hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Broken XP compatibility #42

Open hasherezade opened 5 years ago

hasherezade commented 5 years ago

Since v0.2.1 PE-sieve no longer works on XP. The reason is that the function GetProcessDEPPolicy is not available on XP and should be retrieved dynamically. Since the unsupported function is in the Import Table of the application, it won't run on XP:

[screenshot: get_dep]
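The failure described above is a static one: the loader resolves every entry in the Import Table before the process starts, so a single import that the target OS does not export (GetProcessDEPPolicy here, later GetTickCount64 and Wow64GetThreadContext in the thread) prevents the binary from running at all, regardless of whether that code path is ever reached. The thread's remedy is to move such calls to runtime resolution; the complementary check is to inspect a release binary's import directory before shipping it. The script below is an added example, not code from pe-sieve or from this thread. It walks the import directory of a PE32/PE32+ file and flags imports from a hypothetical `MISSING_ON_XP` table that contains only the three function names mentioned in the thread; the `build_minimal_pe` helper constructs a tiny PE file in memory so the example runs offline without a real executable.

```python
import struct

# Constructed for this example: kernel32 exports the issue thread reports as absent on
# Windows XP. Keys are lower-cased DLL names.
MISSING_ON_XP = {"kernel32.dll": {"GetProcessDEPPolicy", "GetTickCount64", "Wow64GetThreadContext"}}


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Walk the import directory of a PE32/PE32+ file; returns {dll: [name or '#ordinal']}."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                     # optional header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ magic
    dir_off = 112 if is64 else 96                           # DataDirectory start
    imp_rva = struct.unpack_from("<I", data, opt + dir_off + 8)[0]  # entry 1 = imports
    if imp_rva == 0:
        return {}
    # Section table, needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%x not backed by any section" % rva)

    thunk_fmt, ord_flag = ("<Q", 1 << 63) if is64 else ("<I", 1 << 31)
    imports, desc = {}, rva_to_off(imp_rva)
    while True:
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and iat == 0:                      # all-zero descriptor ends the table
            break
        funcs, thunk = [], rva_to_off(ilt or iat)           # prefer the lookup table over the IAT
        while True:
            val = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if val == 0:
                break
            # Ordinal imports have the top bit set; otherwise val is the RVA of hint+name.
            funcs.append("#%d" % (val & 0xFFFF) if val & ord_flag
                         else _cstr(data, rva_to_off(val) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(data, rva_to_off(name_rva))] = funcs
        desc += 20
    return imports


def imports_missing_on_xp(imports):
    """(dll, function) pairs the XP loader could not resolve, so the process never starts."""
    return [(dll, f) for dll, funcs in imports.items()
            for f in funcs if f in MISSING_ON_XP.get(dll.lower(), ())]


def build_minimal_pe(imports):
    """Construct a tiny PE32 file whose one section holds only an import directory (sample input)."""
    sec_rva, sec_raw = 0x1000, 0x200
    dlls = list(imports.items())
    body = bytearray(20 * (len(dlls) + 1))                  # descriptor table + null terminator

    def append(blob, align=1):                              # returns the RVA of the appended blob
        body.extend(b"\0" * (-len(body) % align))
        body.extend(blob)
        return sec_rva + len(body) - len(blob)

    descriptors = []
    for dll, funcs in dlls:
        name_rvas = [append(struct.pack("<H", 0) + f.encode() + b"\0", 2) for f in funcs]
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        ilt, iat = append(thunks, 4), append(thunks, 4)     # identical on disk
        descriptors.append(struct.pack("<IIIII", ilt, 0, 0, append(dll.encode() + b"\0"), iat))
    body[:20 * len(dlls)] = b"".join(descriptors)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)        # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)           # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 20 * (len(dlls) + 1))  # import directory entry
    raw_size = -(-len(body) // 0x200) * 0x200
    section = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(body), sec_rva,
                          raw_size, sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(sec_raw, b"\0")
    return headers + bytes(body).ljust(raw_size, b"\0")


if __name__ == "__main__":
    sample = build_minimal_pe({"KERNEL32.dll": ["GetTickCount64", "GetModuleHandleA"],  # constructed
                               "USER32.dll": ["MessageBoxA"]})
    print(imports_missing_on_xp(parse_imports(sample)))   # [('KERNEL32.dll', 'GetTickCount64')]
```

Running `parse_imports` over a real build (`open("pe-sieve32.exe", "rb").read()`) lists exactly what the loader will try to resolve, which is what the screenshot above shows for GetProcessDEPPolicy; any name in the table of known-missing exports is a guaranteed start-up failure on that OS. The lookup table is the only part tied to XP: extend it with the exports absent from whichever OS you still support, and run the check in the release pipeline so a regression like the GetTickCount64 one is caught before a build ships.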

hasherezade commented 4 years ago

The patch fixed the problem.

Bixilon commented 1 year ago

It's broken because of GetTickCount64 again, can you fix this please (since 3.3)?

hasherezade commented 1 year ago

hi @Bixilon ! Thanks for reporting! I will check it and fix soon.

hasherezade commented 1 year ago

@Bixilon - please check out the new builds and let me know if everything is ok now

Bixilon commented 1 year ago

@hasherezade It is crashing because it can't find Wow64GetThreadContext

hasherezade commented 1 year ago

ok, thanks for the info. I will fix it soon. I currently don't have access to a machine with Windows XP, so I am not able to test it.

hasherezade commented 1 year ago

@Bixilon - BTW, Wow64GetThreadContext is only enabled in the 64-bit version. Did you try the 32-bit build? Does it work?

Bixilon commented 1 year ago

Yes, the 32-bit version seems to work! Thank you!

hasherezade commented 1 year ago

@Bixilon - please check the new release: https://github.com/hasherezade/pe-sieve/releases/tag/v0.3.6 - and let me know if everything is fine now. Now the 64-bit version should work as well.