PE-sieve Versions

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

v0.3.9

2 months ago

REFACT

  • Refactored to use a new pattern-matching engine (SigFinder) for shellcode detection; improved performance.

FEATURE

  • Added new parameter /pattern <file>, allowing the user to supply custom signatures to be searched for in memory. The format is defined by SigFinder and described in the relevant README. If a pattern file was supplied, a .tag file for the found patterns will be generated, with the extension .pattern.tag
  • New fields in the scan_report.json:
    • Save the PE-sieve version with which the scan was performed (scanner_version)
    • In workingset_scan section: added patterns section with information about found patterns:
      • total_matched (count of all patterns matched, including the hardcoded ones)
      • custom_matched (count of patterns matched from the set defined by the user in pattern file)
  • New fields in the dump_report.json:
    • If a .pattern.tag file was generated, its name is added in the pattern_tags_file field of the relevant module.
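As an added example (not PE-sieve's own code), a small Python triage helper that reads the report fields listed above and tolerates reports produced by scanners older than 0.3.9, which lack them; the exact JSON nesting, the dumps/module keys and all sample values are constructed assumptions based only on the field names in these notes.

```python
import json
from typing import Any, Dict

# Constructed sample of a v0.3.9 scan_report.json (field layout assumed from the notes).
SCAN_REPORT_NEW = json.dumps({
    "pid": 4242,
    "scanner_version": "0.3.9",
    "workingset_scan": {
        "patterns": {"total_matched": 3, "custom_matched": 1},
    },
})
# Constructed sample from an older scanner: no scanner_version, no patterns section.
SCAN_REPORT_OLD = json.dumps({"pid": 4242, "workingset_scan": {}})
# Constructed dump_report.json fragment: one module with a .pattern.tag file, one without
# (the "dumps" list and "module" key are assumptions for this example).
DUMP_REPORT = json.dumps({"dumps": [
    {"module": "0x1a0000", "pattern_tags_file": "4242.1a0000.pattern.tag"},
    {"module": "0x2b0000"},
]})


def summarize_patterns(scan_report: str) -> Dict[str, Any]:
    """Split pattern matches into built-in vs custom; mark reports without the section."""
    rep = json.loads(scan_report)
    version = rep.get("scanner_version")  # absent in reports written before 0.3.9
    patterns = rep.get("workingset_scan", {}).get("patterns")
    if patterns is None:
        # Old scanner or no working-set scan: nothing to count, do not treat as "zero hits".
        return {"scanner_version": version, "supported": False,
                "total": 0, "custom": 0, "builtin": 0}
    total = int(patterns.get("total_matched", 0))   # includes the hardcoded signatures
    custom = int(patterns.get("custom_matched", 0)) # only from the user's /pattern file
    return {"scanner_version": version, "supported": True,
            "total": total, "custom": custom, "builtin": total - custom}


def modules_with_pattern_tags(dump_report: str) -> Dict[str, str]:
    """Map each dumped module to its .pattern.tag file, skipping modules without one."""
    rep = json.loads(dump_report)
    return {d["module"]: d["pattern_tags_file"]
            for d in rep.get("dumps", []) if "pattern_tags_file" in d}
```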

See also: HollowsHunter v0.3.9 & MalUnpack v0.9.9 with the latest PE-sieve


v0.3.8

6 months ago

FEATURE

  • New options for shellcode detection (/shellc):
    • detect by patterns (previous mode): available with /shellc P
    • detect by stats (new mode): available with /shellc S
    • possibility to mix both modes: options /shellc B (both) or /shellc A (any)
  • Detection of obfuscated memory regions (/obfusc)
  • Caching of detected shellcodes (guarantees that the dumped shellcode is the same as the detected shellcode; no second read)

See also: HollowsHunter v0.3.8 & MalUnpack v0.9.8 with the latest PE-sieve


v0.3.6

1 year ago

FEATURE

  • Improved integration with other languages (Python, Golang: https://github.com/hasherezade/pe-sieve/discussions/112); improvements in the API
  • In ThreadScan: calculate the entropy of the detected area:
    • decreased number of false positives (filtering by entropy)
    • added a new section to the ThreadScanReport: stats
  • In dump report: set "is_shellcode" : 1 only if the code pattern was matched (to distinguish cases where e.g. the shellcode was encrypted and detected by thread scan)

BUGFIX

REFACT

  • Faster search for code signatures: skip padding during the scan

See also: HollowsHunter v0.3.6 & MalUnpack v0.9.7 with the latest PE-sieve


v0.3.5

1 year ago


FEATURE

  • Added API function PESieve_scan_ex, allowing retrieval of the scan and dump JSON reports directly into a supplied memory buffer (Issue #105)
  • Allow scanning the scanner's own working set (Issue #104)
  • Added one more shellcode pattern (Issue #108)
  • Added version information to resources

BUGFIX

  • Fixed getting stuck on scanning for PE artifacts (in some rare cases)
  • Fixed checking mapped modules against the image on disk (fixed issue with the remote module not being copied)
  • Fixed false positive - MUI files detected as implanted, when using 32bit scanner on 64bit system (FS redirection issue)
  • Other small fixes

See also: HollowsHunter v0.3.5 & MalUnpack v0.9.6 with the latest PE-sieve


v0.3.4

2 years ago


FEATURE

  • In /mignore: removed the buffer limit (details: https://github.com/hasherezade/pe-sieve/pull/99). WARNING: API change
  • New param: /threads, enabling a scan of the threads' callstacks. This is another layer of shellcode detection, allowing the capture of "sleeping beacons" and other payloads decrypted just before execution. (Read more here)


See also: HollowsHunter v0.3.4 with the latest PE-sieve

v0.3.3

2 years ago


BUGFIX

  • Fully redesigned IAT scan, providing much better precision (Issues: #98, #92, #77)
  • Fixed processing PEs with relocation table containing empty records (https://github.com/hasherezade/libpeconv/issues/30)
  • Fixed false positives in some of the code scans

FEATURE

  • Added optional caching (Issue #94)
  • Improved auto-detection of import reconstruction mode (/imp A): set R0 or R1 mode depending on the sizes of the found IATs of particular types
  • Do not exclude .NET modules from code scan. Improved filtering of the changes typical for .NET.
  • Changed reporting of IAT hooks to a format consistent with inline hook reports (more details here)

See also: HollowsHunter v0.3.3 & MalUnpack v0.9.1 with the latest PE-sieve


v0.3.2

2 years ago


BUGFIX

  • Fixed memory leak (Issue #95)
  • Trim invalid sections while reconstructing the payload (Issue #96)
  • Fixed overeager imports reconstruction (Issue #97)
  • Improved auto-detection of import reconstruction mode

FEATURE

  • Added new modes of import reconstruction (/imp): R0-R2, from restrictive to aggressive (more info here)
  • Report if process reflection was used in a scan
  • Automatically turn on /refl mode if a scan of inaccessible data is requested (/data 4, /data 5)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.2


v0.3.1.3

2 years ago


BUGFIX

  • Fixed invalid condition check on scanning data (Issue #93)
  • In import reconstruction auto mode (/imp 1): do not overwrite the import table of .NET modules (it was destroying imports) (Issue #89)
  • Improved detection of whether a PE is in virtual or raw mode; fixed an issue in dumping some PEs
  • Improvements in code scan (Issue #15)
  • Improved reporting of unreachable modules

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1.3

v0.3.1

2 years ago

FEATURE

  • Changes in presenting application parameters; refactored to use the ParamKit library
  • Recognize Virtual Table hooks (Issue #88)

BUGFIX

  • Improve recognizing when to rebuild the import table from scratch (Issue #89)
  • Improve detecting when to realign the payload (Issue #90)
  • Do not include calls to own exports in the Import Table reconstruction (Issue #91)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.1


v0.3.0

2 years ago

FEATURE

  • Support force-reading of inaccessible pages (PAGE_NOACCESS) when running in reflection mode (/refl):
    • automatic if the inaccessible page is within the PE module
    • on demand if the inaccessible page is somewhere else in the working set (depending on the selected /data mode)
  • Added more options for scanning non-executable pages (/data)
  • Added one more mode of IAT hooks scan (/iat), allowing hooks that lead to any system DLL to be filtered out
  • In the hook-resolving function: recognize and parse one more jump type
  • In shellcode detection: added one more pattern

BUGFIX

  • Fixed error in printing JSON reports of some of the scan types (missing headers)

REFACT

  • Refactored and optimized the hook-resolving function
  • Removed unneeded flags from process reflection creation (optimization)

See also HollowsHunter: https://github.com/hasherezade/hollows_hunter/releases/tag/v0.3.0