Misc
Ido Veltzman edited this page Jan 15, 2024
PE-Sieve, written by Hasherezade, is a memory analysis tool often used by DFIR teams to detect suspicious activity and dump processes for further investigation.
Nidhogg provides the ability to disrupt the tool's operation by trimming the PROCESS_DUP_HANDLE, PROCESS_CREATE_THREAD and PROCESS_VM_OPERATION permissions from the requestor's process handle via the process ObCallback. These three permissions were chosen by reading pe-sieve's code and understanding which access rights its workflow depends on.
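From the defender's side, the tell-tale of this technique is a handle that comes back from OpenProcess with fewer rights than were requested: a normal access check either grants the whole mask or fails the call, so silent trimming points at something in the object-callback chain. The PowerShell probe below is an added example, not Nidhogg's or PE-Sieve's code; it requests the three rights named above (plus PROCESS_QUERY_LIMITED_INFORMATION so the call succeeds on ordinary processes), reads the granted mask back with NtQueryObject(ObjectBasicInformation), and reports which rights went missing. It assumes a Windows host and a caller that would otherwise be entitled to those rights (elevated, or probing its own processes); the function and class names are the example's own.

```powershell
# Added example (not Nidhogg's code): detect silent access-right trimming on process handles.
# Assumes Windows and a caller normally entitled to the requested rights (elevated / own processes).
$src = @"
using System;
using System.Runtime.InteropServices;
public static class HandleProbe {
    // OBJECT_BASIC_INFORMATION as returned by NtQueryObject(ObjectBasicInformation = 0)
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_BASIC_INFORMATION {
        public uint Attributes;
        public uint GrantedAccess;      // the mask the kernel actually granted on this handle
        public uint HandleCount;
        public uint PointerCount;
        public uint PagedPoolCharge;
        public uint NonPagedPoolCharge;
        public uint Reserved0, Reserved1, Reserved2;
        public uint NameInfoSize;
        public uint TypeInfoSize;
        public uint SecurityDescriptorSize;
        public long CreationTime;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryObject(IntPtr Handle, int ObjectInformationClass,
        ref OBJECT_BASIC_INFORMATION ObjectInformation, int Length, out int ReturnLength);
}
"@
Add-Type -TypeDefinition $src

# The three rights the page describes as being trimmed from the requestor's handle
$PROCESS_CREATE_THREAD             = 0x0002
$PROCESS_VM_OPERATION              = 0x0008
$PROCESS_DUP_HANDLE                = 0x0040
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Test-HandleAccessTrimmed {
    param([Parameter(Mandatory)][int]$ProcessId)

    $requested = $PROCESS_DUP_HANDLE -bor $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_QUERY_LIMITED_INFORMATION
    $h = [HandleProbe]::OpenProcess($requested, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $obi = New-Object HandleProbe+OBJECT_BASIC_INFORMATION
        $len = 0
        $status = [HandleProbe]::NtQueryObject($h, 0, [ref]$obi, [Runtime.InteropServices.Marshal]::SizeOf($obi), [ref]$len)
        if ($status -ne 0) { throw ("NtQueryObject failed: NTSTATUS 0x{0:X8}" -f $status) }

        # Rights we asked for but did not get: requested AND NOT granted
        $granted = [int64]$obi.GrantedAccess
        $missing = $requested -band (-bnot $granted)

        [pscustomobject]@{
            ProcessId     = $ProcessId
            Requested     = ('0x{0:X}' -f $requested)
            Granted       = ('0x{0:X}' -f $granted)
            Trimmed       = ($missing -ne 0)
            MissingRights = @(
                if ($missing -band $PROCESS_DUP_HANDLE)    { 'PROCESS_DUP_HANDLE' }
                if ($missing -band $PROCESS_CREATE_THREAD) { 'PROCESS_CREATE_THREAD' }
                if ($missing -band $PROCESS_VM_OPERATION)  { 'PROCESS_VM_OPERATION' }
            ) -join ','
        }
    }
    finally { [void][HandleProbe]::CloseHandle($h) }
}

# Usage: probe every process the caller can open and list those whose handle was trimmed.
Get-Process | ForEach-Object {
    try { Test-HandleAccessTrimmed -ProcessId $_.Id } catch { <# skip processes we cannot open #> }
} | Where-Object Trimmed | Format-Table ProcessId, Requested, Granted, MissingRights -AutoSize
```

A Trimmed row is a lead, not a verdict: EDR and anti-cheat drivers legitimately use the same ObRegisterCallbacks mechanism to strip rights from handles to their own processes, so correlate the flagged target with the installed security products before treating the result as tampering. A probe that is trimmed on every process, including ones the caller plainly owns, matches the behaviour this page describes rather than a product protecting itself.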