finds.dev← search

// the find

hasherezade/pe-sieve

★ 3,796 · C++ · BSD-2-Clause · updated Jun 2026

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

PE-sieve is a Windows process scanner that detects memory-resident malware by comparing what's loaded in process memory against what's on disk. It catches process hollowing, reflective DLL injection, inline hooks, and shellcode blobs — the kind of thing that slips past signature scanners because it never touches disk. The target audience is malware analysts and incident responders who need to triage a live system or unpack samples.

The scan-a-single-process design is the right call — it keeps the tool focused and makes the DLL API genuinely usable for embedding in other tools; HollowsHunter wraps it for full-system sweeps if you need that. The detection coverage is unusually broad for one tool: inline hooks, IAT hooks, PE header stomping, reflective injection, process doppelgänging, and raw shellcode regions are all handled separately with dedicated scanner modules. The Python bindings and documented C API mean you can wire it into a triage pipeline without shelling out to a subprocess. Active maintenance with commits as recent as June 2026 and a real release cadence means the detection logic actually keeps pace with modern packer tricks.

Windows-only, full stop — the entire codebase assumes Win32 process memory layout and NT internals, so there's no cross-platform path even for analysis workflows that run on Linux. Building it yourself requires pulling three submodules (libpeconv, paramkit, sig_finder) and the build docs are thin; the README just says 'use recursive clone' and points you at releases. The JSON output format has evolved across versions without a versioned schema, which means tooling built against older output can silently misparse newer reports. No built-in YARA integration — if you want to correlate dumped blobs against rule sets, that step is entirely on you.

View on GitHub → Homepage ↗

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →