PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Static Public Member Functions | Public Attributes | Static Protected Member Functions | List of all members
pesieve::IATScanReport Class Reference

A report from an IAT scan, generated by IATScanner. More...

#include <iat_scanner.h>

Inheritance diagram for pesieve::IATScanReport:
Inheritance graph
[legend]

Public Member Functions

 IATScanReport (HMODULE _module, size_t _moduleSize, std::string _moduleFile)
 
virtual const bool toJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
bool generateList (IN const std::string &fileName, IN HANDLE hProcess, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)
 
const bool hooksToJSON (std::stringstream &outs, size_t level)
 
size_t countHooked ()
 
- Public Member Functions inherited from pesieve::ModuleScanReport
 ModuleScanReport (HMODULE _module, size_t _moduleSize, t_scan_status _status)
 
 ModuleScanReport (HMODULE _module, size_t _moduleSize)
 
virtual ~ModuleScanReport ()
 
virtual ULONGLONG getRelocBase ()
 

Static Public Member Functions

static bool saveNotRecovered (IN std::string fileName, IN HANDLE hProcess, IN peconv::ImportsCollection *storedFunc, IN peconv::ImpsNotCovered &notCovered, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)
 
- Static Public Member Functions inherited from pesieve::ModuleScanReport
static t_scan_status get_scan_status (const ModuleScanReport *report)
 

Public Attributes

peconv::ImportsCollection storedFunc
 
peconv::ImpsNotCovered notCovered
 
- Public Attributes inherited from pesieve::ModuleScanReport
HMODULE size_t moduleSize
 
bool isDotNetModule
 
std::string moduleFile
 
t_scan_status status
 

Static Protected Member Functions

static std::string formatHookedFuncName (IN peconv::ImportsCollection *storedFunc, DWORD thunk_rva)
 
static std::string formatTargetName (IN const peconv::ExportsMapper *exportsMap, IN const ModulesInfo &modulesInfo, IN const ULONGLONG module_start, IN ULONGLONG addr)
 

Additional Inherited Members

- Static Public Attributes inherited from pesieve::ModuleScanReport
static const size_t JSON_LEVEL = 1
 
- Protected Member Functions inherited from pesieve::ModuleScanReport
virtual const bool _toJSON (std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
 

Detailed Description

A report from an IAT scan, generated by IATScanner.

Definition at line 11 of file iat_scanner.h.

Constructor & Destructor Documentation

◆ IATScanReport()

pesieve::IATScanReport::IATScanReport ( HMODULE _module,
size_t _moduleSize,
std::string _moduleFile )
inline

Definition at line 22 of file iat_scanner.h.

Here is the call graph for this function:

Member Function Documentation

◆ countHooked()

size_t pesieve::IATScanReport::countHooked ( )
inline

Definition at line 49 of file iat_scanner.h.

◆ formatHookedFuncName()

std::string IATScanReport::formatHookedFuncName ( IN peconv::ImportsCollection * storedFunc,
DWORD thunk_rva )
staticprotected

Definition at line 75 of file iat_scanner.cpp.

Here is the call graph for this function:

◆ formatTargetName()

std::string IATScanReport::formatTargetName ( IN const peconv::ExportsMapper * exportsMap,
IN const ModulesInfo & modulesInfo,
IN const ULONGLONG module_start,
IN ULONGLONG addr )
staticprotected

Definition at line 50 of file iat_scanner.cpp.

Here is the call graph for this function:

◆ generateList()

bool IATScanReport::generateList ( IN const std::string & fileName,
IN HANDLE hProcess,
IN const ModulesInfo & modulesInfo,
IN const peconv::ExportsMapper * exportsMap )

Definition at line 143 of file iat_scanner.cpp.

Here is the call graph for this function:

◆ hooksToJSON()

const bool IATScanReport::hooksToJSON ( std::stringstream & outs,
size_t level )

Definition at line 11 of file iat_scanner.cpp.

Here is the call graph for this function:

◆ saveNotRecovered()

bool IATScanReport::saveNotRecovered ( IN std::string fileName,
IN HANDLE hProcess,
IN peconv::ImportsCollection * storedFunc,
IN peconv::ImpsNotCovered & notCovered,
IN const ModulesInfo & modulesInfo,
IN const peconv::ExportsMapper * exportsMap )
static

Definition at line 92 of file iat_scanner.cpp.

Here is the call graph for this function:

◆ toJSON()

virtual const bool pesieve::IATScanReport::toJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inlinevirtual

Implements pesieve::ModuleScanReport.

Definition at line 28 of file iat_scanner.h.

Here is the call graph for this function:

Member Data Documentation

◆ notCovered

peconv::ImpsNotCovered pesieve::IATScanReport::notCovered

Definition at line 52 of file iat_scanner.h.

◆ storedFunc

peconv::ImportsCollection pesieve::IATScanReport::storedFunc

Definition at line 51 of file iat_scanner.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.10.0