hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

help #124

Open wzmooo opened 7 months ago

wzmooo commented 7 months ago

Can you provide library files for easy integration? Or could you provide a Visual Studio project for compilation? Thank you.

hasherezade commented 7 months ago

ok, I will add the library files to the release.

wzmooo commented 7 months ago

The 0.3.9 release has no pe-sieve32.lib or pe-sieve64.lib.

hasherezade commented 7 months ago

@wzmooo - check this out: pe-sieve_0.3.9_dll_lib.zip

Integration similar to here: https://github.com/hasherezade/pe-sieve/wiki/2.1.-How-to-add-PE-sieve-to-your-Visual-Studio-project (check the section "Adding PE-sieve: DLL version").

Demo:

#include <windows.h>
#include <iostream>

#include <pe_sieve_api.h>

int main()
{
    // Set up the scan parameters
    PEsieve_params pp = { 0 };
    pp.pid = GetCurrentProcessId();          // scan current process (use the target's PID in real use)
    pp.threads = true;                       // enable scanning of threads
    pp.shellcode = pesieve::SHELLC_PATTERNS; // detect shellcode by pattern matching
    pp.quiet = true;                         // no console output from the scanner itself

    // Request all report types in the JSON output
    const PEsieve_rtype rtype = pesieve::REPORT_ALL;

    // Prepare the buffer for the output JSON report
    const size_t buf_size = 0x1000;
    char json_buf[buf_size] = { 0 };
    size_t needed_size = 0;

    // Perform the scan; 'report' holds the summary counters and
    // needed_size receives the size the full JSON report requires
    PEsieve_report report = PESieve_scan_ex(pp, rtype, json_buf, buf_size, &needed_size);
    if (needed_size > buf_size) {
        // The supplied buffer was too small to fit in the whole JSON report:
        // allocate at least needed_size bytes and scan again to retrieve it
        std::cout << "Couldn't retrieve the full buffer. Needed size: " << std::hex << needed_size << std::endl;
    }

    // Print the obtained report (empty or incomplete if the buffer was too small):
    std::cout << json_buf << "\n";
    return 0;
}
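The demo above only reports when the fixed 0x1000-byte buffer is too small for the JSON report. The following is an added example (not code from the pe-sieve project or from the thread) of the retry pattern a caller would use around PESieve_scan_ex: call once, read the required size, grow the buffer to that size and call again, bounded by a small number of rounds because a rescanned process can change between calls. The scanner is passed in as a callable so the wrapper can be compiled and exercised without the DLL; `ScanFn`, `fetch_full_report` and `make_fake_scanner` are names chosen here, and the fake scanner's buffer contract (copy only when the NUL-terminated report fits, always report the required size) is an assumption modelled on the demo's `needed_size > buf_size` check.

```cpp
#include <cstddef>
#include <cstring>
#include <functional>
#include <string>
#include <vector>

// Callable with the same buffer contract as PESieve_scan_ex(pp, rtype, buf, size, &needed):
// the callee writes the JSON report into buf if it fits and stores the required size in *needed.
using ScanFn = std::function<void(char* buf, size_t buf_size, size_t* needed)>;

// Run the scan with a starting buffer; if the callee reports that more space is
// needed, grow the buffer to exactly that size and scan again. Returns the full
// JSON report, or an empty string if it still did not fit after max_rounds attempts.
std::string fetch_full_report(const ScanFn& scan, size_t initial_size = 0x1000, int max_rounds = 3)
{
    std::vector<char> buf(initial_size, 0);
    for (int round = 0; round < max_rounds; ++round) {
        size_t needed = 0;
        scan(buf.data(), buf.size(), &needed);
        if (needed <= buf.size()) {
            // The whole NUL-terminated report fit into the buffer
            return std::string(buf.data());
        }
        // Too small: resize to what the scanner asked for and try again
        // (the target may have changed in between, so the size can grow again)
        buf.assign(needed, 0);
    }
    return std::string();
}

// With the real DLL (Windows only) the callable wraps the API call, e.g.:
//   PEsieve_params pp = { 0 }; pp.pid = target_pid; pp.quiet = true;
//   ScanFn real = [&](char* b, size_t n, size_t* need) {
//       PESieve_scan_ex(pp, pesieve::REPORT_ALL, b, n, need);
//   };
//   std::string json = fetch_full_report(real);

// Constructed stand-in for PESieve_scan_ex used only to exercise the wrapper offline.
// Assumption: it copies the report only when the NUL-terminated text fits, and always
// stores the required size (length + terminator) in *needed.
ScanFn make_fake_scanner(const std::string& report)
{
    return [report](char* buf, size_t buf_size, size_t* needed) {
        const size_t required = report.size() + 1; // include the terminator
        if (needed) {
            *needed = required;
        }
        if (buf && buf_size >= required) {
            std::memcpy(buf, report.c_str(), required);
        } else if (buf && buf_size > 0) {
            buf[0] = '\0'; // too small: leave the buffer empty, like the demo's zeroed array
        }
    };
}
```

The round limit matters for a live target: each retry is a fresh scan, and a process whose implants or modules change between rounds can keep reporting a larger size, so a caller should treat an empty result as "could not obtain a consistent report" rather than as a clean scan.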