PE-sieve is my open source tool based on libpeconv . The tool is dedicated to Windows, all versions are supported, starting from XP.

It scans a given process, searching for potentially malicious implants and patches within the process space. When found, it dumps the modified/suspicious PE along with a report in JSON format, detailing about the found indicators.

Currently it detects inline hooks, hollowed processes, Process Doppelgänging, injected PE files, and more. In case if the PE file was patched in the memory, it gives a detailed report about where are the changed bytes (and few other properties).

PE-sieve is available in 2 flavors – as standalone executable, and as a DLL. The DLL version is a base of my other project: HollowsHunter – that makes an automated scan of all the running processes. More about it in the further part of the post.

Complete documentation is available on project Wiki.

The tool is under rapid development, so expect frequent updates.