PE-sieve is a small tool for investigating inline hooks and other in-memory code patches, developed by hasherezade.

The tool, based on libpeconv (also developed by hasherezade), scans a given process and searching for the modules containing in-memory code modifications. When found, it dumps the modified PE.

Currently PE-sieve can detect inline hooks, hollowed processes and Process Doppelgänging.

Installation

In order to compile PE-Sieve (using CMake), you need to clone git repository of both PE-sieve and libpeconv:

git clone https://github.com/hasherezade/pe-sieve.git
cd pe-sieve
git clone https://github.com/hasherezade/libpeconv.git

However, the author has also released compiled versions of the tool:

Usage

When run without parameters, it displays info about the version and required arguments:

.______    _______           _______. __   ___________    ____  _______
|   _  \  |   ____|         /       ||  | |   ____\   \  /   / |   ____|
|  |_)  | |  |__    ______ |   (----`|  | |  |__   \   \/   /  |  |__
|   ___/  |   __|  |______| \   \    |  | |   __|   \      /   |   __|
|  |      |  |____      .----)   |   |  | |  |____   \    /    |  |____
| _|      |_______|     |_______/    |__| |_______|   \__/     |_______|

version: 0.0.8.3 (x86)

~ from hasherezade with love ~
Detects inline hooks and other in-memory PE modifications
---
Args: 
PID: (decimal) PID of the target application
---
Press any key to continue . . .

Below some videos of use-cases:

Detecting hollowed processes

https://www.youtube.com/watch?v=lqWJaaofNf4

Detecting Process Doppelgänging

https://www.youtube.com/watch?v=T9pWqYGHqLM


More information and downloads