hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Process overwriting #103

Closed MariasStory closed 2 years ago

MariasStory commented 2 years ago

Dear @hasherezade, Thank you for the cool set of tools. Please check if the process overwriting can be detected: https://www.kitploit.com/2022/05/processoverwriting-yet-another-variant.html

hasherezade commented 2 years ago

Hi! Thank you for your interest in my tools! Yes, as I mentioned in the Process Overwriting readme, this method can be detected by PE-sieve:

  • Can be detected by comparing the module in memory with the corresponding file (PE-sieve detects it) - just like every variant of Process Hollowing

It is mentioned under "Cons" of this method.
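The check described in the reply above, comparing the module as mapped in memory with the file it was supposedly loaded from, as an added Python example that is not PE-sieve's own code. It constructs two minimal PE32 files, lays them out the way the Windows loader maps sections, and reports where an image that was overwritten with a different PE diverges from its on-disk file. The helper names (`build_pe`, `map_image`, `scan_module`), the code bytes and the single-section layout are assumptions made for illustration; on a live system the in-memory image would come from ReadProcessMemory and the file from the module's path.

```python
"""Diff a mapped PE image against its on-disk file (added example, not PE-sieve code)."""
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
HEADERS_SIZE = 0x200   # headers occupy the first file-aligned block (assumed layout)


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(code, entry_rva=0x1000, image_base=0x400000):
    """Build a minimal PE32 file image with one .text section (constructed test data)."""
    raw_size = _align(len(code), FILE_ALIGN)
    size_of_image = _align(SECT_ALIGN + len(code), SECT_ALIGN)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0,                  # PE32 magic, linker version
                      raw_size, 0, 0,                # SizeOfCode/InitializedData/UninitializedData
                      entry_rva, SECT_ALIGN, 0,      # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      image_base, SECT_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0,              # OS / image / subsystem versions
                      0, size_of_image, HEADERS_SIZE, 0,   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0,                          # Subsystem (console), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,  # stack/heap reserve and commit
                      0, 16)                         # LoaderFlags, NumberOfRvaAndSizes
    dirs = b"\0" * 128                               # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), SECT_ALIGN, raw_size,
                       HEADERS_SIZE, 0, 0, 0, 0, 0x60000020)   # CODE|EXECUTE|READ
    headers = (dos + b"PE\0\0" + coff + opt + dirs + sect).ljust(HEADERS_SIZE, b"\0")
    return headers + code.ljust(raw_size, b"\0")


def parse_pe(image):
    """Read the header fields and section table that the comparison needs."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", image, opt + 16)
    size_of_image, = struct.unpack_from("<I", image, opt + 56)
    size_of_headers, = struct.unpack_from("<I", image, opt + 60)
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rsize, rptr))
    return {"entry": entry, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def map_image(file_image):
    """Lay the file out as the loader would: headers at 0, each section at its RVA."""
    hdr = parse_pe(file_image)
    mem = bytearray(hdr["size_of_image"])
    mem[:hdr["size_of_headers"]] = file_image[:hdr["size_of_headers"]]
    for _name, _vsize, va, rsize, rptr in hdr["sections"]:
        mem[va:va + rsize] = file_image[rptr:rptr + rsize]
    return bytes(mem)


def scan_module(mem_image, file_image):
    """Return mismatch descriptions; an empty list means the module matches its file.

    Caveat: on a real process, relocation fixups and resolved imports legitimately
    change bytes in memory, so a production scanner masks those before diffing.
    """
    findings = []
    m, f = parse_pe(mem_image), parse_pe(file_image)
    for field in ("entry", "size_of_image"):
        if m[field] != f[field]:
            findings.append(f"{field}: memory={m[field]:#x} file={f[field]:#x}")
    if m["sections"] != f["sections"]:
        findings.append("section table differs")
    for name, _vsize, va, rsize, rptr in f["sections"]:
        disk, mem = file_image[rptr:rptr + rsize], mem_image[va:va + rsize]
        if disk != mem:
            ndiff = sum(a != b for a, b in zip(disk, mem)) + abs(len(disk) - len(mem))
            findings.append(f"{name}: {ndiff} byte(s) differ between memory and file")
    return findings


# Constructed sample code: a legitimate stub and a stand-in payload of different size.
LEGIT_CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 8
PAYLOAD_CODE = b"\xcc" * 40 + b"\x90\xc3"


def demo():
    """Clean module vs. one overwritten in place with a different PE at the same base."""
    on_disk = build_pe(LEGIT_CODE)
    clean = map_image(on_disk)
    overwritten = map_image(build_pe(PAYLOAD_CODE, entry_rva=0x1010))
    return scan_module(clean, on_disk), scan_module(overwritten, on_disk)


if __name__ == "__main__":
    for label, findings in zip(("clean", "overwritten"), demo()):
        print(label, findings or "matches file")
```

The overwritten image trips all three checks (entry point, section table, .text bytes) because Process Overwriting replaces the whole mapped image rather than patching a few bytes, which is why the readme lists the memory-vs-file comparison as the method's main weakness.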