PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loads a module from the disk, corresponding to the module in the scanned process' memory.
#include <module_data.h>
Public Member Functions
| Return type | Member |
| --- | --- |
| | ModuleData (HANDLE _processHandle, HMODULE _module, bool _isPEBConnected, bool _useCache, const char *_moduleName=nullptr) |
| | ~ModuleData () |
| bool | is64bit () |
| bool | isDotNet () |
| ULONGLONG | rvaToVa (DWORD rva, ULONGLONG module_base=0) |
| DWORD | vaToRva (ULONGLONG va, ULONGLONG module_base=0) |
| bool | isModuleInPEBList () |
| bool | isInitialized () |
| ULONGLONG | getHdrImageBase () |
| bool | loadOriginal () |
| bool | switchToMappedPath () |
| bool | switchToWow64Path () |
| bool | reloadWow64 () |
| bool | relocateToBase (ULONGLONG new_base) |
| bool | loadRelocatedFields (std::set< DWORD > &fields_rvas) |
| bool | loadImportThunks (std::set< DWORD > &fields_rvas) |
| bool | loadImportsList (peconv::ImportsCollection &collection) |

Public Attributes
| Type | Member |
| --- | --- |
| HANDLE | processHandle |
| HMODULE | moduleHandle |
| char | szModName [MAX_PATH] |
| bool | is_module_named |
| PBYTE | original_module |
| size_t | original_size |

Protected Member Functions
| Return type | Member |
| --- | --- |
| bool | _loadOriginal (bool disableFSredir) |
| bool | loadModuleName () |
| bool | autoswichIfWow64Mapping () |
| bool | isDotNetManagedCode () |

Protected Attributes
| Type | Member |
| --- | --- |
| bool | is_dot_net |
| bool | isPEBConnected |
| bool | useCache |

Friends
| | Member |
| --- | --- |
| class | PeSection |
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition at line 15 of file module_data.h.
Member Function Documentation

bool pesieve::ModuleData::loadImportsList (peconv::ImportsCollection &collection)
Definition at line 132 of file module_data.cpp.

bool pesieve::ModuleData::loadImportThunks (std::set< DWORD > &fields_rvas)
Definition at line 113 of file module_data.cpp.
bool pesieve::ModuleData::loadOriginal ()

bool pesieve::ModuleData::loadRelocatedFields (std::set< DWORD > &fields_rvas)

bool pesieve::ModuleData::reloadWow64 ()

bool pesieve::ModuleData::relocateToBase (ULONGLONG new_base)
Definition at line 148 of file module_data.cpp.
bool pesieve::ModuleData::switchToMappedPath ()

bool pesieve::ModuleData::switchToWow64Path ()
Friends Documentation

friend class PeSection
Definition at line 116 of file module_data.h.

Member Data Documentation

bool pesieve::ModuleData::is_dot_net (protected)
Definition at line 112 of file module_data.h.

bool pesieve::ModuleData::is_module_named
Definition at line 101 of file module_data.h.

bool pesieve::ModuleData::isPEBConnected (protected)
Definition at line 113 of file module_data.h.

HMODULE pesieve::ModuleData::moduleHandle
Definition at line 99 of file module_data.h.

PBYTE pesieve::ModuleData::original_module
Definition at line 103 of file module_data.h.

size_t pesieve::ModuleData::original_size
Definition at line 104 of file module_data.h.

HANDLE pesieve::ModuleData::processHandle
Definition at line 98 of file module_data.h.

char pesieve::ModuleData::szModName[MAX_PATH]
Definition at line 100 of file module_data.h.

bool pesieve::ModuleData::useCache (protected)
Definition at line 114 of file module_data.h.