PE-sieve Cheat Sheet

Overview

PE-sieve is an open-source tool developed by hasherezade that scans running processes on Windows to detect and dump malicious code implants. It examines process memory to identify process hollowing, code injection (DLL injection, shellcode injection), module overwriting, and other in-memory threats by comparing loaded modules against their on-disk counterparts. PE-sieve can detect modifications to PE headers, code sections, import tables, and relocations that indicate tampering or replacement by malware.

The tool works by scanning a target process’s virtual memory, identifying loaded modules, and comparing them byte-by-byte against the original files on disk. Any discrepancies are flagged as potential implants and can be automatically dumped to disk for further analysis. PE-sieve supports scanning individual processes or all running processes (via HollowsHunter, its companion tool), making it valuable for incident response, malware analysis, and threat hunting. It detects a wide range of techniques including process doppelganging, transacted hollowing, module stomping, and reflective DLL loading.

Installation

Pre-built Binary

# Download latest release from GitHub
# https://github.com/hasherezade/pe-sieve/releases

# Extract and add to PATH
# pe-sieve is a single portable executable — no installation required

From Source (Visual Studio)

# Clone repository
git clone --recursive https://github.com/hasherezade/pe-sieve.git
cd pe-sieve

# Build with CMake
mkdir build
cd build
cmake .. -A x64
cmake --build . --config Release

# Or open pe-sieve.sln in Visual Studio and build

HollowsHunter (Multi-Process Scanner)

# Download HollowsHunter (uses PE-sieve as engine)
# https://github.com/hasherezade/hollows_hunter/releases

# HollowsHunter scans ALL running processes
hollows_hunter.exe

Core Commands

Command                             | Description
pe-sieve.exe /pid <PID>             | Scan a specific process
pe-sieve.exe /pid <PID> /imp        | Reconstruct import table
pe-sieve.exe /pid <PID> /hooks      | Detect inline hooks
pe-sieve.exe /pid <PID> /shellc     | Detect shellcode
pe-sieve.exe /pid <PID> /dump       | Dump detected implants
pe-sieve.exe /pid <PID> /dir <path> | Set output directory

# Basic process scan
pe-sieve.exe /pid 1234

# Scan with full output
pe-sieve.exe /pid 1234 /imp /hooks /shellc /dump

# Scan and dump to specific directory
pe-sieve.exe /pid 1234 /dir C:\output\dumps /dump

# Scan with JSON output
pe-sieve.exe /pid 1234 /json

# Scan specific module in process
pe-sieve.exe /pid 1234 /mname kernel32.dll

# Quiet mode (minimal output)
pe-sieve.exe /pid 1234 /quiet

# Set the .NET scanning policy (0: treat managed modules like native, 1: skip mapping
# mismatches, 2: skip hooks, 3: skip both, in .NET modules only)
pe-sieve.exe /pid 1234 /dotnet 1

Scan Options

# Detect all implant types
pe-sieve.exe /pid 1234 /imp /hooks /shellc /iat /data

# Import reconstruction modes
pe-sieve.exe /pid 1234 /imp 0  # Don't reconstruct imports
pe-sieve.exe /pid 1234 /imp 1  # Reconstruct imports (auto-detect)
pe-sieve.exe /pid 1234 /imp 2  # Reconstruct imports (use PE headers)
pe-sieve.exe /pid 1234 /imp 3  # Reconstruct imports (aggressive)

# Hook detection modes
pe-sieve.exe /pid 1234 /hooks 1  # Detect hooks in code sections
pe-sieve.exe /pid 1234 /hooks 2  # Detect hooks in all sections

# Shellcode detection
pe-sieve.exe /pid 1234 /shellc   # Detect shellcode in memory regions

# Scan data sections
pe-sieve.exe /pid 1234 /data 0   # Don't scan data sections
pe-sieve.exe /pid 1234 /data 1   # Scan for PE headers in data
pe-sieve.exe /pid 1234 /data 2   # Full data section scanning
pe-sieve.exe /pid 1234 /data 3   # Scan for any patterns in data

# Skip modules by name (list separated by ';') to cut scan time or known noise
pe-sieve.exe /pid 1234 /mignore "ntdll.dll;kernel32.dll"

Output Interpretation

Scan Results

PID: 1234
---
SUMMARY:
Total scanned:      45
Skipped:            2
-
Hooked:             1
Replaced:           1
Hdr Modified:       0
IAT Hooked:         0
Implanted (PE):     2
Implanted (Shc):    1
Unreachable:        0
Other:              0
-
Total suspicious:   5

Result Categories

Category        | Description
Hooked          | Functions with inline hooks (JMP/CALL patches)
Replaced        | Entire module replaced in memory (process hollowing)
Hdr Modified    | PE header modified but code intact
IAT Hooked      | Import Address Table entries redirected
Implanted (PE)  | New PE modules injected into process
Implanted (Shc) | Shellcode detected in memory regions
Unreachable     | Modules that couldn't be accessed for scanning
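
To turn the summary above into a bulk triage verdict, here is an added Python example (not code from PE-sieve or from this cheat sheet): it parses the text summary into counts and ranks the process using the category meanings from the table. The sample summary is constructed from the layout shown above, and the severity weights and the edr_hooks_expected policy are this example's own assumptions.

```python
import re
# Constructed sample in the layout of the "Scan Results" section above (not a real scan).
SAMPLE_SUMMARY = """\
PID: 1234
---
SUMMARY:
Total scanned:      45
Skipped:            2
-
Hooked:             1
Replaced:           1
Hdr Modified:       0
IAT Hooked:         0
Implanted (PE):     2
Implanted (Shc):    1
Unreachable:        0
Other:              0
-
Total suspicious:   5
"""
# Matches "Label:   N"; separator lines ('-', '---') and the bare "SUMMARY:" header do not.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?):\s*(\d+)\s*$")

# Weights follow the "Result Categories" table: replaced or implanted code is an
# implant, header/IAT tampering is strong evidence, a hook alone may be an AV/EDR.
HIGH = ("Replaced", "Implanted (PE)", "Implanted (Shc)")
MEDIUM = ("Hdr Modified", "IAT Hooked")

def parse_summary(text):
    """Return {label: count} for every 'Label: N' line of a PE-sieve summary."""
    return {m.group(1): int(m.group(2)) for m in map(LINE_RE.match, text.splitlines()) if m}

def triage(counts, edr_hooks_expected=False):
    """Rank a process clean/low/medium/high/incomplete and list the non-zero findings.
    edr_hooks_expected (assumed site policy) downgrades a Hooked-only result on hosts
    where a known AV/EDR product installs inline hooks (see Troubleshooting)."""
    reasons = [f"{c}={counts[c]}" for c in HIGH + MEDIUM + ("Hooked", "Unreachable")
               if counts.get(c, 0) > 0]
    if any(counts.get(c, 0) for c in HIGH):
        severity = "high"
    elif any(counts.get(c, 0) for c in MEDIUM):
        severity = "medium"
    elif counts.get("Hooked", 0):
        severity = "low" if edr_hooks_expected else "medium"
    elif counts.get("Unreachable", 0):  # partial scan: rescan as Administrator/SYSTEM
        severity = "incomplete"
    else:
        severity = "clean"
    return severity, reasons
```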

Dump Output Files

# Output directory structure
# <PID>/
#   scan_report.json          # Full JSON report
#   <module_base>.dll         # Dumped suspicious module
#   <module_base>.dll.tag     # Detection tags
#   <region_base>.shc         # Dumped shellcode
#   <region_base>.bin         # Raw memory dump

Configuration

JSON Report Analysis

# Parse scan report with PowerShell (-Raw hands ConvertFrom-Json one string, not one line at a time)
$report = Get-Content "1234\scan_report.json" -Raw | ConvertFrom-Json

# List all suspicious entries (status: -1 = scan error, 0 = clean, 1 = suspicious)
$report.scans | Where-Object { $_.status -eq 1 } | Select-Object module, status

# Get full details on the suspicious entries
$report.scans | Where-Object { $_.status -eq 1 } | Format-List

# Count entries by status
$report.scans | Group-Object status | Select-Object Count, Name

Automation Script

# Scan all running processes
foreach ($proc in Get-Process) {
    try {
        # /json prints the scan summary as JSON on stdout; /quiet suppresses the rest
        $result = & pe-sieve.exe /pid $proc.Id /json /quiet 2>$null
        if (-not $result) { continue }   # no output: process could not be opened
        # join the output lines first, ConvertFrom-Json expects a single string
        $json = ($result -join "`n") | ConvertFrom-Json
        # scanned.modified.total is the summary's count of suspicious modules
        $suspicious = $json.scanned.modified.total
        if ($suspicious -gt 0) {
            Write-Host "SUSPICIOUS: $($proc.Name) (PID: $($proc.Id)) - $suspicious findings"
        }
    } catch {
        # Skip inaccessible processes
    }
}

Advanced Usage

HollowsHunter (System-Wide Scanning)

# Scan all processes
hollows_hunter.exe

# Scan with specific options
hollows_hunter.exe /hooks /shellc /imp /dir C:\output

# Scan specific process name
hollows_hunter.exe /pname explorer.exe

# Scan with loop mode (continuous monitoring)
hollows_hunter.exe /loop /dir C:\monitoring

# Kill suspicious processes
hollows_hunter.exe /kill

# Suspend suspicious processes
hollows_hunter.exe /suspend

# JSON output for all processes
hollows_hunter.exe /json /dir C:\scans\output

Integration with YARA

# Dump suspicious modules, then scan with YARA
pe-sieve.exe /pid 1234 /dump /dir C:\dumps

# Scan dumped files with YARA
yara64.exe -r malware_rules.yar C:\dumps\1234\

Incident Response Workflow

# Step 1: Quick triage scan of all processes
hollows_hunter.exe /json /dir C:\IR\triage

# Step 2: Identify suspicious processes from report
Get-Content C:\IR\triage\summary.json | ConvertFrom-Json | 
  Where-Object { $_.total_suspicious -gt 0 }

# Step 3: Deep scan suspicious processes
pe-sieve.exe /pid <suspicious_pid> /imp 3 /hooks 2 /shellc /data 3 /dump /dir C:\IR\deep

# Step 4: Analyze dumped artifacts
# - Submit hashes to VirusTotal
# - Analyze with capa/FLOSS
# - Extract IOCs from strings

Memory Dump Analysis

# Dump all modules from a process
pe-sieve.exe /pid 1234 /dump /dir C:\analysis

# Reconstruct imports for static analysis
pe-sieve.exe /pid 1234 /imp 3 /dump /dir C:\analysis

# The reconstructed PE can be loaded in IDA Pro / Ghidra
# for static analysis with resolved imports

Troubleshooting

Issue                          | Solution
Access denied scanning process | Run PE-sieve as Administrator or SYSTEM
Process not found              | Verify PID exists with tasklist /fi "PID eq <pid>"
Cannot dump modules            | Ensure output directory exists and is writable
False positives on system DLLs | Some AV/EDR hooks are expected; filter known hooking products
Scan takes too long            | Use /quiet and skip data sections: /data 0
Corrupted dumps                | Try different import reconstruction modes: /imp 1, /imp 2, /imp 3
Missing dependencies           | Ensure Visual C++ Redistributable is installed
32/64-bit mismatch             | Use matching architecture: pe-sieve32 for 32-bit processes