LOKI control line commands
| Command options | Function parameter |
|---|---|
| -h | Show this help message and exit |
| -p | Path to scan |
| -s | (Kilobytes) Maximum file size in KB (default is 5000 KB) |
| -l | Log file |
| -r | Remote syslog system |
| -t | Remote syslog port |
| -a | Alarm score for alarm level |
| -w | Alarm score for warning level |
| -n | Notification score for notification level |
| –printall | Print all scanned documents |
| –allreasons | Print all the reasons that led to the score |
| –noprocscan | Skip process scan |
| –Nofilescan | Skip file scanning |
| –nolevcheck | Skip Levenshtein distance check |
| –scriptanalysis | Activation script analysis (beta) |
| –rootkit | Skip rootkit check |
| –No indicator | Do not show progress indicator |
| –Reginfs | Check Regin virtual file system |
| –dontwait | No need to wait for exit |
| –intense | Intensive scanning mode (also scans unknown file types and all extensions) |
| –csv | Write CSV log format to STDOUT (machine processing) |
| –onlyrelevant | Only print warnings or alarms |
| –nolog | Do not write local log files |
| –update | Update the signature database from the "signature database" subdirectory |
| –debug | Debug information output |
| –maxworkingset | MAXWORKINGSET The maximum working set size of the scanning process (in MB, the default is 100 MB) |
| –syslogtcp | Use TCP instead of UDP for syslog logging |
| -Log folder | Log folder |
| –Nopesieve | Do not perform pe-sieve scan |
| –pesieveshellc | Perform a pe-sieve shellcode scan |
| –Nolisten | Don't show listening connections |
| –excludeprocess | Specify the executable file name to be excluded from scanning, can be used multiple times |
My position on loki:An IOCs scanner that can detect whether the current host has APT samples in real time. You can also affectionately call it a THOR advertising product. There are some yara rules that can be used for free prostitution!
PE-SIEVE.EXE control line command
/ pid <target_pid>:设置目标进程的PID。
(十进制或前缀为“ 0x”的十六进制)
可选的扫描选项:
/ iat <*scan_mode>:扫描IAT挂钩。
扫描模式:
0-无:不扫描IAT挂钩(默认)
1-过滤:扫描IAT挂钩,过滤掉系统挂钩
2-未过滤:扫描IAT挂钩,报告所有
/ shellc:检测shellcode注入。 (默认情况下,它仅检测PE)。
/data <*data_scan_mode>:设置是否应扫描不可执行的页。
0-无:不扫描不可执行的页
1-.NET:在.NET应用程序中扫描不可执行的页
2-如果没有DEP:如果DEP被禁用(或者是.NET),则扫描非执行程序页
3-始终扫描:无条件扫描不可执行的页
/ mfilter <* mfilter_id>:过滤扫描的模块。
0-无过滤器(作为扫描仪)
1-只适用于32位
2-是适用于64位
3-全部可访问(默认)
/ mignore <模块名称>:指定模块名称(以’;'分隔),不会进行扫描。
示例:kernel32.dll; user32.dll
/ refl:在扫描之前进行过程反射。
/ dnet <* dotnet_policy>:设置用于扫描托管进程(.NET)的策略。
0-无:将托管进程与本地进程一样
1-跳过映射不匹配(仅在.NET模块中)
2-跳过shellcode(在托管进程的所有模块中)
3-跳过挂钩的模块(在托管进程内的所有模块中)
4-跳过以上所有内容(映射,shellcode,钩子)
DUMP转储选项
/ imp <* imprec_mode>:设置应以哪种方式恢复导入表。
0-无:不恢复导入表(默认)
1-尝试自动检测最合适的模式
2-恢复部分损坏或被擦除的导入表
3-根据找到的IAT从头开始构建导入表
/ dmode <*转储模式>:设置检测到的PE文件应以哪种模式转储。
0-自动检测(默认)
1-虚拟(因为它在内存中,没有取消映射)
2-未映射(使用节的原始标题转换为原始)
3-重新对齐的原始格式(转换后的原始格式与虚拟格式相同)
输出选项
/ ofilter <* ofilter_id>:过滤转储的输出。
0-无过滤器:转储所有内容(默认)
1-不要转储修改后的PE,但要保存报告
2-不要转储任何文件
/quiet: Only print brief summary information. During scanning, stdout will not be logged in.
/json: The summary output is in JSON report format.
/ minidmp: Create minidmp of the entire suspicious process.
/ dir <output directory>: Set the output root directory (default: current directory).
/help: Print this help.
/ version: Print the version number.
Common commands: run cmd and execute commands with administrator privileges
Pe-sieve64.exe /pid 996 /shellc /json /dir c:\test
The main purpose:The complete PE structure of the dll that can be quickly DUMP injected into the process can be used to unpack。