Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
[FEATURE] /mfilter
[BUGFIX]
[FEATURE]
[BUGFIX]
[FEATURE] /jlvl parameter, allowing to regulate the level of detail included in the JSON report; allows listing hooks/patches in the scan_report.
[BUGFIX]
[FEATURE] PE-sieve API uses the __cdecl calling convention (instead of __stdcall)
Scan for hooks also in the sections that are marked as non-executable, if they contain code patterns (/data parameter)
[BUGFIX]
[REFACT]
[BUGFIX]
[BUGFIX]
[FEATURE]
[REFACT]
[BUGFIX] /Device/ format
[FEATURE] /dnet parameter
detached renamed to unreachable_file
[FEATURE] /<parameter> ? (prints the help for the given parameter)
/data parameter
/dnet parameter, allowing to enable treating .NET modules differently than native ones
PEsieve_version implemented as a constant
[BUGFIX] If /refl is chosen, the process reflection should be used for both scan and dump
/mfilter
[REFACT]
[FEATURE]
[BUGFIX] /mignore option (filtering out selected modules from the scan)
[FEATURE] /refl parameter, allowing to make a process reflection before scanning
[BUGFIX]
[REFACT]
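The parameters listed above in one invocation, as an added example that is not part of the release notes or of the PE-sieve project: a PowerShell wrapper that runs pe-sieve64.exe against a PID with /refl, /data, /dnet, /mfilter, /mignore and a JSON report level, then summarizes the counters of the returned report. The executable name, the numeric values passed to /jlvl, /data, /dnet and /mfilter, the ';' separator for the /mignore list, the assumption that /json prints the report to stdout, and the report field names (scanned.modified.unreachable_file and the others) are assumptions, to be checked against the tool's own `/<parameter> ?` help and a real report before relying on them.

```powershell
# Added example, not PE-sieve's own code: drive pe-sieve64.exe with the switches
# from the release notes and summarize the JSON report it returns.
param(
    [Parameter(Mandatory = $true)][int]$TargetPid,
    [string]$PeSieve = (Join-Path $PSScriptRoot 'pe-sieve64.exe'),   # assumed binary name/location
    [string]$OutDir  = (Join-Path $env:TEMP "pe-sieve_$TargetPid"),  # where dumps are written
    [string[]]$IgnoreModules = @()   # modules to skip, e.g. 'ntdll.dll','kernel32.dll'
)

if (-not (Test-Path $PeSieve)) { throw "pe-sieve not found: $PeSieve" }

# Every switch can be asked for its own help text with '/<parameter> ?',
# e.g.:  & $PeSieve /dnet ?   -- do that to confirm the numeric values below.
$sieveArgs = @(
    '/pid',     $TargetPid,
    '/json',                 # assumed: print the summary report as JSON to stdout
    '/jlvl',    1,           # assumed: detail level that lists hooks/patches in scan_report
    '/refl',                 # scan (and dump from) a process reflection, not the live process
    '/data',    1,           # assumed: also scan non-executable sections containing code patterns
    '/dnet',    1,           # assumed: treat .NET modules differently than native ones
    '/mfilter', 3,           # assumed: scan both 32- and 64-bit modules
    '/dir',     $OutDir
)
if ($IgnoreModules.Count -gt 0) {
    # assumed: /mignore takes a single ';'-separated list of module names
    $sieveArgs += @('/mignore', ($IgnoreModules -join ';'))
}

$raw = (& $PeSieve @sieveArgs 2>&1) | Out-String

# Tolerate a banner or diagnostics printed before the report: parse from the first '{'.
$start = $raw.IndexOf('{')
if ($start -lt 0) { throw "no JSON report in pe-sieve output:`n$raw" }
$report = $raw.Substring($start) | ConvertFrom-Json

# Field names below are assumptions about the report layout (scanned -> modified -> counters).
$modified = $report.scanned.modified
[pscustomobject]@{
    Pid         = $TargetPid
    Scanned     = $report.scanned.total
    Skipped     = $report.scanned.skipped
    Modified    = $modified.total
    Patched     = $modified.patched
    IatHooked   = $modified.iat_hooked
    Replaced    = $modified.replaced
    HdrModified = $modified.hdr_modified
    Implanted   = $modified.implanted
    Unreachable = $modified.unreachable_file   # formerly reported as 'detached'
    DumpDir     = $OutDir
}
```

Run it as `.\Invoke-PeSieve.ps1 -TargetPid 1234 -IgnoreModules 'ntdll.dll'` from an elevated shell; a non-zero Modified count, or any Unreachable modules, is the signal to open the dumps under DumpDir and the per-module entries in the report's scans list.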