PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Public Attributes | Static Public Attributes | List of all members
pesieve::PeArtefacts Class Reference

A report about the PE artefact detected in the workingset. More...

#include <artefact_scanner.h>

Public Member Functions

 PeArtefacts ()
 
bool hasNtHdrs ()
 
bool hasSectionHdrs ()
 
ULONGLONG peImageBase ()
 
ULONGLONG dropPeBase (const ULONGLONG offset_with_pe_base) const
 
virtual const bool fieldsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
virtual const bool toJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 

Public Attributes

LONGLONG regionStart
 
size_t peBaseOffset
 
size_t ntFileHdrsOffset
 
size_t secHdrsOffset
 
size_t secCount
 
size_t calculatedImgSize
 
bool isMzPeFound
 
bool isDll
 
bool is64bit
 

Static Public Attributes

static const size_t JSON_LEVEL = 1
 

Detailed Description

A report about the PE artefact detected in the workingset.

Definition at line 22 of file artefact_scanner.h.

Constructor & Destructor Documentation

◆ PeArtefacts()

pesieve::PeArtefacts::PeArtefacts ( )
inline

Definition at line 26 of file artefact_scanner.h.

Member Function Documentation

◆ dropPeBase()

ULONGLONG pesieve::PeArtefacts::dropPeBase ( const ULONGLONG offset_with_pe_base) const
inline

Definition at line 56 of file artefact_scanner.h.

Here is the call graph for this function:

◆ fieldsToJSON()

virtual const bool pesieve::PeArtefacts::fieldsToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inlinevirtual

Definition at line 67 of file artefact_scanner.h.

Here is the call graph for this function:

◆ hasNtHdrs()

bool pesieve::PeArtefacts::hasNtHdrs ( )
inline

Definition at line 38 of file artefact_scanner.h.

◆ hasSectionHdrs()

bool pesieve::PeArtefacts::hasSectionHdrs ( )
inline

Definition at line 43 of file artefact_scanner.h.

◆ peImageBase()

ULONGLONG pesieve::PeArtefacts::peImageBase ( )
inline

Definition at line 48 of file artefact_scanner.h.

◆ toJSON()

virtual const bool pesieve::PeArtefacts::toJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inlinevirtual

Definition at line 96 of file artefact_scanner.h.

Here is the call graph for this function:

Member Data Documentation

◆ calculatedImgSize

size_t pesieve::PeArtefacts::calculatedImgSize

Definition at line 110 of file artefact_scanner.h.

◆ is64bit

bool pesieve::PeArtefacts::is64bit

Definition at line 113 of file artefact_scanner.h.

◆ isDll

bool pesieve::PeArtefacts::isDll

Definition at line 112 of file artefact_scanner.h.

◆ isMzPeFound

bool pesieve::PeArtefacts::isMzPeFound

Definition at line 111 of file artefact_scanner.h.

◆ JSON_LEVEL

const size_t pesieve::PeArtefacts::JSON_LEVEL = 1
static

Definition at line 24 of file artefact_scanner.h.

◆ ntFileHdrsOffset

size_t pesieve::PeArtefacts::ntFileHdrsOffset

Definition at line 107 of file artefact_scanner.h.

◆ peBaseOffset

size_t pesieve::PeArtefacts::peBaseOffset

Definition at line 106 of file artefact_scanner.h.

◆ regionStart

LONGLONG pesieve::PeArtefacts::regionStart

Definition at line 105 of file artefact_scanner.h.

◆ secCount

size_t pesieve::PeArtefacts::secCount

Definition at line 109 of file artefact_scanner.h.

◆ secHdrsOffset

size_t pesieve::PeArtefacts::secHdrsOffset

Definition at line 108 of file artefact_scanner.h.

The documentation for this class was generated from the following file:
Generated by doxygen 1.10.0