4. Additional features (options)

hasherezade edited this page Jul 6, 2024 · 30 revisions

Running PE-sieve without any parameters shows the main screen, which lists all the options. Running it with the parameter /help shows the details of each option:

```text
.______    _______           _______. __   ___________    ____  _______ 
|   _  \  |   ____|         /       ||  | |   ____\   \  /   / |   ____|
|  |_)  | |  |__    ______ |   (----`|  | |  |__   \   \/   /  |  |__   
|   ___/  |   __|  |______| \   \    |  | |   __|   \      /   |   __|  
|  |      |  |____      .----)   |   |  | |  |____   \    /    |  |____ 
| _|      |_______|     |_______/    |__| |_______|   \__/     |_______|
  _        _______       _______      __   _______     __       _______ 
________________________________________________________________________

Version:  0.3.9 (x64)
Built on: Feb 24 2024

~ from hasherezade with love ~
Scans a given process, recognizes and dumps a variety of in-memory implants:
replaced/injected PEs, shellcodes, inline hooks, patches etc.
URL: https://github.com/hasherezade/pe-sieve
---

Required:
/pid <integer: decimal, or hexadecimal with '0x' prefix>
	 : Set the PID of the target process.

Optional:

---1. scanner settings---
/quiet
	 : Print only the summary. Do not log on stdout during the scan.
/refl
	 : Make a process reflection before scan.

---2. scan exclusions---
/dnet <*dotnet_policy>
	 : Set the policy for scanning managed processes (.NET).
/mignore <list: separated by ';'>
	 : Do not scan module/s with given name/s.

---3. scan options---
/data <*data_scan_mode>
	 : Set if non-executable pages should be scanned.
/iat <*iat_scan_mode>
	 : Scan for IAT hooks.
/obfusc <*obfusc_mode>
	 : Detect encrypted content, and possible obfuscated shellcodes.
/pattern <string>
	 : Set additional shellcode patterns (file in the SIG format).
/shellc <*shellc_mode>
	 : Detect shellcode implants (by patterns or statistics). 
/threads
	 : Scan threads' callstack. Detect shellcodes, incl. 'sleeping beacons'.

---4. dump options---
/dmode <*dump_mode>
	 : Set in which mode the detected PE files should be dumped.
/imp <*imprec_mode>
	 : Set in which mode the ImportTable should be recovered
/minidmp
	 : Create a minidump of the full suspicious process.

---5. output options---
/dir <string>
	 : Set a root directory for the output (default: current directory).
/jlvl <*json_lvl>
	 : Level of details of the JSON report.
/json
	 : Print the JSON report as the summary.
/ofilter <*ofilter_id>
	 : Filter the dumped output.

Info:
/help
	 : Print complete help.
/help <string>
	 : Print help about a given keyword.
/<param> ?
	 : Print details of a given parameter.
/version
	 : Print version info.
---
```
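
The options listed above combine naturally into a scan-and-triage routine for a blue team: scan one PID with `/quiet /json`, skip known-good modules with `/mignore`, and reduce the JSON summary to a count worth alerting on. This is an added example, not code from PE-sieve or this wiki; it assumes the binary is named `pe-sieve64.exe` and is on PATH, and that the JSON summary carries a `scanned.modified.total` counter (the sample report below is constructed, not real output).

```python
import json
import shutil
import subprocess

PE_SIEVE_EXE = "pe-sieve64.exe"  # assumed: the 64-bit build, reachable via PATH


def build_args(pid, ignore_modules=(), scan_threads=False, out_dir=None):
    """Assemble the argument vector from the options documented above."""
    args = [PE_SIEVE_EXE, "/pid", str(pid), "/quiet", "/json"]
    if ignore_modules:
        args += ["/mignore", ";".join(ignore_modules)]  # list separated by ';'
    if scan_threads:
        args.append("/threads")  # callstack scan, incl. 'sleeping beacons'
    if out_dir:
        args += ["/dir", out_dir]  # root directory for dumps and reports
    return args


def summarize_report(json_text):
    """Reduce the JSON summary to what a triage queue needs.

    Assumed layout: {"pid": N, "scanned": {"modified": {"total": N, ...}}}
    Every non-zero counter under "modified" other than "total" is kept as a hit.
    """
    report = json.loads(json_text)
    modified = report.get("scanned", {}).get("modified", {})
    hits = {k: v for k, v in modified.items() if k != "total" and v}
    return {"pid": report.get("pid"),
            "modified": int(modified.get("total", 0)),
            "hits": hits}


def scan_process(pid, **kwargs):
    """Run the scan if PE-sieve is installed; returns None when it is not."""
    if shutil.which(PE_SIEVE_EXE) is None:
        return None
    proc = subprocess.run(build_args(pid, **kwargs), capture_output=True, text=True)
    return summarize_report(proc.stdout)  # /quiet /json leaves only the summary on stdout


# Constructed sample, not real PE-sieve output.
SAMPLE_REPORT = """{
  "pid": 4321,
  "scanned": {"total": 40, "skipped": 2,
    "modified": {"total": 2, "patched": 1, "iat_hooked": 0,
                 "replaced": 0, "implanted_pe": 0, "implanted_shc": 1}},
  "errors": 0
}"""

if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
```

A process whose summary reports `modified > 0` is a candidate for a follow-up run with `/dmode` and `/imp` to dump the implant with a rebuilt import table.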

Options are divided into several groups, including: