PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
#include <artefact_scanner.h>
Public Member Functions
  ArtefactsMapping (MemPageData &_memPage, bool _is64bit)
  bool foundAny ()
  size_t getScore () const
  bool operator< (const ArtefactsMapping &map2) const
  ArtefactsMapping & operator= (const ArtefactsMapping &other)

Public Attributes
  MemPageData & memPage
  ULONGLONG pe_image_base
  IMAGE_DOS_HEADER * dos_hdr
  IMAGE_FILE_HEADER * nt_file_hdr
  IMAGE_SECTION_HEADER * sec_hdr
  size_t sec_count
  bool isMzPeFound
  bool is64bit
Definition at line 178 of file artefact_scanner.h.
Definition at line 193 of file artefact_scanner.h.
Definition at line 217 of file artefact_scanner.h.
IMAGE_DOS_HEADER* pesieve::ArtefactScanner::ArtefactsMapping::dos_hdr
Definition at line 230 of file artefact_scanner.h.

bool pesieve::ArtefactScanner::ArtefactsMapping::is64bit
Definition at line 235 of file artefact_scanner.h.

bool pesieve::ArtefactScanner::ArtefactsMapping::isMzPeFound
Definition at line 234 of file artefact_scanner.h.

MemPageData& pesieve::ArtefactScanner::ArtefactsMapping::memPage
Definition at line 228 of file artefact_scanner.h.

IMAGE_FILE_HEADER* pesieve::ArtefactScanner::ArtefactsMapping::nt_file_hdr
Definition at line 231 of file artefact_scanner.h.

ULONGLONG pesieve::ArtefactScanner::ArtefactsMapping::pe_image_base
Definition at line 229 of file artefact_scanner.h.

size_t pesieve::ArtefactScanner::ArtefactsMapping::sec_count
Definition at line 233 of file artefact_scanner.h.

IMAGE_SECTION_HEADER* pesieve::ArtefactScanner::ArtefactsMapping::sec_hdr
Definition at line 232 of file artefact_scanner.h.