PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::ArtefactScanner Class Reference

A scanner for detection of artefacts related to PE implants in the process workingset.

#include <artefact_scanner.h>

Inheritance diagram for pesieve::ArtefactScanner: (derives from pesieve::ProcessFeatureScanner)

Classes

class  ArtefactsMapping
 

Public Member Functions

 ArtefactScanner (HANDLE _procHndl, const process_details _proc_details, MemPageData &_memPageData, ProcessScanReport &_process_report)
 
virtual ~ArtefactScanner ()
 
virtual ArtefactScanReport * scanRemote ()
 
- Public Member Functions inherited from pesieve::ProcessFeatureScanner
 ProcessFeatureScanner (HANDLE _processHandle)
 
virtual ~ProcessFeatureScanner ()
 

Static Public Member Functions

static size_t calcImgSize (HANDLE processHandle, HMODULE modBaseAddr, BYTE *headerBuffer, size_t headerBufferSize, IMAGE_SECTION_HEADER *hdr_ptr=NULL)
 

Protected Member Functions

void deletePrevPage ()
 
bool hasShellcode (HMODULE region_start, size_t region_size, PeArtefacts &peArt)
 
bool findMzPe (ArtefactsMapping &mapping, const size_t search_offset)
 
bool setMzPe (ArtefactsMapping &mapping, IMAGE_DOS_HEADER *_dos_hdr)
 
bool setSecHdr (ArtefactsMapping &mapping, IMAGE_SECTION_HEADER *_sec_hdr)
 
bool setNtFileHdr (ArtefactScanner::ArtefactsMapping &aMap, IMAGE_FILE_HEADER *_nt_hdr)
 
PeArtefacts * generateArtefacts (ArtefactsMapping &aMap)
 
PeArtefacts * findArtefacts (MemPageData &memPage, size_t start_offset)
 
PeArtefacts * findInPrevPages (ULONGLONG addr_start, ULONGLONG addr_stop)
 
ULONGLONG _findMZoffset (MemPageData &memPage, LPVOID hdr_ptr)
 
ULONGLONG calcPeBase (MemPageData &memPage, LPVOID hdr_ptr)
 
size_t calcImageSize (MemPageData &memPage, IMAGE_SECTION_HEADER *hdr_ptr, ULONGLONG pe_image_base)
 
IMAGE_FILE_HEADER * findNtFileHdr (MemPageData &memPage, const size_t start_offset, size_t stop_offset=INVALID_OFFSET)
 
bool _validateSecRegions (MemPageData &memPage, LPVOID sec_hdr, size_t sec_count, ULONGLONG pe_image_base, bool is_virtual)
 
bool _validateSecRegions (MemPageData &memPage, LPVOID sec_hdr, size_t sec_count)
 
BYTE * _findSecByPatterns (BYTE *search_ptr, const size_t max_search_size)
 
IMAGE_SECTION_HEADER * findSecByPatterns (MemPageData &memPageData, const size_t max_search_size, const size_t search_offset)
 
IMAGE_DOS_HEADER * findMzPeHeader (MemPageData &memPage, const size_t search_offset)
 
IMAGE_DOS_HEADER * _findDosHdrByPatterns (BYTE *search_ptr, const size_t max_search_size)
 
IMAGE_DOS_HEADER * findDosHdrByPatterns (MemPageData &memPage, const size_t start_offset, size_t stop_offset=INVALID_OFFSET)
 

Protected Attributes

MemPageData & memPage
 
MemPageData * prevMemPage
 
MemPageData * artPagePtr
 
bool isProcess64bit
 
const process_details pDetails
 
ProcessScanReport & processReport
 
- Protected Attributes inherited from pesieve::ProcessFeatureScanner
HANDLE processHandle
 

Detailed Description

A scanner for detection of artefacts related to PE implants in the process workingset.

Definition at line 157 of file artefact_scanner.h.

Constructor & Destructor Documentation

◆ ArtefactScanner()

pesieve::ArtefactScanner::ArtefactScanner (HANDLE _procHndl, const process_details _proc_details, MemPageData &_memPageData, ProcessScanReport &_process_report)
inline

Definition at line 162 of file artefact_scanner.h.

◆ ~ArtefactScanner()

virtual pesieve::ArtefactScanner::~ArtefactScanner ()
inline, virtual

Definition at line 170 of file artefact_scanner.h.

Member Function Documentation

◆ _findDosHdrByPatterns()

IMAGE_DOS_HEADER * pesieve::ArtefactScanner::_findDosHdrByPatterns (BYTE *search_ptr, const size_t max_search_size)
protected

Definition at line 254 of file artefact_scanner.cpp.

◆ _findMZoffset()

ULONGLONG pesieve::ArtefactScanner::_findMZoffset (MemPageData &memPage, LPVOID hdr_ptr)
protected

Definition at line 125 of file artefact_scanner.cpp.

◆ _findSecByPatterns()

BYTE * pesieve::ArtefactScanner::_findSecByPatterns (BYTE *search_ptr, const size_t max_search_size)
protected

Definition at line 374 of file artefact_scanner.cpp.

◆ _validateSecRegions() [1/2]

bool pesieve::ArtefactScanner::_validateSecRegions (MemPageData &memPage, LPVOID sec_hdr, size_t sec_count)
protected

Definition at line 336 of file artefact_scanner.cpp.

◆ _validateSecRegions() [2/2]

bool pesieve::ArtefactScanner::_validateSecRegions (MemPageData &memPage, LPVOID sec_hdr, size_t sec_count, ULONGLONG pe_image_base, bool is_virtual)
protected

Definition at line 298 of file artefact_scanner.cpp.

◆ calcImageSize()

size_t pesieve::ArtefactScanner::calcImageSize (MemPageData &memPage, IMAGE_SECTION_HEADER *hdr_ptr, ULONGLONG pe_image_base)
protected

Definition at line 229 of file artefact_scanner.cpp.

◆ calcImgSize()

size_t pesieve::ArtefactScanner::calcImgSize (HANDLE processHandle, HMODULE modBaseAddr, BYTE *headerBuffer, size_t headerBufferSize, IMAGE_SECTION_HEADER *hdr_ptr = NULL)
static

Definition at line 176 of file artefact_scanner.cpp.

◆ calcPeBase()

ULONGLONG pesieve::ArtefactScanner::calcPeBase (MemPageData &memPage, LPVOID hdr_ptr)
protected

Definition at line 150 of file artefact_scanner.cpp.

◆ deletePrevPage()

void pesieve::ArtefactScanner::deletePrevPage ()
inline, protected

Definition at line 238 of file artefact_scanner.h.

◆ findArtefacts()

PeArtefacts * pesieve::ArtefactScanner::findArtefacts (MemPageData &memPage, size_t start_offset)
protected

Definition at line 734 of file artefact_scanner.cpp.

◆ findDosHdrByPatterns()

IMAGE_DOS_HEADER * pesieve::ArtefactScanner::findDosHdrByPatterns (MemPageData &memPage, const size_t start_offset, size_t stop_offset = INVALID_OFFSET)
protected

Definition at line 234 of file artefact_scanner.cpp.

◆ findInPrevPages()

PeArtefacts * pesieve::ArtefactScanner::findInPrevPages (ULONGLONG addr_start, ULONGLONG addr_stop)
protected

Definition at line 836 of file artefact_scanner.cpp.

◆ findMzPe()

bool pesieve::ArtefactScanner::findMzPe (ArtefactScanner::ArtefactsMapping &aMap, const size_t search_offset)
protected

Definition at line 593 of file artefact_scanner.cpp.

◆ findMzPeHeader()

IMAGE_DOS_HEADER * pesieve::ArtefactScanner::findMzPeHeader (MemPageData &memPage, const size_t search_offset)
protected

Definition at line 560 of file artefact_scanner.cpp.

◆ findNtFileHdr()

IMAGE_FILE_HEADER * pesieve::ArtefactScanner::findNtFileHdr (MemPageData &memPage, const size_t start_offset, size_t stop_offset = INVALID_OFFSET)
protected

Definition at line 497 of file artefact_scanner.cpp.

◆ findSecByPatterns()

IMAGE_SECTION_HEADER * pesieve::ArtefactScanner::findSecByPatterns (MemPageData &memPageData, const size_t max_search_size, const size_t search_offset)
protected

Definition at line 428 of file artefact_scanner.cpp.

◆ generateArtefacts()

PeArtefacts * pesieve::ArtefactScanner::generateArtefacts (ArtefactScanner::ArtefactsMapping &aMap)
protected

Definition at line 690 of file artefact_scanner.cpp.

◆ hasShellcode()

bool pesieve::ArtefactScanner::hasShellcode (HMODULE region_start, size_t region_size, PeArtefacts &peArt)
protected

Definition at line 862 of file artefact_scanner.cpp.

◆ scanRemote()

ArtefactScanReport * pesieve::ArtefactScanner::scanRemote ( )
virtual

Perform the scan on the remote process.

Returns
A pointer to an object of the class inherited from ModuleScanReport.

Implements pesieve::ProcessFeatureScanner.

Definition at line 876 of file artefact_scanner.cpp.

◆ setMzPe()

bool pesieve::ArtefactScanner::setMzPe (ArtefactsMapping &mapping, IMAGE_DOS_HEADER *_dos_hdr)
protected

Definition at line 608 of file artefact_scanner.cpp.

◆ setNtFileHdr()

bool pesieve::ArtefactScanner::setNtFileHdr (ArtefactScanner::ArtefactsMapping &aMap, IMAGE_FILE_HEADER *_nt_hdr)
protected

Definition at line 663 of file artefact_scanner.cpp.

◆ setSecHdr()

bool pesieve::ArtefactScanner::setSecHdr (ArtefactScanner::ArtefactsMapping &aMap, IMAGE_SECTION_HEADER *_sec_hdr)
protected

Definition at line 626 of file artefact_scanner.cpp.

Member Data Documentation

◆ artPagePtr

MemPageData* pesieve::ArtefactScanner::artPagePtr
protected

Definition at line 273 of file artefact_scanner.h.

◆ isProcess64bit

bool pesieve::ArtefactScanner::isProcess64bit
protected

Definition at line 274 of file artefact_scanner.h.

◆ memPage

MemPageData& pesieve::ArtefactScanner::memPage
protected

Definition at line 271 of file artefact_scanner.h.

◆ pDetails

const process_details pesieve::ArtefactScanner::pDetails
protected

Definition at line 275 of file artefact_scanner.h.

◆ prevMemPage

MemPageData* pesieve::ArtefactScanner::prevMemPage
protected

Definition at line 272 of file artefact_scanner.h.

◆ processReport

ProcessScanReport& pesieve::ArtefactScanner::processReport
protected

Definition at line 276 of file artefact_scanner.h.


The documentation for this class was generated from the following files: