Open hasherezade opened 6 years ago
Can pe-sieve calculate hashes (sha256, imphash) and signatures for each of the detected modules so we can filter on them rather than just the name?
@asekhar - unfortunately, calculating hashes and signatures makes sense only when we compare files, and not in the case of modules in memory. Once the module is relocated, its imports filled, etc., the original hash will change. So, hashes of modules in memory will be changing and we cannot rely on them. A few examples:

- .data section can be filled with different data

The only thing that hashing of loaded modules can do is to compare whether the hashes of modules in a particular process have changed across different runs of PE-sieve. I believe Process Dump does it, but I don't see much benefit from implementing it in PE-sieve, as PE-sieve uses different approaches.
Could you define a hash function for a native image in memory that only includes the headers and RX sections, treating any address specified by the relocation table as just 0?
Also - for DLL and static library versions, could this be exposed via an API so software using PE sieve can specify hooks without having to write information to a file?
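The relocation-insensitive hash proposed above, worked through as an added example (this is not PE-sieve code, and the image it hashes is a constructed toy layout rather than a real PE): only the header region and sections marked readable+executable are hashed, and every pointer slot listed in the relocation table is zeroed first, so the same module mapped at two different bases yields the same digest while a modified code byte does not. It assumes the caller has already parsed the section table and `.reloc` entries into RVAs; header fields the loader itself rewrites (such as `ImageBase`) would need the same masking in a real implementation.

```python
import hashlib
import struct

# Section characteristics from the PE spec.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def relocation_invariant_hash(image, sections, relocs, ptr_size=8):
    """SHA-256 over headers + every R+X section, with relocation slots zeroed.
    image: mapped image bytes (RVA 0 at offset 0); sections: (rva, size, flags)
    from the section table; relocs: RVAs of pointer slots from .reloc."""
    regions = [(0, min(rva for rva, _, _ in sections))]   # headers up to 1st section
    regions += [(rva, size) for rva, size, flags in sections
                if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_READ]
    h = hashlib.sha256()
    for start, size in sorted(regions):
        buf = bytearray(image[start:start + size])
        for rva in relocs:
            if start <= rva < start + size:              # slot lies in this region
                buf[rva - start:rva - start + ptr_size] = bytes(ptr_size)
        h.update(buf)
    return h.hexdigest()


def build_sample_image(base, data_fill, modified=False):
    """Constructed toy image (not a real PE): fixed header bytes, a .text
    section with two absolute pointers a loader would relocate, and a .data
    section whose contents differ between runs."""
    image = bytearray(0x3000)
    image[0:0x400] = b"H" * 0x400
    code = bytearray(b"\x90" * 0x40)
    code[0x10:0x18] = struct.pack("<Q", base + 0x2000)   # pointer into .data
    code[0x28:0x30] = struct.pack("<Q", base + 0x1000)   # pointer into .text
    if modified:
        code[0] = 0xE9                                    # simulated in-memory code patch
    image[0x1000:0x1040] = code
    image[0x2000:0x2040] = bytes([data_fill]) * 0x40
    return bytes(image)


SECTIONS = [(0x1000, 0x40, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
            (0x2000, 0x40, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
RELOCS = [0x1010, 0x1028]   # RVAs of the two pointer slots


def demo():
    a = build_sample_image(0x140000000, 0x11)
    b = build_sample_image(0x7FF700000000, 0x22)          # rebased, different .data
    c = build_sample_image(0x140000000, 0x11, modified=True)
    ha, hb, hc = (relocation_invariant_hash(x, SECTIONS, RELOCS) for x in (a, b, c))
    raw_same = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
    return ha == hb, raw_same, ha == hc                    # (True, False, False)
```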
Allow to exclude known hooks from the detection. Hooks should be defined in an external configuration file, easily readable and editable for humans.