process_slicer
A PowerShell wrapper script around PE-sieve and the Sysinternals Suite. It freezes a target process to slice its execution into time windows, then runs PE-sieve during each slice to capture in-memory payloads as they evolve.
GitHub
github.com/whiskywater/process_slicer
Requirements
- PE-sieve — github.com/hasherezade/pe-sieve
- Sysinternals Suite — learn.microsoft.com/sysinternals-suite
By default, process_slicer assumes that PE-sieve and the Sysinternals Suite tools are in the same working directory as the script itself.
Example usage
powershell -NoProfile -ExecutionPolicy Bypass -File .\process_slicer.ps1 -TargetExe "infected.exe" -PollMs 0.2 -RunSliceMs 0.2 -RescanForSeconds 800 -BaselineDumpModes 3 -RescanDumpModes 3 -PeImpMode 3 -PeReflection -PeMiniDump -FollowChildren -OnceAfterRescans -DebugMode
Flags
- -TargetExe — The target executable you wish to run through process_slicer.
- -PollMs — How frequently process_slicer checks for the target process to appear, measured in milliseconds.
- -RunSliceMs — How long the target process is allowed to run between freezes per slice, measured in milliseconds.
- -RescanForSeconds — Total duration of the rescan window, measured in seconds. Keep this value high to scan the process for its whole lifetime, low when storage capacity is a constraint.
- -BaselineDumpModes & -RescanDumpModes — Map directly to PE-sieve's /dmode parameter: 1 (VIRTUAL), 2 (unmapped), 3 (realigned), 0 (auto).
- -PeImpMode — Maps to PE-sieve's /imp (import) argument.
- -PeReflection — Toggle for PE-sieve's /refl flag.
- -PeMiniDump — Toggle for PE-sieve's /minidmp flag.
- -FollowChildren — Optional toggle that tells process_slicer to follow any child processes created by the parent process.
- -OnceAfterRescans — Tells the script to stop after the target process exits or dies.
- -DebugMode — Verbosity flag. When enabled, the script logs detailed information about each slice, PE-sieve invocation, and child process discovery.
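The freeze / scan / resume cycle that the flags above parameterize, shown as an added illustration. This is not process_slicer's own code: it assumes pe-sieve64.exe and pssuspend64.exe sit in the current directory (the default layout described above), takes an already running PID rather than launching a target, and exposes only the slice length, slice count and /dmode value; the child-following, polling and rescan-window logic of the real script is left out.

```powershell
# Added illustration of a slicing loop; NOT the process_slicer script itself.
# Assumes pe-sieve64.exe and pssuspend64.exe are in the current directory.
param(
    [Parameter(Mandatory = $true)][int]$TargetPid,   # process to slice
    [int]$RunSliceMs = 200,                           # run time per slice (ms)
    [int]$Slices = 10,                                # number of freeze/scan cycles
    [ValidateSet(0, 1, 2, 3)][int]$DumpMode = 3,      # PE-sieve /dmode value
    [string]$OutRoot = ".\slices"                     # one subfolder per slice
)

$PeSieve   = Join-Path $PWD "pe-sieve64.exe"
$PsSuspend = Join-Path $PWD "pssuspend64.exe"
foreach ($tool in @($PeSieve, $PsSuspend)) {
    if (-not (Test-Path $tool)) { throw "Missing required tool: $tool" }
}

New-Item -ItemType Directory -Force -Path $OutRoot | Out-Null

for ($i = 1; $i -le $Slices; $i++) {
    # Stop cleanly once the target has exited (Get-Process returns nothing).
    if (-not (Get-Process -Id $TargetPid -ErrorAction SilentlyContinue)) {
        Write-Host "Target $TargetPid exited before slice $i; stopping."
        break
    }

    # Freeze every thread so the in-memory image cannot change during the scan.
    & $PsSuspend -accepteula $TargetPid | Out-Null

    # Each slice writes to its own directory so successive dumps can be compared.
    $sliceDir = Join-Path $OutRoot ("slice_{0:D4}" -f $i)
    & $PeSieve /pid $TargetPid /dmode $DumpMode /dir $sliceDir /quiet | Out-Null
    Write-Host ("Slice {0}: PE-sieve output in {1}" -f $i, $sliceDir)

    # Resume (pssuspend -r) and let the target run for one more time window.
    & $PsSuspend -accepteula -r $TargetPid | Out-Null
    Start-Sleep -Milliseconds $RunSliceMs
}
```

Run it as `.\slice_demo.ps1 -TargetPid 1234 -RunSliceMs 200 -Slices 20 -DumpMode 3` against a process you are analysing in an isolated lab; comparing the per-slice directories shows how the mapped image changes between time windows, which is the effect -RunSliceMs and -BaselineDumpModes/-RescanDumpModes control in process_slicer.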