4.8. Create Process Reflection (refl)
PE-sieve scans the process without interfering with its execution: during a normal scan the target process keeps running, so the memory being examined may change while the scan is in progress, which can cause concurrency issues.
To prevent those issues, you can use the refl option:
/refl
This creates a suspended copy (reflection) of the process, and the copy is scanned instead of the live process. A detailed explanation is given in 🎞️ the video.
A further benefit of scanning a process reflection rather than the live process is that selected elements can be manipulated without affecting the original process. For example, access can be forced to pages that are otherwise set as inaccessible; that is why this mode must be turned on whenever inaccessible pages are to be scanned (more info here).
WARNING: this mode does not work on old versions of Windows (below Windows 7).
If reflection mode was successfully enabled on the process, this is noted in the scan report (scan_report.json):
"used_reflection" : 1,
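The following PowerShell wrapper is an added example and is not part of PE-sieve itself: it refuses to run on Windows releases older than 7, launches a /refl scan of one process, then reads the scan_report.json that PE-sieve wrote and checks the used_reflection field before the results are trusted for inaccessible pages. The binary path and the output root directory are assumptions; the /pid, /refl and /dir switches are PE-sieve's own.

```powershell
# Added example (not PE-sieve's own code): run a reflection-mode scan and
# confirm from scan_report.json that reflection was really in effect.
param(
    [Parameter(Mandatory)][int]$TargetPid,
    [string]$PeSieve = '.\pe-sieve64.exe',               # assumption: binary location
    [string]$OutRoot = (Join-Path $PWD 'pe-sieve-out')    # assumption: output root
)

# /refl is unsupported below Windows 7 (NT 6.1), so fail early instead of
# silently falling back to a live-process scan.
$osVer = [System.Environment]::OSVersion.Version
if ($osVer -lt [version]'6.1') {
    throw "Process reflection needs Windows 7 or newer (found $osVer)"
}

New-Item -ItemType Directory -Force -Path $OutRoot | Out-Null

# /pid  : process to scan
# /refl : scan a suspended reflection instead of the running process
# /dir  : root directory under which PE-sieve writes its output files
& $PeSieve /pid $TargetPid /refl /dir $OutRoot

# PE-sieve places scan_report.json in a per-process subfolder; search for it
# rather than hard-coding the folder name.
$report = Get-ChildItem -Path $OutRoot -Recurse -Filter 'scan_report.json' |
          Select-Object -First 1
if (-not $report) {
    throw "No scan_report.json found under $OutRoot; the scan did not complete"
}

$json = Get-Content -Raw -Path $report.FullName | ConvertFrom-Json

if ($json.used_reflection -eq 1) {
    Write-Host "Reflection was used for PID $TargetPid; inaccessible pages were scanned."
} else {
    # Reflection silently failed (e.g. unsupported platform or insufficient
    # rights): the report covers only pages readable in the live process.
    Write-Warning ("used_reflection is not 1 in $($report.FullName); " +
                   "do not treat inaccessible regions as cleared.")
}
```

Run it as `.\Invoke-ReflScan.ps1 -TargetPid 1234` (script name is a placeholder); the warning path is the case a practitioner most often misses, since PE-sieve still produces a report when reflection could not be created.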