hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Disk and memory PE headers comparison #119

Closed rabbitstack closed 1 year ago

rabbitstack commented 1 year ago

Discussed in https://github.com/hasherezade/pe-sieve/discussions/118

Originally posted by **rabbitstack** August 10, 2023

I apologize if this is a bit off-topic. I'm trying to port some of the pe-sieve implant detection techniques to [Fibratus](https://github.com/rabbitstack/fibratus). I'm already using a PE parser package that does all the heavy lifting of dissecting the PE structure from the on-disk image file. As usual, `ReadProcessMemory` is used to fetch the in-memory PE layout from the image base address. However, when it comes to comparing the PE headers, I'm hitting the wall. It turns out that only the first few fields of the DOS header are identical in both on-disk and memory PEs, while the rest of the headers differ. I know I'm missing something obvious. Could you please elaborate on how exactly pe-sieve "normalizes" the PE buffers to make header comparison possible? Thanks
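As an added illustration, not part of the thread and not pe-sieve's or Fibratus's code, of the layout difference that trips up a naive disk-vs-memory comparison: the on-disk file places each section at `PointerToRawData` (FileAlignment granularity), while the loader places it at `VirtualAddress` (SectionAlignment granularity), so only the header region (the first `SizeOfHeaders` bytes) sits at the same offsets in both. The script below builds a constructed, non-executable PE32+ in raw layout, maps it to the virtual layout the way the loader would (a stand-in for what `ReadProcessMemory` returns from the image base), compares the header region and every section at the correct offsets, and flags a simulated in-memory patch. All values are constructed sample data; this shows the general raw-to-virtual mapping, not pe-sieve's internal normalization.

```python
import struct

# Fixed offsets from the PE/COFF specification. The optional-header fields read
# below sit at the same offsets in PE32 (Magic 0x10B) and PE32+ (Magic 0x20B).
E_LFANEW_OFF = 0x3C
FILE_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_headers(buf):
    """Parse just the fields needed to map between raw (disk) and virtual (memory) layout."""
    if buf[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, E_LFANEW_OFF)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    fh = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", buf, fh + 2)
    opt_size, = struct.unpack_from("<H", buf, fh + 16)
    opt = fh + FILE_HEADER_SIZE
    section_alignment, file_alignment = struct.unpack_from("<II", buf, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sections = []
    base = opt + opt_size
    for i in range(num_sections):
        off = base + i * SECTION_HEADER_SIZE
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "section_alignment": section_alignment, "file_alignment": file_alignment,
            "sections": sections}


def raw_to_virtual(disk):
    """Lay a raw-format PE out as the loader maps it: headers at RVA 0, each
    section's raw bytes at its VirtualAddress, everything else zero-filled."""
    hdr = parse_headers(disk)
    image = bytearray(hdr["size_of_image"])
    image[:hdr["size_of_headers"]] = disk[:hdr["size_of_headers"]]
    for s in hdr["sections"]:
        n = min(s["raw_size"], hdr["size_of_image"] - s["vaddr"])
        image[s["vaddr"]:s["vaddr"] + n] = disk[s["raw_ptr"]:s["raw_ptr"] + n]
    return bytes(image)


def first_header_mismatch(disk, mem):
    """Byte-compare only the header region; return the first differing offset or -1."""
    n = parse_headers(disk)["size_of_headers"]
    return next((i for i in range(n) if disk[i] != mem[i]), -1)


def section_mismatches(disk, mem):
    """Compare each section's disk bytes (at PointerToRawData) with its memory
    bytes (at VirtualAddress); return {name: first differing RVA, or -1}."""
    hdr = parse_headers(disk)
    result = {}
    for s in hdr["sections"]:
        n = min(s["raw_size"], hdr["size_of_image"] - s["vaddr"])
        d = disk[s["raw_ptr"]:s["raw_ptr"] + n]
        m = mem[s["vaddr"]:s["vaddr"] + n]
        result[s["name"]] = next((s["vaddr"] + i for i in range(n) if d[i] != m[i]), -1)
    return result


def compare_disk_and_memory(disk, mem):
    """Summarize how the two buffers compare: naively, by header region, and per section."""
    return {"whole_image_equal": disk == mem[:len(disk)],
            "header_mismatch": first_header_mismatch(disk, mem),
            "section_mismatches": section_mismatches(disk, mem)}


def build_sample_pe():
    """Constructed minimal PE32+ in on-disk layout: one .text section (test data, not a real binary)."""
    section_alignment, file_alignment = 0x1000, 0x200
    dos = b"MZ" + bytes(E_LFANEW_OFF - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)  # AMD64, 1 section
    hdr_len = len(dos) + 4 + FILE_HEADER_SIZE + 240 + SECTION_HEADER_SIZE
    size_of_headers = align_up(hdr_len, file_alignment)                     # 0x200
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                   # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1000)                                 # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                            # ImageBase
    struct.pack_into("<II", opt, 32, section_alignment, file_alignment)
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                                      # Subsystem: console
    struct.pack_into("<I", opt, 108, 16)                                    # NumberOfRvaAndSizes
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_header + bytes(opt) + section).ljust(size_of_headers, b"\0")
    text = bytes(range(16)).ljust(0x200, b"\0")                             # constructed section content
    return headers + text


def demo():
    disk = build_sample_pe()
    mem = raw_to_virtual(disk)          # stand-in for a ReadProcessMemory read at the image base
    clean = compare_disk_and_memory(disk, mem)
    patched = bytearray(mem)
    patched[0x1000] ^= 0xFF             # simulate a one-byte in-memory patch of .text
    tampered = compare_disk_and_memory(disk, bytes(patched))
    return clean, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "patched"), demo()):
        print(label, report)
```

On the clean pair the naive whole-buffer comparison fails (disk offset 0x200 holds `.text`, memory offset 0x200 is header padding) while the header region and the relocated `.text` compare equal; on the patched pair the section comparison reports RVA 0x1000 as the first modified byte while the headers still match. Real images add relocation fixups, IAT resolution and loader-written header fields on top of this, which is why a production scanner normalizes both sides before diffing rather than comparing raw bytes.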
hasherezade commented 1 year ago

It's not really an issue with PE-sieve, just a topic for discussion, so let's continue this conversation in discussions.