& free software developer (PE-bear, PE-sieve, and many others)
• writer/solver of crackmes
• wrote some ransomware decryptors
• makes videos related to malware analysis
• wrote a chapter of a book about RE
HASHEREZADE.NET
tools for particular tasks (e.g. pe_unmapper, hook_finder)
• Around Christmas 2017 I combined them, creating the first version of PE-sieve: a dynamic unpacker and patch finder
(diagram: the combined components: Memory scanner, Hook_finder, Pe_unmapper)
• Can be used as a standalone application, or as a DLL
• Became a base for my other projects:
• Hollows Hunter (https://github.com/hasherezade/hollows_hunter)
• MalUnpack (https://github.com/hasherezade/mal_unpack)
time from manual sample unpacking:
• Almost all the dumped samples allow for malware family identification
• The majority of the dumped payloads are suitable for dynamic analysis of the next stage
• (a minority doesn't run properly and still needs manual unpacking)
(screenshot: ursnif)
speed and simplicity of use
• Passive scan, not hooking any APIs
• Can be used post-infection
• Generates material ready to be analyzed: not only detection, but precise details
• Free & open source: https://github.com/hasherezade/pe-sieve https://github.com/hasherezade/hollows_hunter
self-modifying PE files
• Replaced processes: e.g. Process Hollowing, Process Doppelgänging
• Manually loaded PE files (Reflective DLL Injection and others)
• Shellcodes
• It collects raw material and some indicators
• but does not do automated classification
• it is conceptually similar to GMER
• Not a tool for analyzing memory dumps or for post-mortem process analysis (try Volatility+plugins instead)
under their cover
• Examples of the techniques:
• Process Hollowing (RunPE)
• Manual PE loading (various variants, including Reflective DLL injection)
• Process Doppelgänging
• Combinations of multiple techniques (e.g. Transacted Hollowing)
researchers try to evade it by finding uncommon APIs that can be used to perform the injection. Some newer examples:
• AtomBombing technique
• Process Doppelgänging
some unknown API was used for injection?
• What if we want to scan a system post factum?
• How to detect an implant without knowing how it was injected?
Load the PE from the disk that corresponds to the module within the process
• Detect all the sections containing code
• Transform both sections into the same format (relocate to the same base, remove IAT, etc.)
• Compare
from the disk that corresponds to the module within the process
• Do their headers match?
• When does it work?
• For all the techniques that rely on connecting the implanted PE to the PEB
• Covers Process Hollowing, Process Doppelgänging...
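The normalize-then-compare step from the two slides above, as an added Python example (not PE-sieve's own code): the code section taken from the on-disk module is relocated to the base the module was actually loaded at, IAT slots are masked out, and the byte ranges that still differ are reported as candidate patches. The base addresses, the 15-byte "code section", its two relocation entries and the 5-byte JMP overwrite are all constructed sample values.

```python
import struct

# Constructed sample values (assumptions, not taken from the slides)
DISK_BASE = 0x00400000   # ImageBase from the on-disk PE headers
MEM_BASE = 0x00A10000    # base at which the loader actually mapped the module

def apply_relocs(section: bytes, relocs, delta: int) -> bytes:
    """Rebase every absolute 32-bit pointer at the given section offsets by delta
    (what the loader does via .reloc when the preferred ImageBase is not free)."""
    buf = bytearray(section)
    for off in relocs:
        (val,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)

def find_patches(disk_code, mem_code, relocs, disk_base, mem_base, iat_slots=()):
    """Bring the on-disk code section to the in-memory base, ignore IAT slots
    (filled in by the loader) and return (offset, length) ranges that still
    differ: candidate patches or inline hooks. Sections are assumed equal length."""
    normalized = apply_relocs(disk_code, relocs, mem_base - disk_base)
    ignored = {off for lo, hi in iat_slots for off in range(lo, hi)}
    patches, start = [], None
    for off, (a, b) in enumerate(zip(normalized, mem_code)):
        differs = a != b and off not in ignored
        if differs and start is None:
            start = off
        elif not differs and start is not None:
            patches.append((start, off - start))
            start = None
    if start is not None:
        patches.append((start, min(len(normalized), len(mem_code)) - start))
    return patches

# Constructed 32-bit code: push ebp; mov ebp,esp; call [IAT slot]; mov eax,ptr; ret
# The two absolute pointers sit at offsets 5 and 10, so those are the reloc entries.
DISK_CODE = (b"\x55\x8b\xec"
             + b"\xff\x15" + struct.pack("<I", DISK_BASE + 0x2000)
             + b"\xb8" + struct.pack("<I", DISK_BASE + 0x3000)
             + b"\xc3")
RELOCS = [5, 10]

def build_hooked_memory_image() -> bytes:
    """Simulate process memory: the loader rebased the section to MEM_BASE, then
    the function prologue was overwritten with a 5-byte JMP (an inline hook)."""
    mem = bytearray(apply_relocs(DISK_CODE, RELOCS, MEM_BASE - DISK_BASE))
    mem[0:5] = b"\xe9" + struct.pack("<i", 0x11223344)
    return bytes(mem)

if __name__ == "__main__":
    print(find_patches(DISK_CODE, build_hooked_memory_image(), RELOCS, DISK_BASE, MEM_BASE))
```

Running the comparison with an empty relocation list shows why the normalization matters: the rebased pointer bytes at offsets 7 and 12 would then be reported as patches alongside the real hook.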
executable memory pages that are not a part of any module
• Suspicious mapping type? Other indicators?
• Are they part of a PE file? Detection of PE headers / artefacts