3. Default features
Some features are available by default in every scan, and others can be enabled by adding an option on the command line.
In order to perform a basic scan with default settings, you just need to supply the PID of the target process:
```
pe-sieve.exe /pid <target_pid>
```
By default, PE-sieve is able to detect and dump:
- implanted PE files (manually loaded, not corresponding to any legitimate module)
- modules with modified/unmatching PE header (possibly hollowed/replaced)
- modules with patches and/or inline hooks installed
PE-sieve tries to dump PE files intelligently, so that they are valuable material for a malware analyst. By default, PE files are dumped in unmapped (raw) format, so that they can be easily loaded by other tools. Sometimes the original sample is damaged or distorted in some way, and more post-processing is required before it can be used for analysis. PE-sieve automatically detects such cases and responds to them by:
- reconstructing the damaged PE header
- choosing the dump mode that is the most suitable for a particular packer.
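To illustrate what the "unmapped (raw)" dump format means, here is an added example (not PE-sieve's own code) that takes a PE32 image laid out as it appears in process memory and rewrites each section from its VirtualAddress back to its PointerToRawData, producing the on-disk layout other tools expect. The sample image is a constructed toy PE built inline, and the converter assumes the PE header is intact (it does not attempt the header reconstruction described above).

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(pe):
    """Return (SizeOfHeaders, [section header tuples]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections at COFF+2, SizeOfOptionalHeader at COFF+16
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24                      # optional header start
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    first = opt + opt_size                   # first IMAGE_SECTION_HEADER
    hdrs = [struct.unpack_from(SECTION_HDR, pe, first + i * 40)
            for i in range(num_sections)]
    return size_of_headers, hdrs

def unmap_pe(mapped):
    """Convert a memory-mapped image to raw (on-disk) layout: headers stay in
    place, each section moves from VirtualAddress to PointerToRawData."""
    size_of_headers, hdrs = parse_sections(mapped)
    raw_len = max(h[4] + h[3] for h in hdrs)  # PointerToRawData + SizeOfRawData
    out = bytearray(raw_len)
    out[:size_of_headers] = mapped[:size_of_headers]
    for _name, _vsize, va, raw_size, raw_ptr, *_ in hdrs:
        chunk = mapped[va:va + raw_size]      # may be short if image is truncated
        out[raw_ptr:raw_ptr + len(chunk)] = chunk
    return bytes(out)

def build_mapped_sample():
    """Constructed toy PE32 (not a real binary): 0x200 bytes of headers,
    .text mapped at RVA 0x1000 and .data at RVA 0x2000, page-aligned."""
    secs = [(b".text", 0x80, 0x1000, 0x200, 0x200, b"\x90" * 0x80),
            (b".data", 0x40, 0x2000, 0x200, 0x400, b"DATA" * 0x10)]
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, len(secs), 0xE0)  # i386, sections, PE32 opt size
    struct.pack_into("<H", img, 0x98, 0x10B)                # Magic = PE32
    struct.pack_into("<I", img, 0x98 + 60, 0x200)           # SizeOfHeaders
    for i, (name, vsize, va, rsize, rptr, payload) in enumerate(secs):
        struct.pack_into(SECTION_HDR, img, 0x178 + i * 40, name, vsize, va,
                         rsize, rptr, 0, 0, 0, 0, 0x60000020)
        img[va:va + len(payload)] = payload                # place section in "memory"
    return bytes(img)
```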
More features can be enabled by selecting optional parameters. For example, import reconstruction is not done by default, but can be enabled with an additional parameter: /imp