New in PE-sieve 0.3.9 (Feb 24, 2024)
- REFACT:
  - Refactored to use a new pattern matching engine (SigFinder) for shellcode detection. Improved performance.
- FEATURE:
  - Added new parameter /pattern <file> allowing to supply custom signatures to be searched in memory. The format is defined by SigFinder and described in the relevant README. If a pattern file was defined, a .tag file for the found patterns will be generated, with the extension .pattern.tag
  - New fields in the scan_report.json:
    - Save the PE-sieve version with which the scan was performed (scanner_version)
    - In workingset_scan section: added patterns section with information about found patterns:
      - total_matched (count of all patterns matched, including the hardcoded ones)
      - custom_matched (count of patterns matched from the set defined by the user in the pattern file)
  - New fields in the dump_report.json:
    - If a pattern.tag file was generated, the name of this file will be added in the pattern_tags_file field of the relevant module.
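A small triage helper for the scan_report.json fields introduced in 0.3.9, added here as an example and not part of PE-sieve itself; the field names come from this changelog, while the exact JSON nesting and the sample numbers are assumed and constructed.

```python
import json

# Constructed sample of a PE-sieve 0.3.9 scan_report.json. Only the field names
# (scanner_version, workingset_scan, patterns, total_matched, custom_matched)
# come from the changelog; the nesting is assumed and the counts are made up.
SAMPLE_SCAN_REPORT = """{
  "scanner_version": "0.3.9",
  "workingset_scan": {
    "patterns": {
      "total_matched": 3,
      "custom_matched": 1
    }
  }
}"""


def pattern_summary(report_text):
    """Return (scanner_version, total, custom, hardcoded) for a report that
    carries the 0.3.9 pattern fields, or None for a report from an older version."""
    report = json.loads(report_text)
    version = report.get("scanner_version")
    patterns = report.get("workingset_scan", {}).get("patterns")
    if version is None or patterns is None:
        # Pre-0.3.9 reports have neither scanner_version nor a patterns section:
        # treat that as "unknown", never as "zero matches".
        return None
    total = int(patterns.get("total_matched", 0))
    custom = int(patterns.get("custom_matched", 0))
    if custom > total:
        # custom matches are a subset of total_matched, so this cannot happen
        raise ValueError("custom_matched exceeds total_matched: malformed report")
    # total_matched includes the hardcoded patterns, so the remainder is the
    # number of hits produced by PE-sieve's built-in signature set.
    return version, total, custom, total - custom


def custom_pattern_hit(report_text):
    """True when at least one signature from the user's /pattern file matched."""
    summary = pattern_summary(report_text)
    return summary is not None and summary[2] > 0


if __name__ == "__main__":
    print(pattern_summary(SAMPLE_SCAN_REPORT))    # ('0.3.9', 3, 1, 2)
    print(custom_pattern_hit(SAMPLE_SCAN_REPORT))  # True
```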
New in PE-sieve 0.3.8 (Nov 10, 2023)
- FEATURE:
  - New options for shellcode detection (/shellc):
    - detect by patterns (previous mode): available with /shellc P
    - detect by stats (new mode): available with /shellc S
    - possibility to mix both modes: options /shellc B (both) or /shellc A (any)
  - Detection of obfuscated memory regions (/obfusc)
  - Caching of detected shellcodes (guarantees that the dumped shellcode is the same as the detected shellcode - no second read)
New in PE-sieve 0.3.6 (May 15, 2023)
- FEATURE:
  - improved integration with other languages (Python, Golang: #112), improvements in the API
  - in ThreadScan: calculate the entropy of the detected area:
    - decreased number of false positives (filtering by entropy)
    - added a new section to the ThreadScanReport: stats
- BUGFIX:
  - fixed a bug in libPEconv (buffer boundary check: cabdd46)
  - fixed crash if the output filter was set (#113 - missing check if the dump report was generated)
  - fixed backward compatibility with Windows XP (#42)
  - decreased number of false positives when searching for PE files in non-executable memory
- REFACT:
  - faster search for code signatures: skip padding from the scan
New in PE-sieve 0.3.4 (Feb 11, 2022)
- In /mignore: removed buffer limit (details: #99; WARNING: API change)
- New param: /threads, enabling scan of the threads' callstacks. This is another layer of shellcode detection, allowing to capture "sleeping beacons" and others decrypted just before the execution.
New in PE-sieve 0.3.2 (Dec 28, 2021)
- BUGFIX:
  - Fixed memory leak (Issue #95)
  - Trim invalid sections while reconstructing the payload (Issue #96)
  - Fixed overeager imports reconstruction (Issue #97)
  - Improved auto-detection of import reconstruction mode
- FEATURE:
  - Added new modes of import reconstruction (/imp): R0-R2, from restrictive to aggressive (more info here)
  - Report if the process reflection was used in a scan
  - Automatically turn on /refl mode if a scan of inaccessible data is requested (/data 4, /data 5)
New in PE-sieve 0.3.1.3 (Sep 12, 2021)
- Fixed invalid condition check on scanning data (Issue #93)
- In imp rec auto mode (/imp 1): do not overwrite import table of .NET modules (it was destroying imports) (Issue #89)
- Improved detection of whether a PE is in virtual or raw mode - fixed an issue in dumping of some PEs
- Improvements in code scan (Issue #15)
- Improved reporting of unreachable modules
New in PE-sieve 0.3.1 (Sep 7, 2021)
- FEATURE:
  - Changes in presenting application parameters. Refactored to use the ParamKit library
  - Recognize Virtual Table hooks (Issue #88)
- BUGFIX:
  - Improve recognizing when to rebuild the import table from scratch (Issue #89)
  - Improve detecting when to realign the payload (Issue #90)
  - Do not include calls to own exports in the Import Table reconstruction (Issue #91)
New in PE-sieve 0.3.0 (Aug 11, 2021)
- FEATURE:
  - Supported force-read of inaccessible pages (PAGE_NOACCESS) when running in the reflection mode (/refl):
    - Automatic if the inaccessible page is within the PE module
    - On-demand if the inaccessible page is somewhere else in the workingset (depending on the selected /data mode)
  - Added more options for scanning non-executable pages (/data)
  - Added one more mode of IAT hooks scan (/iat), allowing to filter out hooks that lead to any system DLL
  - In hook resolving function: recognize and parse one more jump type
  - In shellcode detection: added one more pattern
- BUGFIX:
  - Fixed error in printing JSON reports of some of the scan types (missing headers)
- REFACT:
  - Refactoring and optimization of the function resolving hooks
  - Removed not needed flags for process reflection creation (optimization)
New in PE-sieve 0.2.9.8 (Jun 27, 2021)
- FEATURE:
  - Added a new pattern for detecting 64-bit shellcodes
  - Added return codes informing about the result of the run
  - Removed unused parameter: /mfilter
  - In JSON: added an indicator if the replaced module was linked to the PEB
- BUGFIX:
  - Fixed error in dumping some of the PEs (issue caused by the invalid ImageSize calculated: Issue #85)
New in PE-sieve 0.2.9.6 (May 9, 2021)
- FEATURE:
  - in JSON: report the size of the patch, status, as decimal (rather than hexadecimal)
- BUGFIX:
  - Fixed crash on processing a malformed export table (Issue #84)
New in PE-sieve 0.2.9.5 (May 1, 2021)
- FEATURE:
  - Improved parameters accessibility: grouped into more categories, sorted.
  - Display hints for misspelled parameters
  - Added parameter jlvl allowing to regulate the level of details included in the JSON report. Allows to list hooks/patches in the scan_report.
  - Improved hook parsing: identify hooks created by replacing the target of an existing JMP/CALL
- BUGFIX:
  - Improved reading remote memory (fixed a bug that was causing PE-sieve to get stuck in some cases of reading inaccessible memory)
  - Do not include initial protection in the check of memory access rights
New in PE-sieve 0.2.9 (Oct 16, 2020)
- FEATURE:
  - In DLL: use __cdecl calling convention (instead of __stdcall)
  - If scanning data is enabled (/data parameter), scan for hooks also in the sections that are marked as non-executable (if they contain code patterns)
  - Added a count of sections scanned for patches to the report
- BUGFIX:
  - Fixed a bug in detecting the section with the Entry Point (affecting unpacking of some packers, such as ASPack - Issue #73)
  - Fixed bug in libPEconv: do not treat empty relocation blocks as invalid
- REFACT:
  - Some internal cleanup and refactoring
New in PE-sieve 0.2.8.6 (Jul 28, 2020)
- Fixed error in scanning workingset of some applications (Issue #68).
New in PE-sieve 0.2.8.5 (Jul 21, 2020)
- BUGFIX:
  - Fixed broken detection of ASPack (Issue #66)
  - Fixed broken parsing of a hexadecimal PID (Issue #65)
  - Fixed errors on code scan (caused by invalid relocation table check)
  - Do not assume that section 0 is always executable
  - Fixed bug in scanning 64-bit modules by a 32-bit scanner
- FEATURE:
  - Added one more pattern to detect 64-bit code
- REFACT:
  - Refactored identifying executable sections
New in PE-sieve 0.2.8.3 (Jul 20, 2020)
- BUGFIX:
  - Fixed hanging during the IAT scan of some PEs
  - Fixed error in converting paths from the /Device/ format
  - Fixed not listing results of the mapping scan in the summary
- FEATURE:
  - added one more .NET policy (in /dnet parameter)
  - In the summary: changed detached to unreachable_file
New in PE-sieve 0.2.8 (Jul 16, 2020)
- FEATURE:
  - Detailed info about a single parameter can be requested by: /<parameter> ?
  - New modes in the /data parameter
  - New parameter /dnet allowing to enable treating .NET modules differently than native ones
  - Report about PE implants and shellcode implants separately
  - Added information in the report: process bitness, is process managed (vs native)
  - Minor changes in the API: PEsieve_version implemented as a constant
  - Allow for partial scanning of 64-bit processes by a 32-bit scanner
- BUGFIX:
  - If the parameter /refl is chosen, the process reflection is used for both scan and dump
  - Fixed switching back to the original console color after printing in color (improved look on PowerShell console)
  - Fixed recognizing if the PE in the memory is in raw or virtual mode (it was giving invalid results for some payloads)
  - Fixed broken parameter /mfilter
- REFACT:
  - Refactored parsing of the parameters
  - Internal refactoring and cleanup of the scanner
New in PE-sieve 0.2.7.1 (Jun 17, 2020)
- FEATURE:
  - Scan virtual caves
- BUGFIX:
  - Fixed /mignore option (filtering out selected modules from the scan)
  - Fixed wrong calculation of a patch size
New in PE-sieve 0.2.7 (Jun 15, 2020)
- FEATURE:
  - New parameter: /refl allowing to make a process reflection before scanning
  - Support scanning PEs with no sections (e.g. packed with Crinkler) (Issue #46)
  - Allow to build as a static library
  - Dump report about hooks even if dumping the modules failed
  - Show the time of scanning the workingset
- BUGFIX:
  - Fixed JSON in code scan report (in case of reporting errors)
  - Fixed problems with dumping PEs with bogus Image Size (prevent crashes, try to autodetect the correct size)
- REFACT:
  - Internal refactoring (e.g. in scanning workingset)
  - Set debug privilege unconditionally
New in PE-sieve 0.2.6.1 (May 18, 2020)
- BUGFIX:
  - Fixed crashes on printing JSON report (when run with /json parameter)
  - Fixed bug in copying input arguments
New in PE-sieve 0.2.6 (Apr 14, 2020)
- FEATURE:
  - New parameter: /iat allowing to scan for IAT Hooking (Issue #57)
  - Report about functions that could not be recovered (in case of import fixing)
- BUGFIX:
  - Silence out (more) logs in the quiet mode
  - Updated libPeConv with bugfixes
  - Do not start scanning if info requested (params: /version or /help)
  - Fixed JSON format in dump_report.json (removed redundant comma)
New in PE-sieve 0.2.5 (Mar 9, 2020)
- FEATURE:
  - Added dump reports (dump_report.json)
  - Renamed scan report (from report.json to scan_report.json)
  - Added parameter: /mignore <modules> - to exclude a defined list of modules from the scan
- BUGFIX:
  - Fixed bug in libPeConv causing incomplete import recovery
  - Added more patterns to recognize shellcodes
  - Fixed false positive in path comparison (expand relative paths before comparing)
  - Silence out logs in the quiet mode
New in PE-sieve 0.2.4 (Dec 30, 2019)
- FEATURE:
  - Detect Module Overloading (Issue #47)
  - Allow for supplying PID in a hexadecimal form (Issue #49)
  - In a report: present the allocation type in the form of a string (e.g. "MEM_IMAGE") instead of a number
- BUGFIX:
  - Added fixing Entry Points of .NET modules (Issue #48)
  - Fixed a bug causing false positives during patches detection (invalid identification of non-executable sections as executable)
  - Fixed a bug causing some of the detected modules not to be dumped (invalid offset calculation during dump: Issue #45)
  - Improved detection of PEs embedded in a shellcode (Issue #44)
  - More precise validation of found PE artefacts
New in PE-sieve 0.2.3 (Oct 19, 2019)
- FEATURE:
  - Create a MiniDump for a process detected as suspicious (option /minidmp) (Issue #43)
  - Support Linux-style parameter switch (e.g. -shellc as an equivalent of /shellc) (Issue #40)
- BUGFIX:
  - Restored broken backward compatibility with Windows XP (Issue #42)
New in PE-sieve 0.2.2 (Aug 16, 2019)
- FEATURE:
  - Report about PEs with modified headers separately (do not treat them as replaced). Show details about what part of the PE header was modified.
- BUGFIX:
  - Fixed: imports for remapped modules were not rebuilt.
  - Fixed: imports for 64-bit shellcodes were not recognized. (The shellcode bitness should be recognized before searching its imports.)
  - Improved accuracy of searching for the beginning of the implanted module
  - Fixed: invalid limits for workingset scan (causing the highest pages to remain unscanned)
  - Fixed: unnecessary changes in the alignments of the implanted PE (Issue #39)
New in PE-sieve 0.2.1 (Jun 17, 2019)
- BUGFIX:
  - Fixed a bug in libpeconv causing crashes during import recovery
  - Added missing boundary check during searching PE artefacts
  - Detect sections that are non-executable in the header, but set executable during execution (Issue #36)
  - Do not try to recover Import Table if the detected PE is in a raw format
- FEATURE:
  - Improved accuracy in rebuilding Import Table (split IAT series that cannot be covered as a whole)
  - Scan non-executable memory pages if DEP for the process is disabled. The feature is enabled by the parameter /data. (Issue #37)
New in PE-sieve 0.2 (Jun 16, 2019)
- FEATURE:
  - More flexibility in reconstruction of Import Table (added new options to the /imp parameter)
    - Including: reconstructing Import Table from scratch (Issue #34)
  - Import reconstruction can be applied on all the detected PEs (not only on the implanted ones)
  - Reconstructing partially overwritten section characteristics in the implanted PE
  - Dumping PE implants that could not be reconstructed with an extension .corrupt_dll/corrupt_exe
  - Added build date to the banner
- REFACTORING:
  - Refactored PE dumping and import recovery
New in PE-sieve 0.1.8 (May 24, 2019)
- FEATURE:
  - Path of each suspicious module added to the JSON report
- BUGFIX:
  - Fixed error in searching partially erased Import Table (#35)
  - Reduced false positives in searching patches (filtered out the patch at GuardCFCheckFunctionPointer: #27)
  - Fixed bug causing some of the implants not to be dumped (error in calculating size of the implanted PE)
New in PE-sieve 0.1.7 (Mar 15, 2019)
- FEATURE:
  - Search IAT and import table by artefacts (save RVAs in the Data Directory) (Issue #31)
  - Improved payload recovery: shift the headers of implanted payload if needed (Issue #32)
  - Improved payload recovery: improved validating and fixing corrupt PE header (Issue #33)
- BUGFIX:
  - Fixed crashing during scan of payloads with malformed headers (#29, #28)
  - Fixed reading memory areas with inaccessible pages in between
  - Validate every implanted payload before dump
  - End with an error only if scanning of modules and of workingset both failed (#30)
New in PE-sieve 0.1.4.3 (Nov 5, 2018)
- FEATURE:
  - Various modes of payload dumping (virtual, raw, remapped)
  - Automatic detection of the dump mode most suitable for the payload/packer type
- BUGFIX:
  - Fixed JSON report (sections number should be displayed as decimal)
  - Fixed not working output mode 'report only' - it was not creating the dump directory and not saving the reports
New in PE-sieve 0.1.4.3 (Sep 9, 2018)
- Fixed missing detection of some of the manually loaded implants
New in PE-sieve 0.1.4 (Aug 19, 2018)
- REFACTORING & OPTIMIZATION:
  - refactored workingset scan to improve performance
  - refactored code scan to improve accuracy of detecting hooks & patches
- FEATURE:
  - reconstructing payloads with partially corrupt headers
  - recognizing the payload's extension (dll or exe)
  - improved JSON formatting
  - scan all the sections that are executable in memory (even if they are not marked executable in headers) - improved detection and dumping of the packed sections
  - improved reporting of Process Doppelgänging
New in PE-sieve 0.1.2 (Jul 29, 2018)
- BUGFIX:
  - Fixed NT paths conversion
  - Improved imports recovering
- FEATURE:
  - Added info if the suspicious module is a .NET
  - Cleaned report (hidden unused fields)
New in PE-sieve 0.1 (May 7, 2018)
- BUGFIX:
  - fixed JSON report (unescaped backslashes - Issue #13)
  - fixed false positives in mapping scan (when the name of the mapped file does not match the image file)
  - fixed duplicated reporting (code section mistakenly detected as shellcode - Issue #12)
- FEATURE:
  - improved hook detection: parsing short jumps
New in PE-sieve 0.0.9.9.9 (Apr 13, 2018)
- BUGFIX:
  - Fixed bug in parsing paths in format \?[...]
- FEATURES:
  - More detailed detection of Process Doppelganging: checking if the mapped image matches the module image
  - More detailed info about hooks: reporting the name of the hooked function
  - Added shellcode detection and dumping (can be enabled by a parameter)
  - Added icon and changed theme
  - Added backward compatibility with older versions of Windows (including Windows XP 32-bit)
New in PE-sieve 0.0.9.9.8 (Mar 27, 2018)
- BUGFIX:
  - fixed application crashing on the attempt to recover imports of files with a corrupt import table
  - fixed inaccurate parsing of some of the hooks
  - fixed false positives on the scan of mapped memory regions
- OPTIMIZATION:
  - redesigned the workingset scan in order to boost performance and accuracy: now it works about 5-6 times faster than before
- FEATURE:
  - print the path of the main module in the scan report (JSON)
  - more accurate imports recovery, e.g. supported recovering imports also in the cases when the DLL name was completely erased
New in PE-sieve 0.0.9.9.7 (Mar 12, 2018)
- BUGFIX:
  - fixed false positives:
    - headers scan: filtered out .NET modules
    - working set scan: treat as suspicious only manually mapped modules that can be executed
- FEATURES:
  - improved precision of working set scan, including:
    - detection of implanted PE files not aligned to the beginning of the memory page
    - recognizing basic hooks and fetching their targets (information included in the .tag file)
New in PE-sieve 0.0.9.9 (Feb 26, 2018)
- BUGFIX:
  - Fixed memory leak
- FEATURES:
  - Extended and refactored scanning of the working set
  - Extended reporting (more details about suspicious indicators)
New in PE-sieve 0.0.9.7.5 (Feb 26, 2018)
- Scans modules within a given process against:
  - In-memory replacement (hollowing, doppelganging)
  - Code hooking/in-memory patching
- Very basic working set scan (checks -WX pages for manually mapped modules).
- Suspicious PE modules are dumped along with a JSON report about the indicators.