 |
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
|
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
| ▼Npesieve | |
| ►Nstats | |
| ►Nutil | |
| C_ctx_details | A custom structure keeping a fragment of a thread context |
| C_process_details | |
| C_t_pattern | |
| CAreaEntropyStats | |
| CAreaInfo | |
| CAreaMultiStats | |
| CAreaStats | Base class for the statistics from analyzed buffer |
| CAreaStatsCalculator | A class responsible for filling in the statistics with the data from the particular buffer |
| ►CArtefactScanner | A scanner for detection of artefacts related to PE implants in the process workingset |
| CArtefactScanReport | A report from the artefacts scan, generated by ArtefactScanner |
| CCachedModule | |
| CChunkStats | Statistics from a block of data |
| CCodeMatcher | |
| CCodeScanner | A scanner for detection of patches in the code |
| CCodeScanReport | A report from the code scan, generated by CodeScanner |
| CEncryptedMatcher | |
| CErrorReport | |
| CHeadersScanner | A scanner for detection of PE header's modifications |
| CHeadersScanReport | A report from the headers scan, generated by HeadersScanner |
| CHookTargetResolver | Processes the list of the collected patches (preprocessed by PatchAnalyzer), and for those of them that were detected as hooks, it resolves information about to which modules do they lead to |
| CIATBlock | |
| CIATScanner | A scanner for detection of IAT hooking |
| CIATScanReport | A report from an IAT scan, generated by IATScanner |
| CIATThunksSeries | |
| CIATThunksSeriesPtrCompare | |
| CImportTableBuffer | |
| CImpReconstructor | |
| CMalformedHeaderReport | |
| CMappingScanner | A scanner for detection of inconsistencies in mapping. Checks if the mapped file name is different than the module file name |
| CMappingScanReport | |
| CMemPageData | |
| CModuleData | Loads a module from the disk, corresponding to the module in the scanned process' memory |
| CModuleDumpReport | |
| CModulesCache | |
| CModuleScanner | A base class for all the scanners operating on module data |
| CModuleScanReport | A base class of all the reports detailing on the output of the performed module's scan |
| CModulesInfo | A container of all the process modules that were scanned |
| CMultiStatsSettings | Settings defining what type of stats should be collected |
| CObfuscatedMatcher | |
| CPARAM_STRING | |
| CPatchAnalyzer | A postprocessor of the detected code patches. Detects if the patch is a hook, and if so, tries to indentify the address where it leads to |
| ►CPatchList | |
| CPatternMatcher | |
| CPeArtefacts | A report about the PE artefact detected in the workingset |
| CPeBuffer | |
| CPeReconstructor | |
| CPeSection | Buffers the defined PE section belonging to the module loaded in the scanned process into the local memory |
| CProcessDumpReport | The report aggregating the results of the performed dumps |
| CProcessFeatureScanner | A base class for all the scanners checking appropriate process' features |
| CProcessScanner | The root scanner, responsible for enumerating all the elements to be scanned within a given process, and performing apropriate scans on them |
| CProcessScanReport | The report aggregating the results of the performed scan |
| CRemoteModuleData | Buffers the data from the module loaded in the scanned process into the local memory |
| CReportEx | The final report about the actions performed on the process: scanning and dumping |
| CResultsDumper | |
| CRuleMatcher | |
| CRuleMatchersSet | |
| CScannedModule | Represents a basic info about the scanned module, such as its base offset, size, and the status |
| CSkippedModuleReport | |
| CStatsSettings | Base class for settings defining what type of stats should be collected |
| CSyscallTable | |
| Ct_data_scan_mode | |
| Ct_dotnet_policy | |
| Ct_dump_mode | |
| Ct_iat_scan_mode | |
| Ct_imprec_mode | |
| Ct_json_level | |
| Ct_obfusc_mode | |
| Ct_output_filter | |
| Ct_params | |
| Ct_report | |
| Ct_report_type | |
| Ct_shellc_mode | |
| CTextMatcher | |
| CThreadScanner | |
| CThreadScanReport | A report from the thread scan, generated by ThreadScanner |
| CThunkFoundCallback | A class containing callbacks for functions: find_iat, fill_iat |
| CUnreachableModuleReport | |
| CWorkingSetScanner | A scanner for detection of code implants in the process workingset |
| CWorkingSetScanReport | A report from the working set scan, generated by WorkingSetScanner |
| C_PARAM_STRING | A wrapper for a dynamically allocated string |
| C_t_stack_enum_params | |
| Cparams | Input parameters for PE-sieve, defining the configuration |
| CPEsieveParams | |
| CProcessSymbolsManager | |
| Creport | Final summary about the scanned process |
1.12.0