### Example pattern tag file content Source: https://github.com/hasherezade/pe-sieve/wiki/4.11.-Detect-shellcode-by-custom-patterns-(pattern) An example showing the content of a .pattern.tag file. ```plaintext 16b0;Heavens_Gate1;c 1728;Heavens_Gate1;c 17b1;Heavens_Gate1;c ``` -------------------------------- ### Example TAG file content Source: https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches An example of a TAG file showing detected hooks for CreateWindowExW and CharUpperW. ```text ec7c;CreateWindowExW->402551[400000+2551:KeygenMe V7.exe:0];5 1e981;CharUpperW->4017be[400000+17be:KeygenMe V7.exe:0];5 ``` -------------------------------- ### Scan Report Example Source: https://github.com/hasherezade/pe-sieve/wiki/4.8.-Create-Process-Reflection-(refl) Example JSON snippet from a scan report indicating that reflection mode was used. ```json "used_reflection" : 1, ``` -------------------------------- ### Patterns file format - Example signature Source: https://github.com/hasherezade/pe-sieve/wiki/4.11.-Detect-shellcode-by-custom-patterns-(pattern) A complete example of a signature definition in the patterns file. ```plaintext Heavens_Gate1 12 6A 33 E8 00 00 00 00 83 ?? ?? 05 CB ``` -------------------------------- ### Testing Setup Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Enables testing and defines a basic test case to check if the application runs and outputs version information. ```cmake if (NOT PESIEVE_IS_STATIC) install(TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} ) # Setup testing if(PESIEVE_BUILD_TESTING) enable_testing() # 0) does the application run add_test (TestRuns ${CMAKE_INSTALL_PREFIX}/pe-sieve -?) set_tests_properties(TestRuns PROPERTIES PASS_REGULAR_EXPRESSION "Version:") endif() endif() ``` -------------------------------- ### Example of ignoring multiple modules Source: https://github.com/hasherezade/pe-sieve/wiki/4.6.-Ignore-modules-(mignore) An example demonstrating how to use the /mignore command to exclude multiple DLL files from the scan. ```shell /mignore clr.dll;ntdll.dll ``` -------------------------------- ### Patterns file format - Byte definition examples Source: https://github.com/hasherezade/pe-sieve/wiki/4.11.-Detect-shellcode-by-custom-patterns-(pattern) Examples of valid byte definitions within a pattern signature, including wildcard usage. ```plaintext 23 56 12 68 55 0? 34 12 40 ?? 4? 8? e? ``` -------------------------------- ### Example of a harmless hook detection Source: https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ This example shows how PE-sieve might report a hook, and how to interpret it as harmless by checking the target module. ```text 17be0;BaseThreadInitThunk->5a622e30[5a620000+2e30:mozglue.dll:0];5 ``` -------------------------------- ### Basic Demo of PESieve_scan_ex Source: https://github.com/hasherezade/pe-sieve/wiki/5.-API A C++ example demonstrating how to load the PE-sieve.dll, retrieve the PESieve_scan_ex function, set up parameters, perform a scan, and process the JSON report. ```cpp #include #include #include int main() { // Load PE-sieve.dll, and retrieve the function: HMODULE dll = LoadLibraryA("pe-sieve.dll"); FARPROC proc = GetProcAddress(dll, "PESieve_scan_ex"); if (!proc) { std::cout << "Loading function failed!\n"; return -1; } auto _PESieve_scan_ex = reinterpret_cast(proc); // Set up the scan parameters PEsieve_params pp = { 0 }; pp.pid = GetCurrentProcessId(); // scan current process pp.threads = true; pp.shellcode = pesieve::SHELLC_PATTERNS; pp.quiet = true; pp.results_filter = pesieve::SHOW_SUSPICIOUS; const PEsieve_rtype rtype = pesieve::REPORT_ALL; // Prepare the buffer for the output report const size_t buf_size = 0x1000; char json_buf[buf_size] = { 0 }; size_t needed_size = 0; // Perform the scan: PEsieve_report report = _PESieve_scan_ex(pp, rtype, json_buf, buf_size, &needed_size); if (needed_size > buf_size) { // The supplied buffer was too small to fit in the whole JSON report std::cout << "Couldn't retrieve the full buffer. Needed size: " << std::hex << needed_size << std::endl; } // Print the obtained report: std::cout << json_buf << "\n"; return 0; } ``` -------------------------------- ### Scan report - General Summary Example Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports An example of the general summary section of the scan report, detailing process information and detected anomalies across various modules. ```json { "pid" : 684, // PID of the process that was scanned "is_64_bit" : 1, // Flag indicating if the process was 64 bit: 1 if true, 0 if false "is_managed" : 0, // Flag indicating if the process was managed (.NET) : 1 if true (.NET process) , 0 if false (native process) "main_image_path" : "", // The path of the main image (from PEB). If empty, it often indicates process Doppelgänging. "used_reflection" : 0, // Flag indicating if the scan was performed on the raw process, or on process reflection "scanned" : { "total" : 48, // total count of scanned modules "skipped" : 0, // count of modules excluded from the scan, for example: // excluded on demand by the parameter: /mignore "modified" : // list of all the modules in which any of the suspicious indicators were detected { "total" : 2, // total count of modules detected as suspicious "patched" : 0, // count of modules detected as patched (possible inline hooks or other code modifications) "iat_hooked" : 0, // count of modules where IAT hooks were detected "replaced" : 1, // count of hollowed/replaced modules "hdr_modified" : 0, //count of modules with PE headers modified (but without modifications typical for replaced modules) "implanted_pe" : 0, // count of manually mapped PEs (not associated with any PE file on the disk) "implanted_shc" : 0, // count of sections with code mapped outside of any PE (shellcodes, JITs) "unreachable_file" : 0, // count of modules that were associated with a PE file on the disk, but // this file was deleted or inaccessible "other" : 1 // any additional indicators - such as // inconsistency between the path of mapped module and corresponding path set in the PEB }, "errors" : 0 // count of inconclusive scans, interrupted by some errors }, [...] } ``` -------------------------------- ### Using custom patterns with PE-sieve Source: https://github.com/hasherezade/pe-sieve/wiki/4.11.-Detect-shellcode-by-custom-patterns-(pattern) Example of how to use the /pattern argument to specify a custom patterns file. ```bash pe-sieve.exe /pid 1243 /pattern my_patterns.txt ``` -------------------------------- ### Import Reconstruction Status JSON Example Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports An example of a JSON object detailing the status of import reconstruction, including file paths for reports and the result of the reconstruction process. ```json { "module" : "400000", "module_size" : "723000", "dump_file" : "400000.HxD.exe", "tags_file" : "400000.HxD.exe.tag", "imports_file" : "400000.HxD.exe.imports.txt", // The report of all the imports that were found by PE-sieve. "imp_rec_result" : "IMP_ALREADY_OK", // The import table was left as is - not overwritten. // This may happen depending on the mode in which the import reconstruction was requested. // If the autodetect mode was selected, PE-sieve will not overwrite the import table if a valid one was detected "imp_not_recovered_file" : "400000.HxD.exe.not_fixed_imports.txt", // There were some thunks that could not be resolved, and they have been stored in additional report. "dump_mode" : "UNMAPPED", "is_shellcode" : 0, "status" : 1 } ``` -------------------------------- ### Using custom patterns with hardcoded patterns Source: https://github.com/hasherezade/pe-sieve/wiki/4.11.-Detect-shellcode-by-custom-patterns-(pattern) Example of using both custom patterns and hardcoded patterns. ```bash pe-sieve.exe /pid 1243 /pattern my_patterns.txt /shellc P ``` -------------------------------- ### Example IAT Hook Report Entry Source: https://github.com/hasherezade/pe-sieve/wiki/4.7.-Scan-for-IAT-Hooks-(iat) An example of a PE-sieve report entry for a detected IAT hook, showing a patched MessageBoxW function. ```text 4068;[user32.MessageBoxW #533]->1000100c[10000000+100c:nagmenot.MBox #1:0] ``` -------------------------------- ### Scan report - Specific Scans Example Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports An example of the 'scans' array within the scan report, showing detailed findings from specific scan types like mapping_scan and headers_scan. ```json "scans" : [ // list of the reports from particular scans { "mapping_scan" : { "module" : "7ff6bc950000", "module_file" : "C:\\Windows\\notepad.exe", "mapped_file" : "", "status" : 1 } }, { "headers_scan" : { "module" : "7ff6bc950000", "module_file" : "C:\\Windows\\notepad.exe", "status" : 1, "is_pe_replaced" : 1, "dos_hdr_modified" : 1, "file_hdr_modified" : 1, "nt_hdr_modified" : 1, "ep_modified" : 1, "sec_hdr_modified" : 1 } } ] ``` -------------------------------- ### Dump report (with IAT hooks file) Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports Example of a dump report entry including an 'iat_hooks_file' field for IAT hook details. ```json { "module" : "400000", "module_size" : "6336", "dump_file" : "400000.hooked2.exe", "iat_hooks_file" : "400000.hooked2.exe.iat_hooks.txt", "dump_mode" : "UNMAPPED", "is_shellcode" : 0, "status" : 1 } ``` -------------------------------- ### Dump report (summary) Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports Example JSON structure for a general dump report, summarizing dumped modules. ```json { "pid" : 684, "output_dir" : "process_684", "dumped" : { "total" : 2, "dumped" : 2 }, "dumps" : [ { "module" : "7ff6bc950000", "module_size" : "e4000", "dump_file" : "7ff6bc950000.notepad.exe", "dump_mode" : "UNMAPPED", "is_shellcode" : 0, "status" : 1 }, [...] ] } ``` -------------------------------- ### Dump report (with tag file) Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports Example of a dump report entry including a 'tags_file' field for patched details. ```json "dumps" : [ { "module" : "75660000", "module_size" : "153000", "dump_file" : "75660000.user32.dll", "tags_file" : "75660000.user32.dll.tag", "dump_mode" : "UNMAPPED", "is_shellcode" : 0, "status" : 1 } ``` -------------------------------- ### Example of return addresses extracted during thread callstack scan Source: https://github.com/hasherezade/pe-sieve/wiki/4.9.-Scan-threads-callstack-(threads) This snippet shows a sample output from a thread callstack scan, highlighting consecutive return addresses and identifying a potential shellcode location. ```text > 7ffdbd76d3f4 : ntdll.dll > 7ffdbb22962e : KERNELBASE.dll > 7ff6f0661269 : ShellcodeFluctuation64.exe > 20fa9d1022d 20fa9d1022d <=== SHELLCODE ``` -------------------------------- ### Workingset scan report (PE detected) Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports Example JSON structure for a workingset scan report when a complete PE file is detected. ```json "workingset_scan" : { "module" : "6f66740000", "status" : 1, "has_pe" : 1, "has_shellcode" : 0, "is_listed_module" : 0, "protection" : "40", "mapping_type" : "MEM_PRIVATE", "pe_artefacts" : { "pe_base_offset" : "0", "nt_file_hdr" : "fc", "sections_hdrs" : "200", "sections_count" : 7, "is_dll" : 0, "is_64_bit" : 1 } } ``` -------------------------------- ### Workingset scan report (Shellcode detected) Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports Example JSON structure for a workingset scan report when only shellcode is detected. ```json "workingset_scan" : { "module" : "7ff7d9fe1000", "status" : 1, "has_pe" : 0, "has_shellcode" : 1, "is_listed_module" : 0, "protection" : "20", "mapping_type" : "MEM_PRIVATE" } ``` -------------------------------- ### Example of JSON output for thread scan anomalies Source: https://github.com/hasherezade/pe-sieve/wiki/4.9.-Scan-threads-callstack-(threads) This JSON snippet illustrates the structure of scan results when callstack anomalies are detected, including thread ID, state, callstack information, and suspicious indicators. ```json [ ...] "scans" : [ { "thread_scan" : { "status" : 1, "thread_id" : 8080, "thread_info" : { "state" : "Waiting", "wait_reason" : "UserRequest", "callstack" : { "stack_ptr" : "51ff8ffa50", "frames_count" : 1, "frames" : ["7ffaaf3826b1;ntdll.dll!RtlUserThreadStart+0x21"] }, "last_sysc" : "NtSignalAndWaitForSingleObject", "last_func" : "RtlUserThreadStart" }, "indicators" : ["SUS_RET", "SUS_CALLS_INTEGRITY", "SUS_CALLSTACK_CORRUPT"], "susp_return_addr" : "1c988087780" } } ] [...] ``` -------------------------------- ### Clone the repository Source: https://github.com/hasherezade/pe-sieve/wiki/2.-How-to-build Clones the PE-sieve repository including its submodules recursively. ```bash git clone --recursive https://github.com/hasherezade/pe-sieve.git ``` -------------------------------- ### Help for Obfuscation Option Source: https://github.com/hasherezade/pe-sieve/wiki/4.10.-Detect-obfuscated-areas-(obfusc) Command to display all possible arguments for the /obfusc option. ```shell pe-sieve /obfusc ? ``` -------------------------------- ### Enable Reflection Mode Source: https://github.com/hasherezade/pe-sieve/wiki/4.8.-Create-Process-Reflection-(refl) Command-line option to enable reflection mode in PE-sieve. ```bash /refl ``` -------------------------------- ### PE-sieve Help Output Source: https://github.com/hasherezade/pe-sieve/wiki/4.-Additional-features-(options) The main screen and detailed help output when running PE-sieve with the /help parameter. ```console .______ _______ _______. __ ___________ ____ _______ | _ \ | ____| / || | | ____\ \ / / | ____| | |_) | | |__ ______ | (----`| | | |__ \ \/ / | |__ | ___/ | __| |______| \ \ | | | __| \ / | __| | | | |____ .----) | | | | |____ \ / | |____ | _| |_______| |_______/ |__| |_______| \__/ |_______| _ _______ _______ __ _______ __ _______ ________________________________________________________________________ Version: 0.3.9 (x64) Built on: Feb 24 2024 ~ from hasherezade with love ~ Scans a given process, recognizes and dumps a variety of in-memory implants: replaced/injected PEs, shellcodes, inline hooks, patches etc. URL: https://github.com/hasherezade/pe-sieve --- Required: /pid : Set the PID of the target process. Optional: ---1. scanner settings--- /quiet : Print only the summary. Do not log on stdout during the scan. /refl : Make a process reflection before scan. ---2. scan exclusions--- /dnet <*dotnet_policy> : Set the policy for scanning managed processes (.NET). /mignore : Do not scan module/s with given name/s. ---3. scan options--- /data <*data_scan_mode> : Set if non-executable pages should be scanned. /iat <*iat_scan_mode> : Scan for IAT hooks. /obfusc <*obfusc_mode> : Detect encrypted content, and possible obfuscated shellcodes. /pattern : Set additional shellcode patterns (file in the SIG format). /shellc <*shellc_mode> : Detect shellcode implants (by patterns or statistics). /threads : Scan threads' callstack. Detect shellcodes, incl. 'sleeping beacons'. ---4. dump options--- /dmode <*dump_mode> : Set in which mode the detected PE files should be dumped. /imp <*imprec_mode> : Set in which mode the ImportTable should be recovered /minidmp : Create a minidump of the full suspicious process. ---5. output options--- /dir : Set a root directory for the output (default: current directory). /jlvl <*json_lvl> : Level of details of the JSON report. /json : Print the JSON report as the summary. /ofilter <*ofilter_id> : Filter the dumped output. Info: /help : Print complete help. /help : Print help about a given keyword. / ? : Print details of a given parameter. /version : Print version info. --- ``` -------------------------------- ### Module Definitions Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Defines variables for module paths and includes necessary headers. ```cmake # modules: set ( M_PARSER "libpeconv/libpeconv" ) set ( M_SIGFIND "sig_finder/sig_finder" ) # modules paths: set ( PECONV_DIR "${PROJECT_SOURCE_DIR}/${M_PARSER}" CACHE PATH "PEConv main path") set ( SIGFIND_DIR "${PROJECT_SOURCE_DIR}/${M_SIGFIND}" CACHE PATH "SigFinder main path") # modules headers: include_directories ( ${PECONV_DIR}/include ) include_directories ( ${SIGFIND_DIR}/include ) ``` -------------------------------- ### Project Libraries and Subdirectories Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Defines subdirectories for parsing, signature finding, and parameter kit, and sets cache variables for library paths. ```cmake add_subdirectory (${M_PARSER}) set ( PECONV_LIB $ CACHE PATH "PEConvLib library path" ) add_subdirectory(${M_SIGFIND}) set ( SIGFIND_LIB $ CACHE PATH "SigFinder library path" ) ``` -------------------------------- ### Build Mode Configuration Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Configures the build mode for PE-sieve (EXE, DLL, or STATIC) and validates the input. ```cmake set(PESIEVE_BUILD_MODE "EXE" CACHE STRING "Build PE-sieve as EXE, DLL, or static LIB") set_property(CACHE PESIEVE_BUILD_MODE PROPERTY STRINGS EXE DLL STATIC) if(NOT PESIEVE_BUILD_MODE STREQUAL "EXE" AND NOT PESIEVE_BUILD_MODE STREQUAL "DLL" AND NOT PESIEVE_BUILD_MODE STREQUAL "STATIC") message(FATAL_ERROR "Invalid PESIEVE_BUILD_MODE '${PESIEVE_BUILD_MODE}'. Choose: EXE DLL STATIC" ) endif() set(PESIEVE_IS_EXE OFF) set(PESIEVE_IS_DLL OFF) set(PESIEVE_IS_STATIC OFF) if(PESIEVE_BUILD_MODE STREQUAL "EXE") set(PESIEVE_IS_EXE ON) elseif(PESIEVE_BUILD_MODE STREQUAL "DLL") set(PESIEVE_IS_DLL ON) elseif(PESIEVE_BUILD_MODE STREQUAL "STATIC") set(PESIEVE_IS_STATIC ON) endif() ``` -------------------------------- ### Help for /shellc parameter Source: https://github.com/hasherezade/pe-sieve/wiki/4.1.-Detect-shellcodes-(shellc) Command to display all possible arguments for the /shellc parameter. ```shell pe-sieve /shellc ? ``` -------------------------------- ### LibPEConv Options Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Configures options for the LibPEConv library, specifically redirecting logs to Debug output. ```cmake # options for LibPEConv set(PECONV_LOG_USE_DEBUGOUT ON CACHE BOOL "" FORCE) # no logs from libPEconv on stdout, redirect all to Debug output mark_as_advanced(PECONV_LOG_USE_DEBUGOUT) # hide the option from menu ``` -------------------------------- ### GNU Compiler Options Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Sets specific compile and link options for the GNU compiler, including static linking. ```cmake if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU") option(LINK_STATICALLY "Link PE-Sieve with static versions of linked libraries" ON) enable_language(RC) set(CMAKE_RC_COMPILE_OBJECT " -O coff -i -o ") add_compile_options( -fpermissive ) add_compile_definitions( _WIN32_WINNT=1536 # 0x600 aka Windows Vista required ) if(LINK_STATICALLY) add_link_options( -static -static-libgcc -static-libstdc++ ) endif() endif() ``` -------------------------------- ### Library or Executable Build Logic Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Conditional logic to build either a static library, a shared library (DLL), or an executable based on defined CMake variables. ```cmake if(PESIEVE_IS_STATIC OR PESIEVE_IS_DLL) set (lib_srcs pe_sieve_api.cpp ${srcs} ) if (PESIEVE_IS_DLL) set (lib_srcs dll_main.cpp main.def ${lib_srcs} ) endif() if(PESIEVE_IS_STATIC) add_library ( ${PROJECT_NAME} STATIC ${library_export_hdrs} ${hdrs} ${lib_srcs} ${rsrc} ) target_compile_definitions(${PROJECT_NAME} PUBLIC PESIEVE_STATIC_LIB) elseif(PESIEVE_IS_DLL) add_library ( ${PROJECT_NAME} SHARED ${library_export_hdrs} ${hdrs} ${lib_srcs} ${rsrc} ) target_compile_definitions(${PROJECT_NAME} PUBLIC PESIEVE_SHARED_LIB) set_source_files_properties(main.def PROPERTIES HEADER_FILE_ONLY TRUE) endif() INSTALL(FILES ${library_export_hdrs} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" ) set_source_files_properties(main.def PROPERTIES HEADER_FILE_ONLY TRUE) else() add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} ${rsrc} pe_sieve_res_icon.rc main.cpp params.h ) endif() ``` -------------------------------- ### Include PE-sieve as a static library Source: https://github.com/hasherezade/pe-sieve/wiki/2.1.-How-to-add-PE-sieve-to-your-Visual-Studio-project This code snippet demonstrates how to include the PE-sieve API when PE-sieve is linked as a static library. It requires the PESIEVE_STATIC_LIB macro definition. ```cpp #define PESIEVE_STATIC_LIB #include using namespace pesieve; ``` -------------------------------- ### TAG file format Source: https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches The basic format of a TAG file used by PE-sieve to annotate offsets in executable files. ```text {RVA};{comment} ``` -------------------------------- ### Conditional Parameter Kit Inclusion Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Includes the parameter kit library only if PESIEVE_IS_EXE is defined, setting up include directories and cache variables. ```cmake if(PESIEVE_IS_EXE) set ( M_PARAMKIT_LIB "paramkit" ) set (PARAMKIT_DIR "${CMAKE_SOURCE_DIR}/${M_PARAMKIT_LIB}/${M_PARAMKIT_LIB}" CACHE PATH "ParamKit main path" ) # modules headers: include_directories ( ${PARAMKIT_DIR}/include ) # libs add_subdirectory ( ${PARAMKIT_DIR} ) set ( PARAMKIT_LIB $ CACHE PATH "ParamKit library path" ) endif() ``` -------------------------------- ### TAG file details format Source: https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches The format for the '{details}' part within a TAG file entry, specifying module information. ```text {module base}+{hook RVA}:{module name}:{is the module identified as suspicious} ``` -------------------------------- ### TAG file format with details Source: https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches The detailed format of a TAG file entry, including information about function redirection and patch size. ```text {RVA};{hooked_function}->{VA where the hook leads to}[{details}];{size of the patch} ``` -------------------------------- ### Import Table Recovery Modes Source: https://github.com/hasherezade/pe-sieve/wiki/4.3.-Import-table-reconstruction-(imp) Command-line options for PE-sieve's Import Table recovery modes, detailing each mode's function and parameters. ```shell imp <*imprec_mode> : Set in which mode the ImportTable should be recovered *imprec_mode: 0 (N) - none: do not recover imports (default) 1 (A) - try to autodetect the most suitable mode 2 (U) - unerase the erased parts of the partialy damaged ImportTable 3 (R0) - build the ImportTable from scratch, basing on the found IATs: use only terminated blocks (restrictive mode) 4 (R1) - build the ImportTable from scratch, basing on the found IATs: use terminated blocks, or blocks with more than 1 thunk 5 (R2) - build the ImportTable from scratch, basing on the found IATs: use all found blocks (aggressive mode) ``` -------------------------------- ### Include PE-sieve as a DLL Source: https://github.com/hasherezade/pe-sieve/wiki/2.1.-How-to-add-PE-sieve-to-your-Visual-Studio-project This code snippet shows how to include the PE-sieve API when PE-sieve is linked as a DLL. ```cpp #include using namespace pesieve; ``` -------------------------------- ### Displaying available arguments for /data Source: https://github.com/hasherezade/pe-sieve/wiki/4.4.-Scan-non-executable-memory-(data) Command to display all possible arguments for the /data parameter. ```bash pe-sieve /data ? ``` -------------------------------- ### Pattern tag file format Source: https://github.com/hasherezade/pe-sieve/wiki/4.11.-Detect-shellcode-by-custom-patterns-(pattern) The format of the .pattern.tag file, which details the location of matched patterns. ```plaintext [offset:hex];[Pattern name];[pattern length:hex] ``` -------------------------------- ### IAT Scan Modes Source: https://github.com/hasherezade/pe-sieve/wiki/4.7.-Scan-for-IAT-Hooks-(iat) Command-line options for scanning IAT hooks with PE-sieve, including different scan modes and their explanations. ```bash /iat <*scan_mode> : Scan for IAT hooks. *scan_mode: 0 - none: do not scan for IAT Hooks (default) 1 - scan IAT, filter hooks that lead to unpatched system module 2 - scan IAT, filter hooks that lead to ANY system module 3 - unfiltered: scan for IAT Hooks, report all ``` -------------------------------- ### Source Files Definition Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Defines lists of source files for various components of the project, including scanners, postprocessors, import reconstruction, utilities, and statistics. ```cmake set (scanners_srcs scanners/mapping_scanner.cpp scanners/headers_scanner.cpp scanners/code_scanner.cpp scanners/workingset_scanner.cpp scanners/artefact_scanner.cpp scanners/iat_scanner.cpp scanners/scanner.cpp scanners/module_data.cpp scanners/module_cache.cpp scanners/mempage_data.cpp scanners/patch_list.cpp scanners/patch_analyzer.cpp scanners/scan_report.cpp scanners/scanned_modules.cpp scanners/hook_targets_resolver.cpp scanners/thread_scanner.cpp ) set (scanners_hdrs scanners/process_feature_scanner.h scanners/mapping_scanner.h scanners/headers_scanner.h scanners/code_scanner.h scanners/module_scanner.h scanners/workingset_scanner.h scanners/artefact_scanner.h scanners/iat_scanner.h scanners/scanner.h scanners/module_scan_report.h scanners/scan_report.h scanners/module_cache.h scanners/module_data.h scanners/mempage_data.h scanners/pe_section.h scanners/patch_list.h scanners/patch_analyzer.h scanners/scanned_modules.h scanners/hook_targets_resolver.h scanners/thread_scanner.h scanners/process_details.h ) set (imprec_hdrs postprocessors/imp_rec/imp_reconstructor.h postprocessors/imp_rec/iat_block.h postprocessors/imp_rec/iat_finder.h postprocessors/imp_rec/import_table_finder.h ) set (postprocessors_hdrs postprocessors/report_formatter.h postprocessors/results_dumper.h postprocessors/dump_report.h postprocessors/pe_buffer.h postprocessors/pe_reconstructor.h ) set (imprec_srcs postprocessors/imp_rec/imp_reconstructor.cpp postprocessors/imp_rec/iat_block.cpp postprocessors/imp_rec/import_table_finder.cpp ) set (postprocessors_srcs postprocessors/report_formatter.cpp postprocessors/results_dumper.cpp postprocessors/dump_report.cpp postprocessors/pe_buffer.cpp postprocessors/pe_reconstructor.cpp ) set (stats_srcs stats/stats_analyzer.cpp ) set (stats_hdrs stats/entropy.h stats/stats.h stats/entropy_stats.h stats/multi_stats.h stats/stats_util.h stats/stats_analyzer.h stats/std_dev_calc.h ) set (utils_srcs utils/format_util.cpp utils/process_util.cpp utils/threads_util.cpp utils/process_privilege.cpp utils/process_minidump.cpp utils/path_util.cpp utils/path_converter.cpp utils/workingset_enum.cpp utils/modules_enum.cpp utils/artefacts_util.cpp utils/process_reflection.cpp utils/console_color.cpp utils/strings_util.cpp utils/syscall_extractor.cpp ) set (utils_hdrs utils/format_util.h utils/path_util.h utils/path_converter.h utils/process_util.h utils/threads_util.h utils/process_privilege.h utils/process_minidump.h utils/workingset_enum.h utils/modules_enum.h utils/artefacts_util.h utils/process_reflection.h utils/console_color.h utils/strings_util.h utils/byte_buffer.h utils/code_patterns.h utils/custom_mutex.h utils/custom_buffer.h utils/process_symbols.h utils/syscall_extractor.h ) set (params_info_hdrs params_info/pe_sieve_params_info.h params_info/params_dump.h ) set (params_info_srcs params_info/pe_sieve_params_info.cpp params_info/params_dump.cpp ) set (srcs pe_sieve.cpp color_scheme.h ${params_info_srcs} ${scanners_srcs} ${postprocessors_srcs} ${imprec_srcs} ${utils_srcs} ${stats_srcs} ) set (hdrs pe_sieve.h pe_sieve_report.h include/pe_sieve_types.h ${params_info_hdrs} ${scanners_hdrs} ${postprocessors_hdrs} ${imprec_hdrs} ${utils_hdrs} ${stats_hdrs} ) set (rsrc resources.h pe_sieve_ver_short.h pe_sieve_res.rc pe-sieve.manifest ) ``` -------------------------------- ### Source Group Definitions Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Defines source groups for organizing files within the Visual Studio project structure. ```cmake SOURCE_GROUP("Source Files\\scanners" FILES ${scanners_srcs} ) SOURCE_GROUP("Header Files\\scanners" FILES ${scanners_hdrs} ) SOURCE_GROUP("Source Files\\utils" FILES ${utils_srcs} ) SOURCE_GROUP("Header Files\\utils" FILES ${utils_hdrs} ) SOURCE_GROUP("Source Files\\stats" FILES ${stats_srcs} ) SOURCE_GROUP("Header Files\\stats" FILES ${stats_hdrs} ) SOURCE_GROUP("Source Files\\params_info" FILES ${params_info_srcs} ) SOURCE_GROUP("Header Files\\params_info" FILES ${params_info_hdrs} ) SOURCE_GROUP("Source Files\\postprocessors" FILES ${postprocessors_srcs} ) SOURCE_GROUP("Header Files\\postprocessors" FILES ${postprocessors_hdrs} ) SOURCE_GROUP("Source Files\\postprocessors\\imp_rec" FILES ${imprec_srcs} ) SOURCE_GROUP("Header Files\\postprocessors\\imp_rec" FILES ${imprec_hdrs} ) ``` -------------------------------- ### Linking Libraries Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Defines the libraries to be linked against, with conditional inclusion of Paramkit when building as an executable. ```cmake set (used_libs ${PECONV_LIB} ${SIGFIND_LIB} psapi.lib ntdll.lib shlwapi imagehlp ) # dependencies add_dependencies( ${PROJECT_NAME} libpeconv sig_finder ) if(PESIEVE_IS_STATIC OR PESIEVE_IS_DLL) include(GNUInstallDirs) install(TARGETS ${PROJECT_NAME} ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR} LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} ) target_link_libraries ( ${PROJECT_NAME} ${used_libs} ) else() # add Paramkit only if build as an exe # dependencies add_dependencies(${PROJECT_NAME} paramkit ) target_link_libraries ( ${PROJECT_NAME} ${used_libs} ${PARAMKIT_LIB} ) endif() ``` -------------------------------- ### Define modules to exclude from scan Source: https://github.com/hasherezade/pe-sieve/wiki/4.6.-Ignore-modules-(mignore) This shows the basic syntax for the /mignore command to specify modules that should be ignored during a scan. ```shell /mignore ``` -------------------------------- ### dmode command and dump modes Source: https://github.com/hasherezade/pe-sieve/wiki/4.2.-Change-dump-mode-(dmode) This snippet shows the dmode command syntax and the different dump modes available with their corresponding integer and character codes. ```shell dmode <*dump_mode> : Set in which mode the detected PE files should be dumped. *dump_mode: 0 (A) - autodetect (default) 1 (V) - virtual (as is in the memory, no unmapping) 2 (U) - unmapped (converted to raw using sections' raw headers) 3 (R) - realigned raw (converted raw format to be the same as virtual) ``` -------------------------------- ### PE-sieve API Function Definitions Source: https://github.com/hasherezade/pe-sieve/wiki/5.-API Definitions of the core PE-sieve API functions: PESieve_version, PESieve_help, and PESieve_scan. ```cpp #define PESIEVE_API_FUNC __cdecl DWORD PESIEVE_API PESieve_version; void PESIEVE_API_FUNC PESieve_help(void); PEsieve_report PESIEVE_API_FUNC PESieve_scan(PEsieve_params args); ``` -------------------------------- ### MSVC Compiler Flags Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Sets the C++ release flags for the MSVC compiler to enable static runtime linking. ```cmake if (MSVC) set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT") endif() ``` -------------------------------- ### Obfuscation Modes Source: https://github.com/hasherezade/pe-sieve/wiki/4.10.-Detect-obfuscated-areas-(obfusc) This snippet shows the different modes available for the /obfusc option, detailing how each mode detects encrypted content and possible obfuscated shellcodes. ```shell obfusc <*obfusc_mode> : Detect encrypted content, and possible obfuscated shellcodes. *obfusc_mode: 0 (N) - none: do not detect obfuscated areas 1 (S) - detect areas possibly encrypted with strong encryption 2 (W) - detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns) 3 (A) - detect any: possible strong or weak encryption ``` -------------------------------- ### Basic Scan Command Source: https://github.com/hasherezade/pe-sieve/wiki/3.-Default-features Command to perform a basic scan with default settings by supplying the PID of the target process. ```bash pe-sieve.exe /pid ``` -------------------------------- ### Patterns file format - Signature definition Source: https://github.com/hasherezade/pe-sieve/wiki/4.11.-Detect-shellcode-by-custom-patterns-(pattern) Defines the structure for a single pattern signature in the patterns file. ```plaintext ``` -------------------------------- ### MSVC Specific Link Options Source: https://github.com/hasherezade/pe-sieve/blob/master/CMakeLists.txt Applies a specific linker option for MSVC compiler to disable manifest generation. ```cmake if(CMAKE_CXX_COMPILER_ID MATCHES "MSVC") target_link_options( ${PROJECT_NAME} PRIVATE "/MANIFEST:NO") endif() ``` -------------------------------- ### IAT Hook Report Details Format Source: https://github.com/hasherezade/pe-sieve/wiki/4.7.-Scan-for-IAT-Hooks-(iat) The format for additional details within the IAT hook report, specifying module information and hook target. ```text {module base}+{function RVA}:{module name.target function name}:{is the module identified as suspicious} ``` -------------------------------- ### IAT Hook Report Format Source: https://github.com/hasherezade/pe-sieve/wiki/4.7.-Scan-for-IAT-Hooks-(iat) The format of the report generated by PE-sieve when IAT hooks are detected. ```text {thunk RVA};{original function name}->{VA where the hook leads to}[{details}] ``` -------------------------------- ### Mapping Scan Report Details Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports Detailed structure of a report entry from the mapping scan, explaining each field and its significance. ```json "mapping_scan" : { // report from the mapping scan "module" : "7ff6bc950000", // the base address at which the module was mapped in the memory "module_file" : "C:\\Windows\\notepad.exe", // The path set in the PEB "mapped_file" : "", // The path from which the module was mapped. If empty, it often indicates process Doppelgänging. "status" : 1 // status 1 - means positive result (suspicious) } ``` -------------------------------- ### PESieve_scan_ex Function Definition Source: https://github.com/hasherezade/pe-sieve/wiki/5.-API Definition for the enriched PESieve_scan_ex function, which allows retrieving JSON reports. ```cpp PEsieve_report PESIEVE_API_FUNC PESieve_scan_ex(IN const PEsieve_params args, IN const PEsieve_rtype rtype, OUT char* json_buf, IN size_t json_buf_size, OUT size_t *buf_needed_size); ``` -------------------------------- ### Data scan modes Source: https://github.com/hasherezade/pe-sieve/wiki/4.4.-Scan-non-executable-memory-(data) Enumeration of different modes for scanning non-executable memory using the /data parameter. ```text data <*data_scan_mode> : Set if non-executable pages should be scanned. *data_scan_mode: 0 - none: do not scan non-executable pages 1 - .NET: scan non-executable in .NET applications 2 - if no DEP: scan non-exec if DEP is disabled (or if is .NET) 3 - always: scan non-executable pages unconditionally 4 - include inaccessible: scan non-executable pages unconditionally; in reflection mode (/refl): scan also inaccessible pages 5 - scan inaccessible pages, but exclude other non-executable; works in reflection mode (/refl) only ``` -------------------------------- ### JSON output format when run with /json option Source: https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports This shows the combined JSON output format when PE-sieve is executed with the /json flag, displaying both scan and dump reports on stdout. ```json { "scan_report" : { // scan report content }, "dump_report" : { // dump report content } } ```