Your download link is at the very bottom of the page... always.

Processed through Paypal
No account required.

Donate Bitcoin to this wallet:
Donate Ethereum to this wallet:
Donate Litecoin to this wallet:

Buying our over-priced stuff helps us keep things running. Peruse here.

Join our Facebook groupFollow us on TwitterFollow us on InstagramOur RSS Feed

 Home » Freeware Downloads » Anti-Virus, Anti-Malware, Security Utilities » Malware Diagnostic Tools » PE-sieve v0.1.6 64bit   
File - Download PE-sieve v0.1.6 64bit

Always scroll to the bottom of the page for the download link.
We don't believe in fake/misleading download buttons and tricks. The link is always in the same place.

PE-sieve v0.1.6 64bit

PE-sieve is a light-weitht tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. Recognizes and dumps variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches.
Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.


It has a simple, commandline interface. When run without parameters, it displays info about the version and required arguments:

When you run it giving a PID of the running process, it scans all the PE modules in its memory (the main executable, but also all the loaded DLLs). At the end, you can see the summary of how many anomalies have been detected of which type.

In case if some modified modules has been detected, they are dumped into a folder of a given process, for example:

JSON report specifies where the implants were found:

Detailed characteristics of the suspicious indicators are given in the JSON report, that is dumped into the same folder.

Short history & features from the author

Detecting inline hooks and patches

I started creating it for the purpose of searching and examining inline hooks. You can see its initial version here:

With time its precision and abilities significantly improved, and hooking detection is only one of many features of this tool.

In case if the code of the original executable was patched in memory, additionally to the main JSON report, PE-sieve generates a TAG file.

Its purpose is to describe at which offset a patch has been found, and of what type (either a patch, or a hook/redirection). We can easily see what function has been hooked and where the redirection leads to.

The file that was patched is also dumped on the disk, so that we can examine it more closely under a dissembler. The TAG file can be loaded i.e. into PE-bear. Thanks to this, we can easily browse the found hooks and check the code that was overwritten.

For example – in the application presented above, two functions within User32.dll have been hooked and their execution was redirected to the main module, loaded at 0x400000.

The same TAG file can be also loaded into IDA, with the help of the IFL plugin.



Sample use-case: PE-sieve helping to examine hooks installed by PBot adware.

Detecting hollowed processes

Later, I extended it to detect process hollowing etc – and it turned out to be pretty convenient unpacker:

Detecting Process Doppelgänging

In a similar manner, it can detects some other methods of impersonating a processes, for example Process Doppelgänging. The malicious payload is directly dumped and ready to be analyzed:

Manually loaded implants

PE-sieve scan is not limited to typically loaded modules. Full workingset of the process is scanned against the suspicious artefacts. Thanks to this, also PE files that are manually loaded are detected. Example: Kronos.

Some real-life example: Gand Crab’s manually loaded DLL was easily dumped with PE-sieve.

Recovering erased imports

PE-sieve has an ability to recover erased imports. In order to enable it, deploy it with an option /imp . Example – unpacking manually loaded payloads with imports erased (Emotet):

Recovering erased PE headers

Sometimes malware authors erase PE headers to evade tools that base their detection on the known patterns. PE-sieve still can detect the cases when the header was partially erased and reconstruct it:

Future development

The project is still not finished and I have many ideas how to make it better. I am planning to detect not only code modifications, but also other types of hooking, such as IAT and EAT patching.

Some in-memory patches are done by legitimate applications, so, in the future version I will provide capability of whitelisting defined patches.

I am also planning to extend its dumping capabilities against the malicious processes that are trying to defend themselves against dumpers etc.


Identify the hook target: report what is the module where the hook leads to (#23)
Add a possibility to set the root directory of the dumps (option /dir)
Sections that are fully unpacked in memory are reported differently than patched (#22)
Inform if invalid parameter was supplied


fixed crashing on some malformed samples (#21, #24)
fixed inaccuracies in import recovery
fixed an error in detection of PE artefacts (#25)
fixed information displayed when the access to a process was denied (more relevant information)

Click here to visit the author's website.

Continue below to download this file.

Downloads Views Developer Last Update Version Size Type Rank
2,512 3,788 Hasherezade <img src=""border="0"> Nov 13, 2019 - 20:29 0.1.6 299.6KB ZIP 5/5, out of 16 Votes.
File Tags
v0.1.6  PE-sieve  64bit  
Whoa! Slow down there, Speedy.
Read this and then continue to the download.

Like seeing no ads? No misleading/fake download buttons?
We like it too! This site has been kept alive for 14 years
because of people just like you who download and donate.
No one is stopping you from downloading without donating
but the site runs on the "Honor System". If your momma
raised you to be honorable, make a donation and download
'til ya turn blue. Make your momma proud!

Thank you! -Randy & Deanna (The Older Geeks)

Monthly operating costs = $610
Donations for November = $1,975
Donations over our monthly goal
are set aside for future upgrades and
handed-over to Deanna for new shoes.

Processed securely through Paypal.
No PayPal account required.
Your bank statement will read: "Home Computer Repair LLC".
This is our computer store.


Just send a check to our computer store payable to Home Computer Repair LLC.
Our address: Home Computer Repair LLC, 208 E. Water St. Mount Vernon, MO 65712

Recent Super Donors ($50+)
Thanks, Warren
Thanks, Warren
Thanks, James
Thanks, Ron

Recent Donors
Thanks, Kanna Tech
Thanks, John
Thanks, Potter
Thanks, Carol
Thanks, Steven
Thanks, Graham
Thanks, Larry
Thanks, William
Thanks, Robert
Thanks, Lynn

   →→ Download Now ←← - Click to Rate File -
Like this download? Share it on Twitter →

Copyright (c) 2021