PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
This is the complete list of members for pesieve::ArtefactScanner, including all inherited members.
| _findDosHdrByPatterns(BYTE *search_ptr, const size_t max_search_size) | pesieve::ArtefactScanner | protected |
| _findMZoffset(MemPageData &memPage, LPVOID hdr_ptr) | pesieve::ArtefactScanner | protected |
| _findSecByPatterns(BYTE *search_ptr, const size_t max_search_size) | pesieve::ArtefactScanner | protected |
| _validateSecRegions(MemPageData &memPage, LPVOID sec_hdr, size_t sec_count, ULONGLONG pe_image_base, bool is_virtual) | pesieve::ArtefactScanner | protected |
| _validateSecRegions(MemPageData &memPage, LPVOID sec_hdr, size_t sec_count) | pesieve::ArtefactScanner | protected |
| ArtefactScanner(HANDLE _procHndl, const process_details _proc_details, MemPageData &_memPageData, ProcessScanReport &_process_report) | pesieve::ArtefactScanner | inline |
| artPagePtr | pesieve::ArtefactScanner | protected |
| calcImageSize(MemPageData &memPage, IMAGE_SECTION_HEADER *hdr_ptr, ULONGLONG pe_image_base) | pesieve::ArtefactScanner | protected |
| calcImgSize(HANDLE processHandle, HMODULE modBaseAddr, BYTE *headerBuffer, size_t headerBufferSize, IMAGE_SECTION_HEADER *hdr_ptr=NULL) | pesieve::ArtefactScanner | static |
| calcPeBase(MemPageData &memPage, LPVOID hdr_ptr) | pesieve::ArtefactScanner | protected |
| deletePrevPage() | pesieve::ArtefactScanner | inline protected |
| findArtefacts(MemPageData &memPage, size_t start_offset) | pesieve::ArtefactScanner | protected |
| findDosHdrByPatterns(MemPageData &memPage, const size_t start_offset, size_t stop_offset=INVALID_OFFSET) | pesieve::ArtefactScanner | protected |
| findInPrevPages(ULONGLONG addr_start, ULONGLONG addr_stop) | pesieve::ArtefactScanner | protected |
| findMzPe(ArtefactsMapping &mapping, const size_t search_offset) | pesieve::ArtefactScanner | protected |
| findMzPeHeader(MemPageData &memPage, const size_t search_offset) | pesieve::ArtefactScanner | protected |
| findNtFileHdr(MemPageData &memPage, const size_t start_offset, size_t stop_offset=INVALID_OFFSET) | pesieve::ArtefactScanner | protected |
| findSecByPatterns(MemPageData &memPageData, const size_t max_search_size, const size_t search_offset) | pesieve::ArtefactScanner | protected |
| generateArtefacts(ArtefactsMapping &aMap) | pesieve::ArtefactScanner | protected |
| hasShellcode(HMODULE region_start, size_t region_size, PeArtefacts &peArt) | pesieve::ArtefactScanner | protected |
| isProcess64bit | pesieve::ArtefactScanner | protected |
| memPage | pesieve::ArtefactScanner | protected |
| pDetails | pesieve::ArtefactScanner | protected |
| prevMemPage | pesieve::ArtefactScanner | protected |
| ProcessFeatureScanner(HANDLE _processHandle) | pesieve::ProcessFeatureScanner | inline |
| processHandle | pesieve::ProcessFeatureScanner | protected |
| processReport | pesieve::ArtefactScanner | protected |
| scanRemote() | pesieve::ArtefactScanner | virtual |
| setMzPe(ArtefactsMapping &mapping, IMAGE_DOS_HEADER *_dos_hdr) | pesieve::ArtefactScanner | protected |
| setNtFileHdr(ArtefactScanner::ArtefactsMapping &aMap, IMAGE_FILE_HEADER *_nt_hdr) | pesieve::ArtefactScanner | protected |
| setSecHdr(ArtefactsMapping &mapping, IMAGE_SECTION_HEADER *_sec_hdr) | pesieve::ArtefactScanner | protected |
| ~ArtefactScanner() | pesieve::ArtefactScanner | inline virtual |
| ~ProcessFeatureScanner() | pesieve::ProcessFeatureScanner | inline virtual |