PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::ImpReconstructor Class Reference

#include <imp_reconstructor.h>

Public Types

enum  imprec_filter { IMP_REC0 , IMP_REC1 , IMP_REC2 , IMP_REC_COUNT }
 
enum  imprec_res {
  IMP_NOT_FOUND = -3 , IMP_RECOVERY_ERROR = -2 , IMP_RECOVERY_NOT_APPLICABLE = -1 , IMP_RECOVERY_SKIPPED = 0 ,
  IMP_ALREADY_OK = 1 , IMP_DIR_FIXED = 2 , IMP_FIXED = 3 , IMP_RECREATED_FILTER0 = 4 ,
  IMP_RECREATED_FILTER1 = 5 , IMP_RECREATED_FILTER2 = 6
}
 
typedef enum pesieve::ImpReconstructor::imprec_filter t_imprec_filter
 
typedef enum pesieve::ImpReconstructor::imprec_res t_imprec_res
 

Public Member Functions

 ImpReconstructor (PeBuffer &_peBuffer)
 
 ~ImpReconstructor ()
 
t_imprec_res rebuildImportTable (const IN peconv::ExportsMapper *exportsMap, IN const pesieve::t_imprec_mode &imprec_mode)
 
bool printFoundIATs (std::string reportPath)
 

Detailed Description

Definition at line 156 of file imp_reconstructor.h.

Member Typedef Documentation

◆ t_imprec_filter

◆ t_imprec_res

Member Enumeration Documentation

◆ imprec_filter

Enumerator
IMP_REC0 
IMP_REC1 
IMP_REC2 
IMP_REC_COUNT 

Definition at line 179 of file imp_reconstructor.h.

◆ imprec_res

Enumerator
IMP_NOT_FOUND 
IMP_RECOVERY_ERROR 
IMP_RECOVERY_NOT_APPLICABLE 
IMP_RECOVERY_SKIPPED 
IMP_ALREADY_OK 
IMP_DIR_FIXED 
IMP_FIXED 
IMP_RECREATED_FILTER0 
IMP_RECREATED_FILTER1 
IMP_RECREATED_FILTER2 

Definition at line 186 of file imp_reconstructor.h.

Constructor & Destructor Documentation

◆ ImpReconstructor()

pesieve::ImpReconstructor::ImpReconstructor(PeBuffer &_peBuffer)
inline

Definition at line 160 of file imp_reconstructor.h.

◆ ~ImpReconstructor()

pesieve::ImpReconstructor::~ImpReconstructor()
inline

Definition at line 174 of file imp_reconstructor.h.

Member Function Documentation

◆ printFoundIATs()

bool pesieve::ImpReconstructor::printFoundIATs(std::string reportPath)

Definition at line 201 of file imp_reconstructor.cpp.

◆ rebuildImportTable()

pesieve::ImpReconstructor::t_imprec_res pesieve::ImpReconstructor::rebuildImportTable(const IN peconv::ExportsMapper *exportsMap, IN const pesieve::t_imprec_mode &imprec_mode)

Definition at line 152 of file imp_reconstructor.cpp.

The documentation for this class was generated from the following files: