Issue #12 )
FEATURE
- improved hook detection: parsing short jumps
BUGFIX
- fixed bug in parsing paths in format
\\?\[...]
FEATURES
- more detailed detection of Process Doppelganging: checking if the mapped image matches the module image
- more detailed info about hooks: reporting the name of the hooked function
- added shellcode detection and dumping (can be enabled by a parameter)
- added icon and changed theme
- added backward compatibility with older versions of Windows (including Windows XP 32bit)
pe-sieve
- v0.0.9.9.8
Published by hasherezade over 6 years ago
BUGFIX:
- fixed application crashing on the attempt to recover imports of files with corrupt import table
- fixed inaccurate parsing of some of the hooks
- fixed false positives on the scan of mapped memory regions
OPTIMIZATION
- redesigned the workingset scan in order to boost performance and accuracy: now it works about 5-6 times faster than before
FEATURE
- print the path of the main module in the scan report (JSON)
- more accurate imports recovery, i.e. supported recovering imports also in the cases when the DLL name was completely erased
BUGFIX:
- fixed false positives:
- headers scan: filtered out .NET modules
- working set scan: treat as suspicious only manually mapped modules that can be executed
FEATURES:
- improved precision of working set scan, including:
- detection of implanted PE files not aligned to the beginning of the memory page
- recognizing basic hooks and fetching their targets (information included in the .tag file)
Package Rankings
Top 4.53% on Proxy.golang.org
Badges
Extracted from project README
