449cfe9708
Added comprehensive section-by-section PE comparison that reads the executable from disk, parses PE sections, and compares them against memory using SHA-256 hashing. Detects: - Modified code sections (>5% difference from disk) - Missing PE sections in memory - Section hash mismatches This catches sophisticated hollowing techniques that modify specific code sections while preserving the PE header structure.