PE-sieve: An Open-Source Process Scanner for Hunting and Unpacking Malware presented at BlueHatIL 2019

by Hasherezade

Summary: Most malware performs code injection into other processes. Typical reasons for it are process impersonation, or hooking and intercepting API calls within the attacked applications. The common defense method, used by anti-malware products, is monitoring and blocking APIs known to be used for injection. This is a constant cat-and-mouse game, since malware authors and offensive researchers keep diversifying their methods to evade monitoring.

PE-sieve is an anti-malware tool that approaches the problem of detecting implants from a different side: it searches for suspicious artifacts in the process address space rather than detecting the event of injection. Thanks to this approach, it was able to detect a new method, Process Doppelgänging, immediately on the day of its release. PE-sieve is equally effective even if the malware was loaded into memory in a fileless way, because it focuses on the payload and not on the dropper that released it.

However, the biggest strength of this tool is not just detection, but the ability to collect and classify the injected artifacts, supplying useful material for malware analysts. It precisely reports the location and size of added hooks or patches, and in the case of implanted PE files it reconstructs and dumps the payloads. That is why it is also used for automated malware unpacking. Since PE-sieve scans memory, it can help to collect the material even if we can't locate on disk the sample that started the infection.

PE-sieve is open-source and actively maintained by a malware analyst, so its precision and abilities are tested and improved on a daily basis. It has a flexible design and has become a part of other community toolkits, such as the LOKI scanner and tknk_scanner.

The first part of this talk will be a walk-through of PE-sieve's features, illustrated by real-life examples. The second part will be a dive into the technical details behind the functionality.
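To illustrate the artifact-centric approach the abstract describes (reporting the location and size of hooks or patches found in a loaded module), here is an added example that is not PE-sieve's own code: it compares a module's code section as seen in memory against its clean on-disk copy, groups differing bytes into patches, and classifies a run that begins with a `JMP rel32` as an inline hook. The byte strings are constructed; a real scanner must first account for relocations and the import table, which legitimately change bytes after loading and are ignored here.

```python
# Added illustration of patch/hook detection by memory-vs-disk comparison
# (not PE-sieve's code). Assumes a relocation-free code section so every
# differing byte is a genuine modification.
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Patch:
    offset: int            # offset of the first modified byte (plus base)
    size: int              # number of modified bytes in this run
    kind: str              # "jmp-hook" if it starts with E9 rel32, else "patch"
    target: Optional[int]  # resolved detour destination for jmp-hooks

def find_patches(disk: bytes, mem: bytes, base: int = 0) -> List[Patch]:
    """Walk both images in lockstep and report each run of differing bytes."""
    if len(disk) != len(mem):
        raise ValueError("sections must be the same size")
    patches, i, n = [], 0, len(disk)
    while i < n:
        if disk[i] == mem[i]:
            i += 1
            continue
        start = i
        while i < n and disk[i] != mem[i]:
            i += 1
        kind, target = "patch", None
        # An inline hook overwrites the prologue with JMP rel32 (E9 xx xx xx xx).
        # Resolve where the detour goes: target = next_instruction + rel32.
        if mem[start] == 0xE9 and start + 5 <= n:
            rel = struct.unpack_from("<i", mem, start + 1)[0]
            kind, target = "jmp-hook", base + start + 5 + rel
            i = max(i, start + 5)  # the whole rel32 belongs to the hook
        patches.append(Patch(base + start, i - start, kind, target))
    return patches

# Constructed sample: a 32-byte "code section" with a standard prologue
# (mov edi,edi; push ebp; mov ebp,esp), NOPs, and a JE at offset 20.
CLEAN = (bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC]) + b"\x90" * 15
         + b"\x74\x05" + b"\x90" * 10)
HOOKED = bytearray(CLEAN)
HOOKED[0:5] = b"\xE9" + struct.pack("<i", 0x1000 - 5)  # detour to base+0x1000
HOOKED[20] = 0x75                                      # JE flipped to JNE
HOOKED = bytes(HOOKED)

if __name__ == "__main__":
    for p in find_patches(CLEAN, HOOKED, base=0x10000000):
        print(f"{p.kind:9} at {p.offset:#010x} size {p.size}"
              + (f" -> {p.target:#x}" if p.target is not None else ""))
```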