Closed hasherezade closed 4 years ago
The added method of detection works, but gives false positives. Example:
[!] 4b70000: mapped filename: C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll; module_ name:
Must be improved/replaced.
Scan overloaded modules for hooks: https://github.com/hasherezade/pe-sieve/commit/d4651033049da3d091895bfed8a17ad2f6e586ea
Module Overloading is a new PE injection method that is currently not detected.
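To make the false positive in the comment above concrete, here is an added example (not pe-sieve's code) that parses report lines in the format quoted in the issue and applies two versions of the check. The rule itself is an assumption drawn from that output line: a file-backed image region is reported when its mapped filename has no matching module registered with the loader. The sample lines are constructed; the CLR assembly roots and the refined rule are illustrative, not what the project eventually shipped.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Report line format quoted in the issue:
#   [!] <base hex>: mapped filename: <path>; module_name: <path or empty>
# The pattern also accepts the "module_ name:" spelling seen in the quoted line.
LINE_RE = re.compile(
    r"^\[!\]\s*(?P<base>[0-9a-fA-F]+):\s*mapped filename:\s*(?P<mapped>[^;]*);"
    r"\s*module_?\s*name:\s*(?P<module>.*)$"
)


@dataclass
class Region:
    base: int
    mapped_filename: str
    module_name: Optional[str]  # None when the loader has no entry for this region


def parse_line(line: str) -> Region:
    """Turn one report line into a Region; raises on lines it does not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised report line: {line!r}")
    module = m.group("module").strip() or None
    return Region(int(m.group("base"), 16), m.group("mapped").strip(), module)


def naive_is_overloaded(r: Region) -> bool:
    """Rule as the quoted output suggests it (assumption): report a file-backed
    region whose mapped filename is not registered as a loader module, or whose
    registered name differs from the mapped file."""
    if r.module_name is None:
        return True
    return r.module_name.lower() != r.mapped_filename.lower()


# Directories under which the CLR maps managed assemblies itself, without
# registering them as loader modules. Assumption: this is why the mscorlib
# hit in the issue is a false positive.
CLR_ASSEMBLY_ROOTS = (
    "c:\\windows\\microsoft.net\\assembly\\",
    "c:\\windows\\assembly\\",
)


def refined_is_overloaded(r: Region) -> bool:
    """Narrowed rule: an unregistered mapping is expected only when it is a managed
    assembly under a CLR root; every name mismatch is still reported."""
    mapped = r.mapped_filename.lower()
    if r.module_name is None:
        return not mapped.startswith(CLR_ASSEMBLY_ROOTS)
    return r.module_name.lower() != mapped


def scan(lines: List[str], rule: Callable[[Region], bool] = refined_is_overloaded) -> List[int]:
    """Return the base addresses of the regions that the given rule reports."""
    return [r.base for r in map(parse_line, lines) if rule(r)]


# Constructed sample report lines (not real scan output). The first is the
# false positive from the issue; the second is a normally loaded module; the
# third is a file-backed image with no loader entry outside any CLR root.
SAMPLE_LINES = [
    r"[!] 4b70000: mapped filename: C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll; module_ name:",
    r"[!] 7ff8a0000: mapped filename: C:\Windows\System32\version.dll; module_name: C:\Windows\System32\version.dll",
    r"[!] 1c30000: mapped filename: C:\Windows\System32\shlwapi.dll; module_name:",
]

if __name__ == "__main__":
    print("naive rule reports:  ", [hex(b) for b in scan(SAMPLE_LINES, naive_is_overloaded)])
    print("refined rule reports:", [hex(b) for b in scan(SAMPLE_LINES)])
```

Run as a script, the naive rule reports both the mscorlib mapping and the unregistered shlwapi mapping, while the refined rule reports only the latter. The refinement encodes just the one false-positive case from the report: an exclusion keyed on the mapped path is a stopgap that leaves the underlying weakness in place, since the rule still never compares the bytes in memory with the file on disk, and the comment asks for the method to be improved or replaced rather than patched around.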