// the find
hasherezade/pe-sieve
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
PE-sieve is a Windows process scanner that detects memory-resident malware by comparing what's loaded in process memory against what's on disk. It catches process hollowing, reflective DLL injection, inline hooks, and shellcode blobs — the kind of thing that slips past signature scanners because it never touches disk. The target audience is malware analysts and incident responders who need to triage a live system or unpack samples.
The scan-a-single-process design is the right call — it keeps the tool focused and makes the DLL API genuinely usable for embedding in other tools; HollowsHunter wraps it for full-system sweeps if you need that. The detection coverage is unusually broad for one tool: inline hooks, IAT hooks, PE header stomping, reflective injection, process doppelgänging, and raw shellcode regions are all handled separately with dedicated scanner modules. The Python bindings and documented C API mean you can wire it into a triage pipeline without shelling out to a subprocess. Active maintenance with commits as recent as June 2026 and a real release cadence means the detection logic actually keeps pace with modern packer tricks.
Windows-only, full stop — the entire codebase assumes Win32 process memory layout and NT internals, so there's no cross-platform path even for analysis workflows that run on Linux. Building it yourself requires pulling three submodules (libpeconv, paramkit, sig_finder) and the build docs are thin; the README just says 'use recursive clone' and points you at releases. The JSON output format has evolved across versions without a versioned schema, which means tooling built against older output can silently misparse newer reports. No built-in YARA integration — if you want to correlate dumped blobs against rule sets, that step is entirely on you.