explaingit

hasherezade/pe-sieve

Analysis updated 2026-05-18

3,656C++Audience · ops devopsComplexity · 4/5LicenseSetup · easy

TLDR

A Windows security tool that scans running processes for signs of malware injection and extracts the suspicious code for analysis.

Mindmap

mindmap
  root((PE-sieve))
    What it does
      Detect process tampering
      Extract malware code
    Tech stack
      C++
      Windows
    Use cases
      Malware analysis
      Security research
    Audience
      Security researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a suspicious running process for Process Hollowing or Reflective DLL Injection.

USE CASE 2

Dump hidden malicious code from an infected process to disk for offline analysis.

USE CASE 3

Use HollowsHunter to scan every running process on a system at once for tampering.

USE CASE 4

Embed PE-sieve as a library inside a larger security product via its API.

What is it built with?

C++Windows

How does it compare?

hasherezade/pe-sievezylann/godot_voxeloverv/vulkantutorial
Stars3,6563,6553,659
LanguageC++C++C++
Setup difficultyeasymoderatemoderate
Complexity4/53/54/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Windows-only, prebuilt binaries available via GitHub releases, Chocolatey, or Scoop.

Open source under the BSD 2-Clause license, which allows free use, modification, and redistribution.

In plain English

PE-sieve is a Windows security tool that scans a running process on your computer and looks for signs that it has been tampered with by malicious software. When malware infects a system it often does so by injecting hidden code into legitimate programs that are already running, or by swapping out part of a legitimate program's code in memory with its own. PE-sieve is designed to detect those modifications and extract the suspicious code so that a security researcher can examine it further. Specifically, the tool looks for several known attack techniques: Process Hollowing, where a legitimate program's code is replaced with malware, Reflective DLL Injection, where a malicious library loads itself into another process without going through normal Windows loading procedures, Process Doppelganging, a more advanced variation that abuses Windows file transaction features, and inline hooks, where short pieces of code are inserted into legitimate functions to redirect what they do. When PE-sieve finds any of these, it can dump the suspicious memory regions to disk as files for offline analysis. The tool is built to be lightweight and focused: it scans one process at a time. It can run as a standalone command-line program or be compiled as a library that other applications can call through a simple API, making it useful as an engine inside larger security products. Two companion tools extend what it can do: HollowsHunter wraps PE-sieve to scan all processes on a system at once, and MalUnpack uses it to unpack obfuscated malware samples. PE-sieve runs only on Windows and is written in C++. It is available as a prebuilt download from the releases page or through the Chocolatey and Scoop package managers. The project is open-source under the BSD 2-Clause license.

Copy-paste prompts

Prompt 1
Show me how to run PE-sieve from the command line to scan a specific process ID on Windows.
Prompt 2
Explain how PE-sieve detects Process Doppelganging and what output it produces.
Prompt 3
Walk me through using MalUnpack with PE-sieve to unpack an obfuscated malware sample.
Prompt 4
Show me how to embed PE-sieve as a library and call its scanning API from my own security tool.

Frequently asked questions

What is pe-sieve?

A Windows security tool that scans running processes for signs of malware injection and extracts the suspicious code for analysis.

What language is pe-sieve written in?

Mainly C++. The stack also includes C++, Windows.

What license does pe-sieve use?

Open source under the BSD 2-Clause license, which allows free use, modification, and redistribution.

How hard is pe-sieve to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is pe-sieve for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.