PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
ProcessSymbolsManager Class Reference

#include <process_symbols.h>

Public Member Functions

 ProcessSymbolsManager ()
 
 ~ProcessSymbolsManager ()
 
bool InitSymbols (HANDLE _hProcess)
 
bool IsInitialized ()
 
std::string normalizeSyscallPrefix (std::string &funcName)
 
std::string funcNameFromAddr (IN const ULONG_PTR addr, OUT OPTIONAL size_t *displacement=nullptr)
 
bool dumpSymbolInfo (const ULONG_PTR addr)
 

Protected Member Functions

bool FreeSymbols ()
 

Protected Attributes

HANDLE hProcess
 
bool isInit
 

Detailed Description

Definition at line 8 of file process_symbols.h.

Constructor & Destructor Documentation

◆ ProcessSymbolsManager()

ProcessSymbolsManager::ProcessSymbolsManager ( )
inline

Definition at line 11 of file process_symbols.h.

◆ ~ProcessSymbolsManager()

ProcessSymbolsManager::~ProcessSymbolsManager ( )
inline

Definition at line 16 of file process_symbols.h.

Here is the call graph for this function:

Member Function Documentation

◆ dumpSymbolInfo()

bool ProcessSymbolsManager::dumpSymbolInfo ( const ULONG_PTR addr)
inline

Definition at line 74 of file process_symbols.h.

Here is the call graph for this function:

◆ FreeSymbols()

bool ProcessSymbolsManager::FreeSymbols ( )
inlineprotected

Definition at line 98 of file process_symbols.h.

◆ funcNameFromAddr()

std::string ProcessSymbolsManager::funcNameFromAddr ( IN const ULONG_PTR addr,
OUT OPTIONAL size_t * displacement = nullptr )
inline

Definition at line 53 of file process_symbols.h.

Here is the call graph for this function:

◆ InitSymbols()

bool ProcessSymbolsManager::InitSymbols ( HANDLE _hProcess)
inline

Definition at line 21 of file process_symbols.h.

◆ IsInitialized()

bool ProcessSymbolsManager::IsInitialized ( )
inline

Definition at line 37 of file process_symbols.h.

◆ normalizeSyscallPrefix()

std::string ProcessSymbolsManager::normalizeSyscallPrefix ( std::string & funcName)
inline

Definition at line 44 of file process_symbols.h.

Member Data Documentation

◆ hProcess

HANDLE ProcessSymbolsManager::hProcess
protected

Definition at line 108 of file process_symbols.h.

◆ isInit

bool ProcessSymbolsManager::isInit
protected

Definition at line 109 of file process_symbols.h.

The documentation for this class was generated from the following file:
Generated by doxygen 1.13.2