PE-sieve (previously known as Hook Finder) is my open source tool based on libpeconv.
It scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE.
Currently it detects inline hooks, hollowed processes, Process Doppelgänging etc. The tool is under rapid development, so expect frequent updates.
PE-sieve is available in 2 versions – as standalone executable, and as a DLL. The DLL version became a base of my other project: HollowsHunter – that makes an automated scan of all the running processes. More about it in the further part of the post.
Where to get it?
The tool is open-source, available on my github:
It has a simple, commandline interface. When run without parameters, it displays info about the version and required arguments:
When you run it giving a PID of the running process, it scans all the PE modules in its memory (the main executable, but also all the loaded DLLs). At the end, you can see the summary of how many anomalies have been detected of which type.
In case if some modified modules has been detected, they are dumped to a folder of a given process, for example:
Short history & features
Detecting inline hooks and patches
I started creating it for the purpose of searching and examining inline hooks. You can see it in action here (old version):
It not only detects that there IS an anomaly/patch, but also WHERE exactly it is. For each dumped PE where the patches were found, it creates a file with tags, that can be loaded by PE-bear.
Thanks to this, we can easily browse the found hooks and check the code that was overwritten.
For example – in the application presented above, the Entry Point was patched and the execution was redirected to the added, malicious section:
Detecting hollowed processes
Later, I extended it to detect process hollowing etc – and it turned out to be pretty convenient unpacker: