PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
ProcessSymbolsManager Class Reference

#include <process_symbols.h>

Public Member Functions

 ProcessSymbolsManager ()
 ~ProcessSymbolsManager ()
 ProcessSymbolsManager (const ProcessSymbolsManager &)=delete
ProcessSymbolsManager & operator= (const ProcessSymbolsManager &)=delete
bool InitSymbols (HANDLE process, bool enableAutoDownload, bool lazy)
bool RefreshModules ()
bool RunStackWalk64 (_In_ DWORD MachineType, _In_ HANDLE hThread, _Inout_ LPSTACKFRAME64 StackFrame, _Inout_ PVOID ContextRecord, _In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine, _In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine, _In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine, _In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress)
bool IsInitialized () const
void NormalizeNtZwPrefix (std::string &funcName)
std::string funcNameFromAddr (ULONG_PTR addr, size_t *displacement=NULL)
bool dumpSymbolInfo (ULONG_PTR va)

Static Public Member Functions

static DWORD BuildSymOptions ()
static std::string FilterSymbolPath (const std::string &input, bool allowDownload)
static std::string BuildSymbolPath (bool enableAutoDownload)

Protected Member Functions

bool FreeSymbols ()

Protected Attributes

HANDLE hProcess
bool isInit

Detailed Description

Definition at line 16 of file process_symbols.h.

Constructor & Destructor Documentation

◆ ProcessSymbolsManager() [1/2]

ProcessSymbolsManager::ProcessSymbolsManager ( )
inline

Definition at line 20 of file process_symbols.h.

◆ ~ProcessSymbolsManager()

ProcessSymbolsManager::~ProcessSymbolsManager ( )
inline

Definition at line 25 of file process_symbols.h.

◆ ProcessSymbolsManager() [2/2]

ProcessSymbolsManager::ProcessSymbolsManager ( const ProcessSymbolsManager & )
delete
Member Function Documentation

◆ BuildSymbolPath()

std::string ProcessSymbolsManager::BuildSymbolPath ( bool enableAutoDownload)
inlinestatic

Definition at line 135 of file process_symbols.h.

◆ BuildSymOptions()

DWORD ProcessSymbolsManager::BuildSymOptions ( )
inlinestatic

Definition at line 49 of file process_symbols.h.

◆ dumpSymbolInfo()

bool ProcessSymbolsManager::dumpSymbolInfo ( ULONG_PTR va)
inline

Definition at line 277 of file process_symbols.h.

◆ FilterSymbolPath()

std::string ProcessSymbolsManager::FilterSymbolPath ( const std::string & input,
bool allowDownload )
inlinestatic

Definition at line 64 of file process_symbols.h.

◆ FreeSymbols()

bool ProcessSymbolsManager::FreeSymbols ( )
inlineprotected

Definition at line 306 of file process_symbols.h.

◆ funcNameFromAddr()

std::string ProcessSymbolsManager::funcNameFromAddr ( ULONG_PTR addr,
size_t * displacement = NULL )
inline

Definition at line 249 of file process_symbols.h.

◆ InitSymbols()

bool ProcessSymbolsManager::InitSymbols ( HANDLE process,
bool enableAutoDownload,
bool lazy )
inline

Definition at line 157 of file process_symbols.h.

◆ IsInitialized()

bool ProcessSymbolsManager::IsInitialized ( ) const
inline

Definition at line 232 of file process_symbols.h.

◆ NormalizeNtZwPrefix()

void ProcessSymbolsManager::NormalizeNtZwPrefix ( std::string & funcName)
inline

Definition at line 237 of file process_symbols.h.

◆ operator=()

ProcessSymbolsManager & ProcessSymbolsManager::operator= ( const ProcessSymbolsManager & )
delete
◆ RefreshModules()

bool ProcessSymbolsManager::RefreshModules ( )
inline

Definition at line 199 of file process_symbols.h.

◆ RunStackWalk64()

bool ProcessSymbolsManager::RunStackWalk64 ( _In_ DWORD MachineType,
_In_ HANDLE hThread,
_Inout_ LPSTACKFRAME64 StackFrame,
_Inout_ PVOID ContextRecord,
_In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine,
_In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine,
_In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine,
_In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress )
inline

Definition at line 207 of file process_symbols.h.

Member Data Documentation

◆ hProcess

HANDLE ProcessSymbolsManager::hProcess
protected

Definition at line 321 of file process_symbols.h.

◆ isInit

bool ProcessSymbolsManager::isInit
protected

Definition at line 322 of file process_symbols.h.


The documentation for this class was generated from the following file: process_symbols.h