hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Failed to detect injection (OpenThread -> QueueUserAPC -> ResumeThread) by MSBuildAPICaller #50

Closed duzvik closed 1 year ago

duzvik commented 4 years ago

Hello, maybe I'm doing something wrong, but I'm sure pe-sieve can detect that standard injection by this tool - https://github.com/rvrsh3ll/MSBuildAPICaller

Here's a screenshot: [Screenshot 2020-01-27 at 23:45:15]

hasherezade commented 4 years ago

Thank you for reporting, I will check it!

hasherezade commented 4 years ago

What was the shellcode injected? PE-sieve detects the payload, not the method of injection (it does a passive scan and no API hooking). If the shellcode was small and obfuscated, it would possibly not detect it.
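To illustrate the passive-scan point made above, here is a small added example (written for this page, not pe-sieve's own code): it walks a constructed snapshot of a process's memory regions and flags executable non-image memory by what it contains, without knowing how it was injected. The signature table, the Region model and the sample regions are constructed for the demo; the one pattern in it is the well-known "cld; call block_api" prologue of Metasploit x86 stagers.

```python
import re
from dataclasses import dataclass

# Windows memory constants (values from the Win32 API docs).
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE* family
MEM_IMAGE = 0x1000000                         # region backed by a mapped module
MEM_PRIVATE = 0x20000                         # region allocated by VirtualAlloc(Ex)

# Constructed signature table: the "cld; call <block_api>" prologue
# (FC E8 xx 00 00 00 60 89 E5) that opens Metasploit x86 stagers such as reverse_tcp.
SIGNATURES = {
    "metasploit_x86_stager": re.compile(rb"\xfc\xe8.\x00\x00\x00\x60\x89\xe5", re.DOTALL),
}

@dataclass
class Region:
    base: int
    protect: int
    mem_type: int
    data: bytes

def scan_region(region: Region) -> list:
    """Passive check of one region: no hooks, no knowledge of how it got there."""
    findings = []
    if not (region.protect & EXECUTABLE_MASK) or region.mem_type == MEM_IMAGE:
        return findings   # non-executable, or backed by a legitimately mapped module
    if region.data[:2] == b"MZ":
        findings.append("implanted PE: MZ header in non-image executable memory")
    for name, pattern in SIGNATURES.items():
        if pattern.search(region.data):
            findings.append(f"shellcode signature: {name}")
    if not findings and region.protect == PAGE_EXECUTE_READWRITE:
        # Heuristic added here: a bare RWX private region is worth a look even
        # when no pattern matches (this is where a small obfuscated stub hides).
        findings.append("RWX private region with no known pattern (manual review)")
    return findings

def scan_process(regions) -> dict:
    """Return {base: findings} for every region that produced a finding."""
    return {r.base: f for r in regions if (f := scan_region(r))}

# Constructed snapshot: a mapped module, a meterpreter-style stub dropped into
# private memory, and a small opaque blob standing in for an obfuscated payload.
SAMPLE = [
    Region(0x400000, 0x20, MEM_IMAGE, b"MZ\x90\x00" + b"\x00" * 60),
    Region(0x1A0000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE,
           b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0" + b"\x90" * 20),
    Region(0x2B0000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, bytes(range(0x41, 0x55))),
]

if __name__ == "__main__":
    for base, findings in scan_process(SAMPLE).items():
        print(f"{base:#x}: {findings}")
```

The third region shows the limitation from the comment: with no recognisable bytes, all a passive scan can say is that an executable private region exists.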

duzvik commented 4 years ago

Shellcode was simple meterpreter reverse_tcp shell.

PE-sieve detects the payload, not the method of injection (it does a passive scan and no API hooking). If the shellcode was small and obfuscated, it would possibly not detect it.

Thanks, it makes sense.

hasherezade commented 4 years ago

@duzvik - please check if the recent commit solved the problem. You can get the latest builds from the build server: 64bit and 32bit

hasherezade commented 4 years ago

I think it should work fine in the latest release, but please check and let me know: https://github.com/hasherezade/pe-sieve/releases