hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

leak? #95

Closed core-c closed 2 years ago

core-c commented 2 years ago

Hi there, Ron here. How are you? Great work hasherezade.. girl power.

scan own working set

When your pe-sieve (static lib) is used to scan the process it is embedded in (current process), then there is that line in scanRemote() that excludes the own working set from being scanned. Can there be an easier way to also include the own working set in the scan? (than to comment out some code).

memory leak?

When a scan is done at regular intervals (some seconds), there is an increase in memory consumption. In collectExecutableSections(), iterating all the found sections, at some point a new PeSection class is instantiated: remoteSec = new PeSection. But there are cases where remoteSec is discarded (the for-loop continued, or sections[i] = remoteSec not executed). Also the check if (sec_count == 0) has the possibility to discard remoteSec. The allocated PeSection memory of the discarded remoteSec instances is never freed, I think.. If I free_unaligned(remoteSec->loadedSection) for any discarded remoteSec, the memory consumption is stable.

Documentation completeness

On the webpage How to add PE sieve to your Visual Studio project you could mention to also add other needed libs, like: Library Directories (to the directory where the libpeconv.lib is)

Thank you..
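The allocation pattern the report describes (an object created with `new` for every section inside a loop, but only kept when it passes checks) is reproduced below, together with the RAII form that frees the discarded instances. This is an added illustration, not code from pe-sieve; the names `Section`, `RawSection`, `collectSectionsLeaky` and `collectSectionsFixed` are hypothetical, and the sample section table is constructed.

```cpp
// Added example (not pe-sieve's own code): shows why an object allocated per
// loop iteration and kept only conditionally leaks when the branch that
// discards it never deletes it, and how unique_ptr ownership fixes that.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Instrumented counter of live Section objects, so a leak is observable.
static std::size_t g_liveSections = 0;

// Hypothetical stand-in for a per-section object (pe-sieve's PeSection).
struct Section {
    std::size_t rva;
    std::size_t size;
    bool executable;
    Section(std::size_t r, std::size_t s, bool x)
        : rva(r), size(s), executable(x) { ++g_liveSections; }
    ~Section() { --g_liveSections; }
};

// Constructed raw section-table entry: (rva, size, executable flag).
struct RawSection { std::size_t rva; std::size_t size; bool executable; };

// Leaky variant, mirroring the pattern in the report: when `continue` skips
// the push, the object allocated with `new` is never deleted.
std::size_t collectSectionsLeaky(const std::vector<RawSection>& raw) {
    std::vector<Section*> kept;
    for (const RawSection& rs : raw) {
        Section* sec = new Section(rs.rva, rs.size, rs.executable);
        if (!sec->executable || sec->size == 0) {
            continue; // leak: sec is lost here
        }
        kept.push_back(sec);
    }
    std::size_t count = kept.size();
    for (Section* s : kept) delete s; // only the kept ones are ever freed
    return count;
}

// Fixed variant: unique_ptr owns the object; a discarded one is destroyed when
// the pointer goes out of scope, and a kept one is moved into the vector.
std::size_t collectSectionsFixed(const std::vector<RawSection>& raw) {
    std::vector<std::unique_ptr<Section>> kept;
    for (const RawSection& rs : raw) {
        auto sec = std::make_unique<Section>(rs.rva, rs.size, rs.executable);
        if (!sec->executable || sec->size == 0) {
            continue; // sec is destroyed here, nothing leaks
        }
        kept.push_back(std::move(sec));
    }
    return kept.size(); // vector destructor frees the kept ones
}

std::size_t liveSections() { return g_liveSections; }

// Constructed sample: two sections pass the filter, two are discarded.
const std::vector<RawSection> kSample = {
    {0x1000, 0x2000, true},   // code section, kept
    {0x3000, 0x1000, false},  // data section, discarded
    {0x4000, 0x0,    true},   // empty executable section, discarded
    {0x5000, 0x500,  true},   // kept
};

int main() {
    std::size_t n = collectSectionsFixed(kSample);
    std::printf("fixed: kept %zu, live after call %zu\n", n, liveSections());
    n = collectSectionsLeaky(kSample);
    std::printf("leaky: kept %zu, live after call %zu\n", n, liveSections());
    return 0;
}
```

Running the fixed variant first leaves zero live objects; the leaky variant then leaves exactly as many live objects as sections were discarded, which is the growth a periodic scan would accumulate.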

hasherezade commented 2 years ago

hi! thank you very much for your remarks! I will investigate the possible leak, and fix it soon!

hasherezade commented 2 years ago

my last commit should fix the problem. please check it out and let me know.

core-c commented 2 years ago

Thanks,

Have you ever tried to use OpenMP for a project like pe-sieve? I bet you can speed up program-execution quite a bit.

I am helping out someone who wants to create an anticheat for a game. To help him, I needed to dive into this code. It was someone else who pointed me at your github. You have already coded much more than I did for our project. But the code I made so far works, and I had played some with OpenMP. With just a single line addition, in my MSVS project, I was able to scan the modules of a process on all the cores. That resulted in a big performance boost. If they want speed, it’s worth a try.

Greetings, Ron.

From: hasherezade Sent: Monday 20 December 2021 18:43 To: hasherezade/pe-sieve Cc: Ron Driessen; Author Subject: Re: [hasherezade/pe-sieve] leak? (Issue #95)


core-c commented 2 years ago

Quote: "Yep, and it works very well!"

That was quick! Cheers

Thanks again.

From: hasherezade Sent: Monday 20 December 2021 19:52 To: hasherezade/pe-sieve Cc: Ron Driessen; Author Subject: Re: [hasherezade/pe-sieve] leak? (Issue #95)


hasherezade commented 2 years ago

I am glad it is fixed now! Regarding the documentation - I added a separate section about adding PE-sieve static library to a Visual Studio project - in which case you need to add additional libraries. please check it out and let me know your thoughts!

core-c commented 2 years ago

Yes, it’s fixed. Woohoo. Your code is pretty organized, and there are just a few locations where memory is allocated, so it was easy to find the cause of the problem.. just a few clicks away. Also, your functions are all short, and that makes it much easier to read the code.

The documentation seems complete. This should now make things clear for any novice.

Thanks for your quick replies and actions. Where is the ‘donate’ button?

From: hasherezade Sent: Monday 20 December 2021 22:18 To: hasherezade/pe-sieve Cc: Ron Driessen; Author Subject: Re: [hasherezade/pe-sieve] leak? (Issue #95)


hasherezade commented 2 years ago

I appreciate your contribution! The release with the fix is out: https://github.com/hasherezade/pe-sieve/releases/tag/v0.3.2

hasherezade commented 2 years ago

Since the leak is resolved, I guess we can close this issue. Other ideas for improvements can be discussed here: https://github.com/hasherezade/pe-sieve/discussions - or in separate issues.