hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Provide backward compatibility with Windows XP #11

Closed hasherezade closed 6 years ago

hasherezade commented 6 years ago

This feature was requested by a user working in incident response. In some places of the world people still use Windows XP, so the PE-sieve should be able to scan their systems for anomalies as a part of collecting the material from the incident.

hasherezade commented 6 years ago

It will require refactoring the code and eliminating a function: EnumProcessModulesEx (in https://github.com/hasherezade/pe-sieve/blob/master/utils/modules_enum.cpp) that is not supported by Windows XP. A possible substitute is CreateToolhelp32Snapshot -> Module32First -> Module32Next. However, this solution was used before (https://github.com/hasherezade/pe-sieve/commit/19b54d5bf438187a2c0322a85ff3a021e8de6364). It was abandoned due to its problems with processing some of the entries with manipulated module names. The failing test case was a mutation of Process Chameleon (https://github.com/hasherezade/process_chameleon) with a corrupt entry set as the module name. More tests are required for a deeper understanding of the original problem and for finding the eventual workaround.
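The Toolhelp32 path the comment above proposes (CreateToolhelp32Snapshot -> Module32First -> Module32Next) is shown below as an added example; it is not pe-sieve's code and not the workaround the issue leaves open. It treats the szModule/szExePath fields of each MODULEENTRY32 record as untrusted input, which is one way a scanner can keep working when a module entry carries a manipulated name: the name is copied with a hard length bound, control characters are stripped and the entry is flagged, while the module is still identified by its base address and size. The helper names (`sanitizeName`, `makeRecord`, `snapshotModules`, `countSuspicious`), the validation rules, and the bounded retry on ERROR_BAD_LENGTH (a documented behaviour of CreateToolhelp32Snapshot) are this example's own assumptions. The snapshot walk compiles only on Windows; the record handling is portable and is exercised with constructed sample records elsewhere.

```cpp
// Added example (not pe-sieve code): walk a Toolhelp32 module snapshot while
// treating module-name fields as untrusted. Snapshot walk is Windows-only.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <type_traits>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

// Portable view of the MODULEENTRY32 fields a scanner cares about.
// The module is keyed by base/size, never by the reported name.
struct ModuleRecord {
    uint64_t base;        // modBaseAddr
    uint32_t size;        // modBaseSize
    std::string name;     // szModule after sanitizing
    std::string path;     // szExePath after sanitizing
    bool nameSuspicious;  // szModule failed validation
    bool pathSuspicious;  // szExePath failed validation
};

// Copy at most maxLen characters from a fixed-size, possibly unterminated
// field, stopping at the first NUL. Flags the field if it is empty, has no
// terminator within maxLen, or contains control characters (which a manipulated
// entry could carry); non-ASCII characters are kept as '?' for display only.
// These rules are an assumption of this example, not pe-sieve's.
template <typename CharT>
static std::string sanitizeName(const CharT* buf, size_t maxLen, bool& suspicious) {
    suspicious = false;
    std::string out;
    size_t i = 0;
    for (; i < maxLen && buf[i] != 0; ++i) {
        auto c = static_cast<typename std::make_unsigned<CharT>::type>(buf[i]);
        if (c < 0x20 || c == 0x7f) { suspicious = true; continue; }  // drop control bytes
        out.push_back(c > 0x7e ? '?' : static_cast<char>(c));
    }
    if (i == maxLen) suspicious = true;  // ran off the field without a NUL
    if (out.empty()) suspicious = true;
    return out;
}

// Build one record from raw field buffers and their fixed field widths.
template <typename CharT>
static ModuleRecord makeRecord(uint64_t base, uint32_t size,
                               const CharT* nameBuf, size_t nameLen,
                               const CharT* pathBuf, size_t pathLen) {
    ModuleRecord r;
    r.base = base;
    r.size = size;
    r.name = sanitizeName(nameBuf, nameLen, r.nameSuspicious);
    r.path = sanitizeName(pathBuf, pathLen, r.pathSuspicious);
    return r;
}

// Number of entries whose name or path failed validation: a cheap signal that
// the module list itself has been tampered with.
static size_t countSuspicious(const std::vector<ModuleRecord>& mods) {
    size_t n = 0;
    for (const auto& m : mods) if (m.nameSuspicious || m.pathSuspicious) ++n;
    return n;
}

#ifdef _WIN32
// The XP-compatible enumeration: snapshot -> Module32First -> Module32Next.
static std::vector<ModuleRecord> snapshotModules(DWORD pid) {
    std::vector<ModuleRecord> out;
    HANDLE snap = INVALID_HANDLE_VALUE;
    // Documented caveat: the call can fail with ERROR_BAD_LENGTH while the
    // target is still loading; retry a bounded number of times.
    for (int attempt = 0; attempt < 5 && snap == INVALID_HANDLE_VALUE; ++attempt) {
        snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
        if (snap == INVALID_HANDLE_VALUE && GetLastError() != ERROR_BAD_LENGTH) break;
    }
    if (snap == INVALID_HANDLE_VALUE) return out;
    MODULEENTRY32W me;
    me.dwSize = sizeof(me);
    if (Module32FirstW(snap, &me)) {
        do {
            out.push_back(makeRecord(static_cast<uint64_t>(reinterpret_cast<uintptr_t>(me.modBaseAddr)),
                                     me.modBaseSize,
                                     me.szModule, MAX_MODULE_NAME32 + 1,
                                     me.szExePath, MAX_PATH));
        } while (Module32NextW(snap, &me));
    }
    CloseHandle(snap);
    return out;
}
#endif

int main() {
#ifdef _WIN32
    std::vector<ModuleRecord> mods = snapshotModules(GetCurrentProcessId());
#else
    // Off Windows: constructed sample records, one with a truncated, unterminated name.
    std::vector<ModuleRecord> mods = {
        makeRecord(0x7ff00000ULL, 0x1000u, "kernel32.dll", 256, "C:\\Windows\\System32\\kernel32.dll", 260),
        makeRecord(0x400000ULL, 0x2000u, "corrupt", 4, "", 260),
    };
#endif
    for (const auto& m : mods)
        std::printf("%016llx %08x %s%s\n", static_cast<unsigned long long>(m.base), m.size,
                    m.name.c_str(), (m.nameSuspicious || m.pathSuspicious) ? "  [suspicious entry]" : "");
    std::printf("suspicious entries: %zu\n", countSuspicious(mods));
    return 0;
}
```

Keying the scan by base address and size means a manipulated szModule only produces a flag on that entry; it no longer decides which module the scanner reads or compares, which is the property the earlier Toolhelp attempt in the linked commit lacked when it hit the mutated Process Chameleon sample.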