Need help with PeSieve

[WiltedDeath]

Hi, so I am doing a project with CapeV2 sandbox and I have a task to add PeSieve as an auxiliary module to join the analysis process on a PID.
Currently, I am able to make PeSieve execute on the PID, now all that is left is uploading the results.

My question is: after a scan, it generates a folder (process_{pid}) with the results. I am trying in my code after the scan to locate the folder in the Windows guest and basically upload every file in it to Cape Host but currently I have no luck. Am i missing something?

import time
import os
import logging
import subprocess
from threading import Thread
from lib.common.abstracts import Auxiliary
from lib.common.results import upload_to_host

log = logging.getLogger(__name__)

class PESieve(Auxiliary, Thread):
    def __init__(self, options, config):
        Auxiliary.__init__(self, options, config)
        Thread.__init__(self)
        self.pesieve_path = "C:\\Users\\CapeUser\\Desktop\\pesieve\\pe-sieve64.exe"
        self.pids = []  # List to track PIDs

    def add_pid(self, pid):
        """Add a PID to the tracking list."""
        if pid not in self.pids:
            self.pids.append(pid)
            log.info("Added PID: %s to PESieve", pid)

    def del_pid(self, pid):
        """Remove a PID from the tracking list."""
        if pid in self.pids:
            self.pids.remove(pid)
            log.info("Removed PID from PESieve")

    def run(self):
        log.info("Running PE-sieve on PIDs")
        while True:
            for pid in self.pids:
                try:
                    # Run PE-sieve and wait for it to complete
                    process = subprocess.Popen([self.pesieve_path, '/pid', str(pid)], shell=False)
                    process.wait()
                    log.info("PE-sieve run on PID: %s", pid)

                    # Check and upload the process_<PID> folder
                    self.upload_process_folder(pid)

                except Exception as e:
                    log.error(f"Failed to run PE-sieve on PID {pid}: {e}")
                time.sleep(1)

    def upload_process_folder(self, pid):
        process_folder_path = os.path.join(os.path.dirname(self.pesieve_path), f'process_{pid}')
        if os.path.exists(process_folder_path) and os.path.isdir(process_folder_path):
            # Upload each file in the folder
            for root, dirs, files in os.walk(process_folder_path):
                for file in files:
                    file_path = os.path.join(root, file)
                    upload_to_host(file_path, os.path.join("pesieve", os.path.basename(file_path)))
                    log.info(f"Uploaded {os.path.basename(file_path)} for PID {pid}")
        else:
            log.error(f"Folder for PID {pid} not found or is not a directory")

    def stop(self):
        
        pass

``

[hasherezade]

hi @WiltedDeath !
Few things should be kept in mind:

• if the process was not detected as suspicious, no output directory will be generated
• by default, the directory where the output will be saved, is the current working directory (where PE-sieve was run). So, it is not necessarily the same directory as the one where PE-sieve binary is located. If the path to PE-sieve is C:\\Users\\CapeUser\\Desktop\\pesieve\\pe-sieve64.exe but I run it from C:\\Users\\tester\\Desktop the result will be saved to C:\\Users\\tester\\Desktop

I don't know if you are familiar with the parameter /dir - with the help of it, you can give to PE-sieve the exact path where you want your results to be stored, i.e. /dir C:/dumps.
BTW, you may also consider using PE-sieve DLL instead of EXE, and the dedicated Python bindings:

• https://github.com/hasherezade/pe-sieve/tree/master/bindings/python

[cccs-mog]

Hi @WiltedDeath,

I would like to point out that you might like to be using https://github.com/hasherezade/hollows_hunter instead maybe if you are not using the PE-sieve DLL for python binding ? It would allow you to run system wise if this is what you intend for the auxiliary.
https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ#pe-sieve-vs-hollowshunter---what-is-the-difference

You might want to look at the https://github.com/hasherezade/pe-sieve/wiki/3.3.-JSON-reports to see if you should be expecting results for you auxiliary when in doubt.

Also, you might want to add a check for 32 bits vs 64 bits PE-sieve/Hollowshunter if you are using it as an EXE.

Probably just a FYI as this is more specific to CAPE but there could be a problem with your auxiliary, make sure that you actually see the logs in the analysis.log for your module. The /dir option should solve your issue on PE-sieve part.

[WiltedDeath]

Alright, thanks for the reply, will definetely look into it.
one more thing: if i use the /dir parameter how should the overall command for running pe sieve be constructed?

will it be : pe-sieve64.exe /pid 1234 /dir
or am i in the wrong?

[hasherezade]

Alright, thanks for the reply, will definetely look into it. one more thing: if i use the /dir parameter how should the overall command for running pe sieve be constructed?

will it be : pe-sieve64.exe /pid 1234 /dir or am i in the wrong?

you need give your path after the /dir parameter. For example, pe-sieve64.exe /pid 1234 /dir C:/dumps if I want to save the output to C:/dumps.

BTW, all the parameters are listed if you run PE-sieve without any parameters:

You can also ask more details about one particular argument of your choice, by running i.e. pe-sieve.exe /dir ?.

Check also Wiki for more info.