PE-sieve is a light-weight tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis.
Recognizes and dumps a variety of implants within the scanned process, such as:
- replaced/injected PEs
- hooks, and other in-memory patches.
Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc. It can be used for dynamic malware unpacking (see examples here). PE-sieve works on Windows, the lowest supported version is XP.
PE-sieve scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE. When found, it dumps the modified PE. Currently, it detects inline hooks, hollowed processes, Process Doppelgänging etc. The tool is under rapid development, so expect frequent updates.
Detects inline hooks, hollowed processes etc.