Kill processes

ZwTerminateProcess is simply called from kernel land to terminate any process. Additionally, you can bury a process to avoid it to restart by setting a kernel callback to process creation: If the target process is created, Banshee will set the CreationStatus of the target process to STATUS_ACCESS_DENIED.

Change protection levels

This is done by modifying the EPROCESS structure, which is an kernel object that describes a processes attributes. It also holds a value that specifies the protection level of the process.
We can directly modify this value (aka Direct Kernel Object Modification or DKOM), since we are operating in Ring 0.

Elevate any process token to SYSTEM

EPROCESS also holds a pointer to the current access token, so we can just make it point to e.g. the token of process 4 (SYSTEM) to elevate any process to SYSTEM

Enumerating and erasing kernel callbacks

For now, only Process- and Thread-Creation kernel callbacks are enumerated, by parsing the PsSetCreateNotifyProcess/ThreadRoutine routine to reach the private Psp* routine and then parsing the address of the array, where kernel callbacks are stored.

Protecting the driver file

By hooking the NTFS filesystem's IRP_MJ_CREATE handler, we can block any process from opening a handle to our driver file

Hide Process by PID

Again, EPROCESS comes to help here - it contains a LIST_ENTRY of a doubly linked list called ActiveProcessLink which is queried by Windows to enumerate running processes. If we simply unlink an entry here, we can hide our process from tools like Process Monitor or Task Manager.

replaced/injected PEs, shellcodes, hooks, and other in-memory patches.
Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.

PE-sieve is meant to be a light-weight engine dedicated to scan a single process at the time. It can be built as an EXE or as a DLL. The DLL version exposes a simple API and can be easily integrated with other applications.