hasherezade
I make checks for the cases which are **the most** casual. So, it is gonna be a common error to supply a bad path to the PE file - that's...
hmm, I will think how to rephrase it to make it less misleading. this is quite nuanced - macros are still a representation of some block of instructions in *pure assembly*,...
I redid the slides about PE, and included information about caves there: https://github.com/hasherezade/malware_training_vol1/blob/main/slides/module1/Module1_2_pe.pdf - please let me know if it clarifies this concept.
I wanted to show the most typical scenario for the simplicity, but ok, I will add the info about TLS callbacks here.
> AFAIU WoW64 is an emulator not a subsystem.
>
> Microsoft itself defines WoW64 as an emulator:
> https://docs.microsoft.com/en-us/windows/win32/winprog64/wow64-implementation-details

Yes, and this emulator is also known as **subsystem**....
Hi! Thanks for your interest in my tools :) The scenario that you described is covered in the FAQ: https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ#pe-sieve-gives-me-a-lot-of-false-positives-why - I hope it answers your question!
@VirtualAlllocEx - I added FAQ to the readme, I hope it will make all this information easier to find
Hi! sure, I will add it soon!
@terrybr I added a new API function: [PESieve_scan_ex](https://hasherezade.github.io/pe-sieve/pe__sieve__api_8h.html#a8e7c91bed131f09cd092769786290707) - please check it out and let me know if this is what you expected. For now it is just the scan...
Thank you for reporting, I will check it!