PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::IATBlock Class Reference

#include <iat_block.h>

Public Member Functions

 IATBlock (bool _is64bit, DWORD _iat_offset)
 
 ~IATBlock ()
 
bool operator< (const IATBlock &other) const
 
void appendSeries (IATThunksSeries *series)
 
bool append (ULONGLONG offset, ULONGLONG functionVA, const peconv::ExportedFunc *exp)
 
bool isCovered () const
 
bool isValid () const
 
size_t countThunks () const
 
std::string toString ()
 
void deleteThunkSeries ()
 
bool makeCoverage (IN const peconv::ExportsMapper *exportsMap)
 
size_t maxDllLen ()
 
size_t sizeOfDllsSpace ()
 

Public Attributes

bool isTerminated
 
bool isInMain
 
DWORD iatOffset
 
size_t iatSize
 
DWORD importTableOffset
 

Protected Member Functions

IATThunksSeriesSet splitSeries (IN IATThunksSeries *notCoveredSeries, IN const peconv::ExportsMapper &exportsMap)
 

Protected Attributes

IATThunksSeriesSet thunkSeries
 
bool is64bit
 
bool isCoverageComplete
 
std::map< ULONGLONG, const peconv::ExportedFunc * > functions
 
std::map< ULONGLONG, ULONGLONG > addrToFunctionVA
 

Friends

class ImpReconstructor
 

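Detailed Description

This page carries no class description. Going by the member names and signatures listed here (not confirmed against the implementation), an IATBlock describes one Import Address Table (IAT) region, identified by iatOffset and iatSize. append() takes a thunk offset together with the function VA and the peconv::ExportedFunc associated with it. The thunks are grouped into IATThunksSeries, and makeCoverage() works against a peconv::ExportsMapper. The friend class ImpReconstructor is the only consumer visible on this page. appendSeries() accepts a raw IATThunksSeries pointer and the functions map stores raw peconv::ExportedFunc pointers; ownership and lifetime are not stated here and should be confirmed in iat_block.h before reusing the class.

Definition at line 78 of file iat_block.h.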

Constructor & Destructor Documentation

◆ IATBlock()

pesieve::IATBlock::IATBlock ( bool _is64bit,
DWORD _iat_offset )
inline

Definition at line 81 of file iat_block.h.

◆ ~IATBlock()

pesieve::IATBlock::~IATBlock ( )
inline

Definition at line 89 of file iat_block.h.


Member Function Documentation

◆ append()

bool pesieve::IATBlock::append ( ULONGLONG offset,
ULONGLONG functionVA,
const peconv::ExportedFunc * exp )
inline

Definition at line 104 of file iat_block.h.

◆ appendSeries()

void pesieve::IATBlock::appendSeries ( IATThunksSeries * series)
inline

Definition at line 99 of file iat_block.h.

◆ countThunks()

size_t pesieve::IATBlock::countThunks ( ) const
inline

Definition at line 125 of file iat_block.h.

◆ deleteThunkSeries()

void pesieve::IATBlock::deleteThunkSeries ( )
inline

Definition at line 132 of file iat_block.h.

◆ isCovered()

bool pesieve::IATBlock::isCovered ( ) const
inline

Definition at line 113 of file iat_block.h.

◆ isValid()

bool pesieve::IATBlock::isValid ( ) const
inline

Definition at line 118 of file iat_block.h.


◆ makeCoverage()

bool pesieve::IATBlock::makeCoverage ( IN const peconv::ExportsMapper * exportsMap)

Definition at line 108 of file iat_block.cpp.


◆ maxDllLen()

size_t pesieve::IATBlock::maxDllLen ( )

Definition at line 189 of file iat_block.cpp.


◆ operator<()

bool pesieve::IATBlock::operator< ( const IATBlock & other) const
inline

Definition at line 94 of file iat_block.h.

◆ sizeOfDllsSpace()

size_t pesieve::IATBlock::sizeOfDllsSpace ( )

Definition at line 201 of file iat_block.cpp.

◆ splitSeries()

pesieve::IATThunksSeriesSet pesieve::IATBlock::splitSeries ( IN IATThunksSeries * notCoveredSeries,
IN const peconv::ExportsMapper & exportsMap )
protected

Definition at line 151 of file iat_block.cpp.


◆ toString()

std::string pesieve::IATBlock::toString ( )

Definition at line 207 of file iat_block.cpp.

Friends And Related Symbol Documentation

◆ ImpReconstructor

friend class ImpReconstructor
friend

Definition at line 165 of file iat_block.h.

Member Data Documentation

◆ addrToFunctionVA

std::map<ULONGLONG, ULONGLONG> pesieve::IATBlock::addrToFunctionVA
protected

Definition at line 163 of file iat_block.h.

◆ functions

std::map<ULONGLONG, const peconv::ExportedFunc*> pesieve::IATBlock::functions
protected

Definition at line 162 of file iat_block.h.

◆ iatOffset

DWORD pesieve::IATBlock::iatOffset

Definition at line 149 of file iat_block.h.

◆ iatSize

size_t pesieve::IATBlock::iatSize

Definition at line 150 of file iat_block.h.

◆ importTableOffset

DWORD pesieve::IATBlock::importTableOffset

Definition at line 152 of file iat_block.h.

◆ is64bit

bool pesieve::IATBlock::is64bit
protected

Definition at line 159 of file iat_block.h.

◆ isCoverageComplete

bool pesieve::IATBlock::isCoverageComplete
protected

Definition at line 160 of file iat_block.h.

◆ isInMain

bool pesieve::IATBlock::isInMain

Definition at line 147 of file iat_block.h.

◆ isTerminated

bool pesieve::IATBlock::isTerminated

Definition at line 146 of file iat_block.h.

◆ thunkSeries

IATThunksSeriesSet pesieve::IATBlock::thunkSeries
protected

Definition at line 157 of file iat_block.h.


The documentation for this class was generated from the following files: