pe-sieve 0.3.4 API doesn't detect "Implanted" and "Implanted PE" + feature request.

[terrybr]

Hi,

I'm using pe-sieve's API (pe-sieve.lib). It doesn't detect "Implanted" and "Implanted PE" while if I run the standalone pe-sieve executable, it detects the implanted malware.

I also have a feature request. It would be very useful if the scan results can be accessed through the API. Right now, my solution is to get the generated JSON and parse it.

Thank you!
Terry

[hasherezade]

Hi @terrybr! thank you for the report!
Regarding 1):

It doesn't detect "Implanted" and "Implanted PE" while if I run the standalone pe-sieve executable, it detects the implanted malware.

This may be a bug, I will check it. Can you share more details about your usage, so that it will be easier for me to reproduce it?

Regarding 2):

It would be very useful if the scan results can be accessed through the API. Right now, my solution is to get the generated JSON and parse it.

I was planning to do it at some point, but I will give it a higher priority since you requested. Feel free to make a separate issue for this, so that it will be easier to keep track on the progress in the work on this feature. Would it be ok for you if the scan results will be available just as a buffer with JSON report (passed in memory instead of dropped on the disk)?

[terrybr]

HI @hasherezade ,

You're welcome!

This may be a bug, I will check it. Can you share more details about your usage, so that it will be easier for me to reproduce it?

Sure. Here's my code (it's used in a software that checks itself to see if it's infected):

I was planning to do it at some point, but I will give it a higher priority since you requested. Feel free to make a separate issue for this, so that it will be easier to keep track on the progress in the work on this feature. Would it be ok for you if the scan results will be available just as a buffer with JSON report (passed in memory instead of dropped on the disk)?

Thank you, that will be very useful. Yes, a buffer with the JSON report will work since I already implemented a JSON parser in my project. I will create a separate issue for this.

Thank you so much, and keep up the fantastic work!

Terry

[hasherezade]

@terrybr - ah, I see it checks itself! it explains a lot. then it is not a bug, but a feature - process cannot scan its own workingset - you can only do it for external processes.

BTW - I am happy that you enjoy using PE-sieve! I put a lot of heart in this tool, and always want to make it better.

[terrybr]

ah, I see it checks itself! it explains a lot. then it is not a bug, but a feature - process cannot scan its own workingset - you can only do it for external processes.

@hasherezade It was working with version 0.3.3, so I was wondering if this could be due to something that has changed between the two versions.

BTW - I am happy that you enjoy using PE-sieve! I put a lot of heart in this tool, and always want to make it better.

You should be very proud of your work. I wish there was a donation button somewhere :)

[hasherezade]

It was working with version 0.3.3, so I was wondering if this could be due to something that has changed between the two versions.

@terrybr - hmm, are you sure? can you doublecheck?
because in 0.3.3 there was no thread scan at all - it was added in 0.3.4.
the commit that filters out scanning threads for the own processes is this:
a833231

and regarding the workingset scan (the scan responsible for finding the implanted PEs or shellcodes) - those are the lines responsible for filtering out own process:

pe-sieve/scanners/scanner.cpp

Lines 214 to 217 in 5037239

	//dont't scan your own working set
	if (peconv::get_process_id(this->processHandle) != GetCurrentProcessId()) {
	regionsScanned = scanWorkingSet(*pReport);
	}

and they were present from a long time, including v0.3.3...

[terrybr]

@hasherezade You're absolutely right that it's not working on itself even with 0.3.3. I apologize, I was confused with the standalone version of pe-sieve and I was assuming it would work the same way with the API. Is there any solution you could suggest for being able to scan "itself"? Would running the scan in another thread work?

Thank you!
Terry

[hasherezade]

@terrybr - no worries, I am glad that we clarified it regarding the versions.

There is a reason why it is not allowed to scan its own workingset: because it would be like a recursion - in order to scan it's own workingset, it will have to read pages from its own working set into... its own workinset. So that could generate anomalies. I will think if there is some workaround that I can make for this problem.

For now, the recommended solution is to run the executable that you want to scan in a new process, and then just scan this separate process.

[terrybr]

HI @hasherezade,

I found an old screenshot when I was testing pe-sieve back in December 2021 (not sure which version I was checking, but it was probably v0.3.1). Back then, pe-sieve's API was showing that it was detecting the implanted pe as seen in this screenshot:

I'm not sure what changes since the version I used back then that would be causing pe-sieve to not detect the implanted pe anymore with the API.

Also, it seems that pe-sieve's API can't be run in a separate thread. I'm getting this error (let me know if this is a bug and I'll create a new issue for it):

dwFirstChance: 1
ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
ExceptionFlags: 00000000
ExceptionAddress: 300C4BAA
NumberParameters: 2
ExceptionInformation[00]: 00000000 Read
ExceptionInformation[01]: 2ED10000 Inaccessible Address
First chance exception on 300C4BAA (C0000005, EXCEPTION_ACCESS_VIOLATION)!

Thank you!
Terry

[hasherezade]

@terrybr - Can you explain me more what is your use-case that causes the need to scan your own process with PE-sieve?
I assume that first you manually loaded a PE into your process, and then run PE-sieve to scan it?
Would be great if you can share your complete code, it will help me testing it faster (you can send to my email: hasherezade-at-pm.me).
To be honest, I made it with a different usage scenario in mind - to make it scan external processes. That's why for the own process I enabled only minimal options.

When you are scanning your own process with a separate thread, it can be causing some race conditions. Here is it seems the address is inaccessible - so probably the other thread umapped the area before the reading from it completed:

ExceptionInformation[00]: 00000000 Read
ExceptionInformation[01]: 2ED10000 Inaccessible Address
First chance exception on 300C4BAA (C0000005, EXCEPTION_ACCESS_VIOLATION)!

Which options were enabled when it happened? Was you trying to scan threads (pp.theads = true)?
It is hard to mitigate some issues where the scanner and the scanned object are the same thing - they can be interfering with each other. When I will get some time, I will reproduce your scenario to test what exactly has happened.
But this is not a recommended scenario, and I am not sure if we can ever avoid all possible problems.

Regarding:

I found an old screenshot when I was testing pe-sieve back in December 2021 (not sure which version I was checking, but it was probably v0.3.1). Back then, pe-sieve's API was showing that it was detecting the implanted pe as seen in this screenshot

It is possible that it was enabled in the past, but at some point I disabled it because I noticed some problems. I will try to do some workarounds and see if it can be re-enabled in the future.

[hasherezade]

hi @terrybr ! sorry for the delay, I was pretty busy with other things.
I made some mild refactoring of workingset scanner, and tests to check how the scan of process own workingset & threads will behave. So far everything looks fine, so I re-enabled it.
Please have a look, and let me know if it works for you, and is useful in your project.
I will implement the other feature you requested soon.

[terrybr]

Hi @hasherezade,

No worries at all. Thank you so much for working on this. It's working perfectly in my project.

Thank you again!

Terry