
Failed to detect injection(OpenThread-> QueueUserAPC-> ResumeThread) by MSBuildAPICaller

Open duzvik opened this issue 5 years ago • 5 comments

Hello, maybe I'm doing something wrong, but I'm sure pe-sieve can detect that standard injection by this tool - https://github.com/rvrsh3ll/MSBuildAPICaller

Here's a screenshot: Screenshot 2020-01-27 at 23:45:15

duzvik avatar Jan 27 '20 21:01 duzvik

Thank you for reporting, I will check it!

hasherezade avatar Jan 27 '20 22:01 hasherezade

What was the shellcode injected? PE-sieve detects the payload, not the method of injection (it does a passive scan and no API hooking). If the shellcode was small and obfuscated, it would possibly not detect it.

hasherezade avatar Jan 27 '20 22:01 hasherezade
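To make the point in the comment above concrete, here is an added illustration (not pe-sieve's code, and not from anyone in this thread) of why a passive memory scan sees the payload rather than the injection method. It snapshots a constructed memory region, looks for a fixed byte signature, and shows that the same bytes XOR-encoded by a crypter slip past that check. The signature used is the well-known prologue of Metasploit's x64 Windows stagers; treating it as the only signature is a simplification for the example, and the region, offsets and key are constructed values.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Constructed sample signature: the prologue of Metasploit's x64 Windows
// stagers (cld; and rsp,-0x10; call <block_api>). A single pattern is used
// here for illustration only; real scanners carry many more.
static const std::vector<uint8_t> kMsfX64Prologue = {
    0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00};

// Passive scan: search a snapshot of a memory region for a byte pattern.
// Returns the offset of the first match, or -1 if nothing matches.
long scanForPattern(const std::vector<uint8_t>& region,
                    const std::vector<uint8_t>& pattern) {
    if (pattern.empty() || region.size() < pattern.size()) return -1;
    auto it = std::search(region.begin(), region.end(),
                          pattern.begin(), pattern.end());
    if (it == region.end()) return -1;
    return static_cast<long>(it - region.begin());
}

// Single-byte XOR "obfuscation" of the kind a simple crypter applies; the
// payload is only decoded in memory at the moment it runs.
std::vector<uint8_t> xorEncode(const std::vector<uint8_t>& data, uint8_t key) {
    std::vector<uint8_t> out(data.size());
    for (size_t i = 0; i < data.size(); ++i) out[i] = data[i] ^ key;
    return out;
}

// Build a constructed "memory region": zero filler with the payload
// implanted at a given offset, as an injector would leave it after
// WriteProcessMemory, before queuing the APC that runs it.
std::vector<uint8_t> buildRegion(const std::vector<uint8_t>& payload,
                                 size_t offset, size_t totalSize) {
    std::vector<uint8_t> region(totalSize, 0x00);
    std::copy(payload.begin(), payload.end(), region.begin() + offset);
    return region;
}

// Is a raw copy of the payload flagged by the passive scan?
bool rawPayloadDetected() {
    auto region = buildRegion(kMsfX64Prologue, 0x40, 0x1000);
    return scanForPattern(region, kMsfX64Prologue) >= 0;
}

// Is an XOR-encoded copy flagged by the same scan? (It is not: the bytes
// in memory no longer match until the stub decodes them at run time.)
bool encodedPayloadDetected() {
    auto region = buildRegion(xorEncode(kMsfX64Prologue, 0x5A), 0x40, 0x1000);
    return scanForPattern(region, kMsfX64Prologue) >= 0;
}

int main() {
    std::cout << "raw payload detected: "
              << (rawPayloadDetected() ? "yes" : "no") << "\n";
    std::cout << "encoded payload detected: "
              << (encodedPayloadDetected() ? "yes" : "no") << "\n";
    return 0;
}
```

The scan never looks at which API placed the bytes there (QueueUserAPC, CreateRemoteThread, or anything else); it only judges what is in memory at scan time. That is also why timing matters: scanning after the stub has decoded the payload in place gives the scanner the raw bytes back.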

Shellcode was simple meterpreter reverse_tcp shell.

> PE-sieve detects the payload, not the method of injection (it does a passive scan and no API hooking). If the shellcode was small and obfuscated, it would possibly not detect it.

Thanks, it makes sense.

duzvik avatar Jan 28 '20 10:01 duzvik

@duzvik - please check if the recent commit solved the problem. You can get the latest builds from the build server: 64bit and 32bit

hasherezade avatar Feb 26 '20 20:02 hasherezade

I think it should work fine in the latest release, but please check and let me know: https://github.com/hasherezade/pe-sieve/releases

hasherezade avatar Mar 09 '20 01:03 hasherezade