Scan a suspicious running process for Process Hollowing or Reflective DLL Injection.
Dump hidden malicious code from an infected process to disk for offline analysis.
Use HollowsHunter to scan every running process on a system at once for tampering.
Embed PE-sieve as a library inside a larger security product via its API.
| hasherezade/pe-sieve | zylann/godot_voxel | overv/vulkantutorial | |
|---|---|---|---|
| Stars | 3,656 | 3,655 | 3,659 |
| Language | C++ | C++ | C++ |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 4/5 | 3/5 | 4/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Windows-only, prebuilt binaries available via GitHub releases, Chocolatey, or Scoop.
PE-sieve is a Windows security tool that scans a running process on your computer and looks for signs that it has been tampered with by malicious software. When malware infects a system it often does so by injecting hidden code into legitimate programs that are already running, or by swapping out part of a legitimate program's code in memory with its own. PE-sieve is designed to detect those modifications and extract the suspicious code so that a security researcher can examine it further. Specifically, the tool looks for several known attack techniques: Process Hollowing, where a legitimate program's code is replaced with malware, Reflective DLL Injection, where a malicious library loads itself into another process without going through normal Windows loading procedures, Process Doppelganging, a more advanced variation that abuses Windows file transaction features, and inline hooks, where short pieces of code are inserted into legitimate functions to redirect what they do. When PE-sieve finds any of these, it can dump the suspicious memory regions to disk as files for offline analysis. The tool is built to be lightweight and focused: it scans one process at a time. It can run as a standalone command-line program or be compiled as a library that other applications can call through a simple API, making it useful as an engine inside larger security products. Two companion tools extend what it can do: HollowsHunter wraps PE-sieve to scan all processes on a system at once, and MalUnpack uses it to unpack obfuscated malware samples. PE-sieve runs only on Windows and is written in C++. It is available as a prebuilt download from the releases page or through the Chocolatey and Scoop package managers. The project is open-source under the BSD 2-Clause license.
A Windows security tool that scans running processes for signs of malware injection and extracts the suspicious code for analysis.
Mainly C++. The stack also includes C++, Windows.
Open source under the BSD 2-Clause license, which allows free use, modification, and redistribution.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.