PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
A report from an IAT scan, generated by IATScanner.
#include <iat_scanner.h>

Public Member Functions
  IATScanReport (HMODULE _module, size_t _moduleSize, std::string _moduleFile)
  virtual const bool toJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
  bool generateList (IN const std::string &fileName, IN HANDLE hProcess, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)
  const bool hooksToJSON (std::stringstream &outs, size_t level)
  size_t countHooked ()

Public Member Functions inherited from pesieve::ModuleScanReport
  ModuleScanReport (HMODULE _module, size_t _moduleSize, t_scan_status _status=SCAN_NOT_SUSPICIOUS)
  virtual ~ModuleScanReport ()
  virtual ULONGLONG getRelocBase ()

Public Member Functions inherited from pesieve::ElementScanReport
  ElementScanReport (t_scan_status _status=SCAN_NOT_SUSPICIOUS)

Static Public Member Functions
  static bool saveNotRecovered (IN const std::string &fileName, IN HANDLE hProcess, IN peconv::ImportsCollection *storedFunc, IN peconv::ImpsNotCovered &notCovered, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)

Static Public Member Functions inherited from pesieve::ElementScanReport
  static t_scan_status get_scan_status (const ElementScanReport *report)

Public Attributes
  peconv::ImportsCollection storedFunc
  peconv::ImpsNotCovered notCovered

Public Attributes inherited from pesieve::ModuleScanReport
  HMODULE module
  size_t moduleSize
  bool isDotNetModule
  std::string moduleFile
  ULONGLONG origBase
  ULONGLONG relocBase

Public Attributes inherited from pesieve::ElementScanReport
  t_scan_status status

Static Protected Member Functions
  static std::string formatHookedFuncName (IN peconv::ImportsCollection *storedFunc, DWORD thunk_rva)
  static std::string formatTargetName (IN const peconv::ExportsMapper *exportsMap, IN const ModulesInfo &modulesInfo, IN const ULONGLONG module_start, IN ULONGLONG addr)

Additional Inherited Members

Static Public Attributes inherited from pesieve::ElementScanReport
  static const size_t JSON_LEVEL = 1

Protected Member Functions inherited from pesieve::ModuleScanReport
  virtual const bool _toJSON (std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition at line 11 of file iat_scanner.h.
Definition at line 49 of file iat_scanner.h.
Definition at line 75 of file iat_scanner.cpp.
bool IATScanReport::generateList (IN const std::string &fileName, IN HANDLE hProcess, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)

const bool IATScanReport::hooksToJSON (std::stringstream &outs, size_t level)
Definition at line 11 of file iat_scanner.cpp.
virtual const bool IATScanReport::toJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Implements pesieve::ModuleScanReport.
Definition at line 28 of file iat_scanner.h.

peconv::ImpsNotCovered pesieve::IATScanReport::notCovered
Definition at line 52 of file iat_scanner.h.

peconv::ImportsCollection pesieve::IATScanReport::storedFunc
Definition at line 51 of file iat_scanner.h.