PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::IATBlock Class Reference

#include <iat_block.h>

Public Member Functions

 IATBlock (bool _is64bit, DWORD _iat_offset)
 
 ~IATBlock ()
 
bool operator< (const IATBlock &other) const
 
bool append (DWORD rva, ULONGLONG functionVA, const peconv::ExportedFunc *exp)
 
bool isCovered () const
 
bool isValid () const
 
size_t countThunks () const
 
std::string toString ()
 
void deleteThunkSeries ()
 
bool makeCoverage (IN const peconv::ExportsMapper *exportsMap)
 
size_t maxDllLen ()
 
size_t sizeOfDllsSpace ()
 

Public Attributes

bool isTerminated
 
bool isInMain
 
DWORD iatOffset
 
size_t iatSize
 
DWORD importTableOffset
 

Protected Member Functions

IATThunksSeriesSet splitSeries (IN IATThunksSeries *notCoveredSeries, IN const peconv::ExportsMapper &exportsMap)
 

Protected Attributes

IATThunksSeriesSet thunkSeries
 
bool is64bit
 
bool isCoverageComplete
 
std::map< ULONGLONG, const peconv::ExportedFunc * > functions
 
std::map< ULONGLONG, ULONGLONG > addrToFunctionVA
 

Friends

class ImpReconstructor
 

Detailed Description

Definition at line 87 of file iat_block.h.

Constructor & Destructor Documentation

◆ IATBlock()

pesieve::IATBlock::IATBlock ( bool _is64bit, DWORD _iat_offset )
inline

Definition at line 90 of file iat_block.h.

◆ ~IATBlock()

pesieve::IATBlock::~IATBlock ( )
inline

Definition at line 98 of file iat_block.h.

Member Function Documentation

◆ append()

bool pesieve::IATBlock::append ( DWORD rva, ULONGLONG functionVA, const peconv::ExportedFunc * exp )
inline

Definition at line 108 of file iat_block.h.

◆ countThunks()

size_t pesieve::IATBlock::countThunks ( ) const
inline

Definition at line 144 of file iat_block.h.

◆ deleteThunkSeries()

void pesieve::IATBlock::deleteThunkSeries ( )
inline

Definition at line 151 of file iat_block.h.

◆ isCovered()

bool pesieve::IATBlock::isCovered ( ) const
inline

Definition at line 132 of file iat_block.h.

◆ isValid()

bool pesieve::IATBlock::isValid ( ) const
inline

Definition at line 137 of file iat_block.h.

◆ makeCoverage()

bool pesieve::IATBlock::makeCoverage ( IN const peconv::ExportsMapper * exportsMap)

Definition at line 108 of file iat_block.cpp.

◆ maxDllLen()

size_t pesieve::IATBlock::maxDllLen ( )

Definition at line 197 of file iat_block.cpp.

◆ operator<()

bool pesieve::IATBlock::operator< ( const IATBlock & other) const
inline

Definition at line 103 of file iat_block.h.

◆ sizeOfDllsSpace()

size_t pesieve::IATBlock::sizeOfDllsSpace ( )

Definition at line 209 of file iat_block.cpp.

◆ splitSeries()

pesieve::IATThunksSeriesSet pesieve::IATBlock::splitSeries ( IN IATThunksSeries * notCoveredSeries, IN const peconv::ExportsMapper & exportsMap )
protected

Definition at line 159 of file iat_block.cpp.

◆ toString()

std::string pesieve::IATBlock::toString ( )

Definition at line 215 of file iat_block.cpp.

Friends And Related Symbol Documentation

◆ ImpReconstructor

friend class ImpReconstructor
friend

Definition at line 184 of file iat_block.h.

Member Data Documentation

◆ addrToFunctionVA

std::map<ULONGLONG, ULONGLONG> pesieve::IATBlock::addrToFunctionVA
protected

Definition at line 182 of file iat_block.h.

◆ functions

std::map<ULONGLONG, const peconv::ExportedFunc*> pesieve::IATBlock::functions
protected

Definition at line 181 of file iat_block.h.

◆ iatOffset

DWORD pesieve::IATBlock::iatOffset

Definition at line 168 of file iat_block.h.

◆ iatSize

size_t pesieve::IATBlock::iatSize

Definition at line 169 of file iat_block.h.

◆ importTableOffset

DWORD pesieve::IATBlock::importTableOffset

Definition at line 171 of file iat_block.h.

◆ is64bit

bool pesieve::IATBlock::is64bit
protected

Definition at line 178 of file iat_block.h.

◆ isCoverageComplete

bool pesieve::IATBlock::isCoverageComplete
protected

Definition at line 179 of file iat_block.h.

◆ isInMain

bool pesieve::IATBlock::isInMain

Definition at line 166 of file iat_block.h.

◆ isTerminated

bool pesieve::IATBlock::isTerminated

Definition at line 165 of file iat_block.h.

◆ thunkSeries

IATThunksSeriesSet pesieve::IATBlock::thunkSeries
protected

Definition at line 176 of file iat_block.h.


The documentation for this class was generated from the following files: