hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License
3.12k stars 434 forks source link

Whitelisting known hooks #4

Open hasherezade opened 6 years ago

hasherezade commented 6 years ago

Allow to exclude known hooks from the detection. Hooks should be defined in an external configuration file, easily readable and editable for humans.

asekhar commented 4 years ago

Can pe-sieve calculate hashes (sha256, imphash) and signatures for each of the detected modules so we can filter on them rather than just the name?

hasherezade commented 4 years ago

@asekhar - unfortunately, calculating hashes and signatures makes sense only when we compare files, and not in case of modules in memory. Once the module is relocated, its imports filled etc the original hash will change. So, hashes of modules in memory will be changing and we cannot rely on them. Few examples:

The only thing that hashing of loaded modules can do, is, to compare if the hashes of modules in a particular process has changed across different runs of PE-sieve. I believe Process Dump does it, but I don't see much benefit from implementing it in PE-sieve, as PE-sieve uses different approaches.

Jack-McDowell commented 4 years ago

Could you define a hash function for a native image in memory that only includes the headers and RX sections, treating any address specified by the relocation table as just 0?

Also - for DLL and static library versions, could this be exposed via an API so software using PE sieve can specify hooks without having to write information to a file