PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::MemPageData Class Reference

#include <mempage_data.h>

Public Member Functions

 MemPageData (HANDLE _process, bool _is_process_refl, ULONGLONG _start_va, ULONGLONG _stop_va)
 
virtual ~MemPageData ()
 
bool isRefl () const
 
bool fillInfo ()
 
bool isInfoFilled ()
 
size_t getLoadedSize (bool trimmed=false)
 
const PBYTE getLoadedData (bool trimmed=false)
 
const size_t getStartOffset (bool trimmed=false)
 
bool validatePtr (const LPVOID field_bgn, size_t field_size)
 
bool load ()
 
bool loadMappedName ()
 
bool loadModuleName ()
 
bool isRealMapping ()
 

Public Attributes

ULONGLONG start_va
 The VA that was requested; it may not be the beginning of the region.
 
ULONGLONG stop_va
 The VA at which the read will stop.
 
DWORD protection
 The page protection of the region.
 
DWORD initial_protect
 
bool is_private
 
DWORD mapping_type
 
bool is_listed_module
 
ULONGLONG alloc_base
 
ULONGLONG region_start
 
ULONGLONG region_end
 
std::string mapped_name
 If the region is mapped from a file, stores its file name.
 
std::string module_name
 If the region is on the list of loaded PEs, stores its module name.
 
util::ByteBuffer loadedData
 

Protected Member Functions

bool _loadRemote ()
 
void _freeRemote ()
 

Protected Attributes

bool is_info_filled
 
const bool is_process_refl
 
HANDLE processHandle
 

Detailed Description

Definition at line 11 of file mempage_data.h.

Constructor & Destructor Documentation

◆ MemPageData()

pesieve::MemPageData::MemPageData ( HANDLE _process, bool _is_process_refl, ULONGLONG _start_va, ULONGLONG _stop_va )
inline

Definition at line 14 of file mempage_data.h.

◆ ~MemPageData()

virtual pesieve::MemPageData::~MemPageData ( )
inline virtual

Definition at line 23 of file mempage_data.h.

Member Function Documentation

◆ _freeRemote()

void pesieve::MemPageData::_freeRemote ( )
inline protected

Definition at line 82 of file mempage_data.h.

◆ _loadRemote()

bool pesieve::MemPageData::_loadRemote ( )
protected

Definition at line 112 of file mempage_data.cpp.

◆ fillInfo()

bool pesieve::MemPageData::fillInfo ( )

Definition at line 7 of file mempage_data.cpp.

◆ getLoadedData()

const PBYTE pesieve::MemPageData::getLoadedData ( bool trimmed = false)
inline

Definition at line 32 of file mempage_data.h.

◆ getLoadedSize()

size_t pesieve::MemPageData::getLoadedSize ( bool trimmed = false)
inline

Definition at line 31 of file mempage_data.h.

◆ getStartOffset()

const size_t pesieve::MemPageData::getStartOffset ( bool trimmed = false)
inline

Definition at line 33 of file mempage_data.h.

◆ isInfoFilled()

bool pesieve::MemPageData::isInfoFilled ( )
inline

Definition at line 30 of file mempage_data.h.

◆ isRealMapping()

bool pesieve::MemPageData::isRealMapping ( )

Definition at line 60 of file mempage_data.cpp.

◆ isRefl()

bool pesieve::MemPageData::isRefl ( ) const
inline

Definition at line 28 of file mempage_data.h.

◆ load()

bool pesieve::MemPageData::load ( )
inline

Definition at line 56 of file mempage_data.h.

◆ loadMappedName()

bool pesieve::MemPageData::loadMappedName ( )

Definition at line 44 of file mempage_data.cpp.

◆ loadModuleName()

bool pesieve::MemPageData::loadModuleName ( )

Definition at line 30 of file mempage_data.cpp.

◆ validatePtr()

bool pesieve::MemPageData::validatePtr ( const LPVOID field_bgn, size_t field_size )
inline

Definition at line 35 of file mempage_data.h.

Member Data Documentation

◆ alloc_base

ULONGLONG pesieve::MemPageData::alloc_base

Definition at line 48 of file mempage_data.h.

◆ initial_protect

DWORD pesieve::MemPageData::initial_protect

Definition at line 43 of file mempage_data.h.

◆ is_info_filled

bool pesieve::MemPageData::is_info_filled
protected

Definition at line 87 of file mempage_data.h.

◆ is_listed_module

bool pesieve::MemPageData::is_listed_module

Definition at line 46 of file mempage_data.h.

◆ is_private

bool pesieve::MemPageData::is_private

Definition at line 44 of file mempage_data.h.

◆ is_process_refl

const bool pesieve::MemPageData::is_process_refl
protected

Definition at line 88 of file mempage_data.h.

◆ loadedData

util::ByteBuffer pesieve::MemPageData::loadedData

Definition at line 77 of file mempage_data.h.

◆ mapped_name

std::string pesieve::MemPageData::mapped_name

If the region is mapped from a file, stores its file name.

Definition at line 52 of file mempage_data.h.

◆ mapping_type

DWORD pesieve::MemPageData::mapping_type

Definition at line 45 of file mempage_data.h.

◆ module_name

std::string pesieve::MemPageData::module_name

If the region is on the list of loaded PEs, stores its module name.

Definition at line 53 of file mempage_data.h.

◆ processHandle

HANDLE pesieve::MemPageData::processHandle
protected

Definition at line 89 of file mempage_data.h.

◆ protection

DWORD pesieve::MemPageData::protection

The page protection of the region.

Definition at line 42 of file mempage_data.h.

◆ region_end

ULONGLONG pesieve::MemPageData::region_end

Definition at line 50 of file mempage_data.h.

◆ region_start

ULONGLONG pesieve::MemPageData::region_start

Definition at line 49 of file mempage_data.h.

◆ start_va

ULONGLONG pesieve::MemPageData::start_va

The VA that was requested; it may not be the beginning of the region.

Definition at line 40 of file mempage_data.h.

◆ stop_va

ULONGLONG pesieve::MemPageData::stop_va

The VA at which the read will stop.

Definition at line 41 of file mempage_data.h.


The documentation for this class was generated from the following files: