PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Protected Member Functions | Protected Attributes | Friends | List of all members
pesieve::PeBuffer Class Reference

#include <pe_buffer.h>

Public Member Functions

 PeBuffer (HANDLE _process_hndl, bool _is_refl)
 ~PeBuffer ()
bool isFilled ()
bool isValidPe ()
bool isCode ()
size_t getBufferSize () const
bool readRemote (ULONGLONG module_base, size_t pe_vsize)
bool fillFromBuffer (ULONGLONG module_base, util::ByteBuffer &data_cache)
bool resizeBuffer (size_t new_size)
bool resizeLastSection (size_t new_img_size)
bool dumpPeToFile (IN std::string dumpFileName, IN OUT peconv::t_pe_dump_mode &dumpMode, IN OPTIONAL const peconv::ExportsMapper *exportsMap=nullptr, OUT OPTIONAL peconv::ImpsNotCovered *notCovered=nullptr)
bool dumpToFile (IN std::string dumpFileName)
ULONGLONG getModuleBase () const
ULONGLONG getRelocBase () const
void setRelocBase (ULONGLONG reloc_base)

Protected Member Functions

bool _readRemote (ULONGLONG module_base, size_t pe_vsize)
size_t calcRemoteImgSize (ULONGLONG module_base) const
bool allocBuffer (const size_t pe_vsize)
void freeBuffer ()

Protected Attributes

HANDLE processHndl
bool isRefl
BYTE * vBuf
size_t vBufSize
ULONGLONG moduleBase
ULONGLONG relocBase

Friends

class ImpReconstructor
class PeReconstructor

Detailed Description

Definition at line 8 of file pe_buffer.h.

Constructor & Destructor Documentation

◆ PeBuffer()

pesieve::PeBuffer::PeBuffer ( HANDLE _process_hndl,
bool _is_refl )
inline

Definition at line 10 of file pe_buffer.h.

◆ ~PeBuffer()

pesieve::PeBuffer::~PeBuffer ( )
inline

Definition at line 17 of file pe_buffer.h.

Here is the call graph for this function:

Member Function Documentation

◆ _readRemote()

bool pesieve::PeBuffer::_readRemote ( ULONGLONG module_base,
size_t pe_vsize )
protected

Definition at line 60 of file pe_buffer.cpp.

Here is the call graph for this function:

◆ allocBuffer()

bool pesieve::PeBuffer::allocBuffer ( const size_t pe_vsize)
inlineprotected

Definition at line 88 of file pe_buffer.h.

Here is the call graph for this function:

◆ calcRemoteImgSize()

size_t pesieve::PeBuffer::calcRemoteImgSize ( ULONGLONG module_base) const
protected

Definition at line 7 of file pe_buffer.cpp.

Here is the call graph for this function:

◆ dumpPeToFile()

bool pesieve::PeBuffer::dumpPeToFile ( IN std::string dumpFileName,
IN OUT peconv::t_pe_dump_mode & dumpMode,
IN OPTIONAL const peconv::ExportsMapper * exportsMap = nullptr,
OUT OPTIONAL peconv::ImpsNotCovered * notCovered = nullptr )

Definition at line 133 of file pe_buffer.cpp.

Here is the call graph for this function:

◆ dumpToFile()

bool pesieve::PeBuffer::dumpToFile ( IN std::string dumpFileName)

Definition at line 173 of file pe_buffer.cpp.

◆ fillFromBuffer()

bool pesieve::PeBuffer::fillFromBuffer ( ULONGLONG module_base,
util::ByteBuffer & data_cache )

Definition at line 44 of file pe_buffer.cpp.

Here is the call graph for this function:

◆ freeBuffer()

void pesieve::PeBuffer::freeBuffer ( )
inlineprotected

Definition at line 99 of file pe_buffer.h.

◆ getBufferSize()

size_t pesieve::PeBuffer::getBufferSize ( ) const
inline

Definition at line 39 of file pe_buffer.h.

◆ getModuleBase()

ULONGLONG pesieve::PeBuffer::getModuleBase ( ) const
inline

Definition at line 68 of file pe_buffer.h.

◆ getRelocBase()

ULONGLONG pesieve::PeBuffer::getRelocBase ( ) const
inline

Definition at line 73 of file pe_buffer.h.

◆ isCode()

bool pesieve::PeBuffer::isCode ( )

Definition at line 179 of file pe_buffer.cpp.

Here is the call graph for this function:

◆ isFilled()

bool pesieve::PeBuffer::isFilled ( )
inline

Definition at line 22 of file pe_buffer.h.

◆ isValidPe()

bool pesieve::PeBuffer::isValidPe ( )
inline

Definition at line 27 of file pe_buffer.h.

◆ readRemote()

bool pesieve::PeBuffer::readRemote ( ULONGLONG module_base,
size_t pe_vsize )

Definition at line 27 of file pe_buffer.cpp.

Here is the call graph for this function:

◆ resizeBuffer()

bool pesieve::PeBuffer::resizeBuffer ( size_t new_size)

Definition at line 85 of file pe_buffer.cpp.

Here is the call graph for this function:

◆ resizeLastSection()

bool pesieve::PeBuffer::resizeLastSection ( size_t new_img_size)

Definition at line 103 of file pe_buffer.cpp.

◆ setRelocBase()

void pesieve::PeBuffer::setRelocBase ( ULONGLONG reloc_base)
inline

Definition at line 78 of file pe_buffer.h.

◆ ImpReconstructor

friend class ImpReconstructor
friend

Definition at line 113 of file pe_buffer.h.

◆ PeReconstructor

friend class PeReconstructor
friend

Definition at line 114 of file pe_buffer.h.

Member Data Documentation

◆ isRefl

bool pesieve::PeBuffer::isRefl
protected

Definition at line 107 of file pe_buffer.h.

◆ moduleBase

ULONGLONG pesieve::PeBuffer::moduleBase
protected

Definition at line 110 of file pe_buffer.h.

◆ processHndl

HANDLE pesieve::PeBuffer::processHndl
protected

Definition at line 106 of file pe_buffer.h.

◆ relocBase

ULONGLONG pesieve::PeBuffer::relocBase
protected

Definition at line 111 of file pe_buffer.h.

◆ vBuf

BYTE* pesieve::PeBuffer::vBuf
protected

Definition at line 108 of file pe_buffer.h.

◆ vBufSize

size_t pesieve::PeBuffer::vBufSize
protected

Definition at line 109 of file pe_buffer.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.17.0