PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
| Kind | Name | Description |
|---|---|---|
| namespace | pesieve | |
| namespace | util | |
| namespace | stats | |
| class | t_output_filter | |
| class | t_shellc_mode | |
| class | t_obfusc_mode | |
| class | t_imprec_mode | |
| class | t_dump_mode | |
| class | t_iat_scan_mode | |
| class | t_dotnet_policy | |
| class | t_data_scan_mode | |
| class | t_json_level | |
| class | t_results_filter | |
| class | t_report_type | |
| class | PARAM_STRING | |
| class | t_params | |
| class | t_report | |
| class | ErrorReport | |
| class | ReportEx | The final report about the actions performed on the process: scanning and dumping |
| class | ModuleDumpReport | |
| class | ProcessDumpReport | The report aggregating the results of the performed dumps |
| class | IATThunksSeries | |
| class | IATThunksSeriesPtrCompare | |
| class | IATBlock | |
| class | ThunkFoundCallback | A class containing callbacks for the functions find_iat and fill_iat |
| class | ImportTableBuffer | |
| class | ImpReconstructor | |
| class | PeBuffer | |
| class | PeReconstructor | |
| class | ResultsDumper | |
| class | PeArtefacts | A report about the PE artefact detected in the working set |
| class | ArtefactScanReport | A report from the artefacts scan, generated by ArtefactScanner |
| class | ArtefactScanner | A scanner for detection of artefacts related to PE implants in the process working set |
| class | CodeScanReport | A report from the code scan, generated by CodeScanner |
| class | CodeScanner | A scanner for detection of patches in the code |
| class | HeadersScanReport | A report from the headers scan, generated by HeadersScanner |
| class | HeadersScanner | A scanner for detection of modifications of the PE headers |
| class | HookTargetResolver | Processes the list of collected patches (preprocessed by PatchAnalyzer) and, for those detected as hooks, resolves which modules they lead to |
| class | IATScanReport | A report from an IAT scan, generated by IATScanner |
| class | IATScanner | A scanner for detection of IAT hooking |
| class | MappingScanReport | |
| class | MappingScanner | A scanner for detection of inconsistencies in mapping. Checks if the mapped file name is different from the module file name |
| class | MemPageData | |
| class | CachedModule | |
| class | ModulesCache | |
| class | ModuleData | Loads a module from the disk, corresponding to the module in the scanned process' memory |
| class | RemoteModuleData | Buffers the data from the module loaded in the scanned process into the local memory |
| class | ElementScanReport | A base class of all the reports detailing the output of the performed element scan |
| class | ModuleScanReport | A base class of all the reports detailing the output of the performed module scan |
| class | UnreachableModuleReport | |
| class | SkippedModuleReport | |
| class | MalformedHeaderReport | |
| class | ModuleScanner | A base class for all the scanners operating on module data |
| class | PatchAnalyzer | A postprocessor of the detected code patches. Detects if the patch is a hook, and if so, tries to identify the address where it leads to |
| class | PatchList | |
| class | PeSection | Buffers the defined PE section belonging to the module loaded in the scanned process into the local memory |
| class | _process_details | |
| class | ProcessFeatureScanner | A base class for all the scanners checking particular features of the process |
| class | ProcessScanReport | The report aggregating the results of the performed scan |
| class | ScannedModule | Represents basic information about the scanned module, such as its base offset, size, and status |
| class | ModulesInfo | A container of all the process modules that were scanned |
| class | ProcessScanner | The root scanner, responsible for enumerating all the elements to be scanned within a given process and performing the appropriate scans on them |
| class | _ctx_details | A custom structure keeping a fragment of a thread context |
| class | ThreadScanReport | A report from the thread scan, generated by ThreadScanner |
| class | ThreadScanner | |
| class | WorkingSetScanReport | A report from the working set scan, generated by WorkingSetScanner |
| class | WorkingSetScanner | A scanner for detection of code implants in the process working set |
| class | AreaEntropyStats | |
| class | MultiStatsSettings | Settings defining what type of stats should be collected |
| class | ChunkStats | Statistics from a block of data |
| class | AreaMultiStats | |
| class | StatsSettings | Base class for settings defining what type of stats should be collected |
| class | AreaStats | Base class for the statistics from the analyzed buffer |
| class | AreaStatsCalculator | A class responsible for filling in the statistics with the data from the particular buffer |
| class | CodeMatcher | |
| class | ObfuscatedMatcher | |
| class | EncryptedMatcher | |
| class | TextMatcher | |
| class | RuleMatcher | |
| class | AreaInfo | |
| class | RuleMatchersSet | |
| class | PatternMatcher | |
| class | _t_pattern | |
| class | SyscallTable | |
| class | _PARAM_STRING | A wrapper for a dynamically allocated string |
| class | _t_stack_enum_params | |
| class | params | Input parameters for PE-sieve, defining the configuration |
| class | PEsieveParams | |
| class | ProcessSymbolsManager | |
| class | report | Final summary about the scanned process |