PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::PeBuffer Class Reference

#include <pe_buffer.h>

Public Member Functions

 PeBuffer (HANDLE _process_hndl, bool _is_refl)
 
 ~PeBuffer ()
 
bool isFilled ()
 
bool isValidPe ()
 
bool isCode ()
 
size_t getBufferSize () const
 
bool readRemote (ULONGLONG module_base, size_t pe_vsize)
 
bool fillFromBuffer (ULONGLONG module_base, util::ByteBuffer &data_cache)
 
bool resizeBuffer (size_t new_size)
 
bool resizeLastSection (size_t new_img_size)
 
bool dumpPeToFile (IN std::string dumpFileName, IN OUT peconv::t_pe_dump_mode &dumpMode, IN OPTIONAL const peconv::ExportsMapper *exportsMap=NULL, OUT OPTIONAL peconv::ImpsNotCovered *notCovered=NULL)
 
bool dumpToFile (IN std::string dumpFileName)
 
ULONGLONG getModuleBase () const
 
ULONGLONG getRelocBase () const
 
void setRelocBase (ULONGLONG reloc_base)
 

Protected Member Functions

bool _readRemote (ULONGLONG module_base, size_t pe_vsize)
 
size_t calcRemoteImgSize (ULONGLONG module_base) const
 
bool allocBuffer (const size_t pe_vsize)
 
void freeBuffer ()
 

Protected Attributes

HANDLE processHndl
 
bool isRefl
 
BYTE* vBuf
 
size_t vBufSize
 
ULONGLONG moduleBase
 
ULONGLONG relocBase
 

Friends

class ImpReconstructor
 
class PeReconstructor
 

Detailed Description

Holds an in-memory copy of a PE image taken from another process: the constructor takes a process `HANDLE` (stored in `processHndl`), `readRemote`/`fillFromBuffer` populate the buffer, and `dumpPeToFile`/`dumpToFile` write it out. The member list also shows the buffer can be resized (`resizeBuffer`, `resizeLastSection`). Since the contents come from a scanned (possibly hostile) process, treat them as untrusted input when parsing; the exact validation performed is not described on this page — see the definition.

Definition at line 8 of file pe_buffer.h.

Constructor & Destructor Documentation

◆ PeBuffer()

pesieve::PeBuffer::PeBuffer ( HANDLE _process_hndl,
bool _is_refl )
inline

Definition at line 10 of file pe_buffer.h.

◆ ~PeBuffer()

pesieve::PeBuffer::~PeBuffer ( )
inline

Definition at line 16 of file pe_buffer.h.


Member Function Documentation

◆ _readRemote()

bool pesieve::PeBuffer::_readRemote ( ULONGLONG module_base,
size_t pe_vsize )
protected

Definition at line 58 of file pe_buffer.cpp.


◆ allocBuffer()

bool pesieve::PeBuffer::allocBuffer ( const size_t pe_vsize)
inline, protected

Definition at line 87 of file pe_buffer.h.


◆ calcRemoteImgSize()

size_t pesieve::PeBuffer::calcRemoteImgSize ( ULONGLONG module_base) const
protected

Definition at line 7 of file pe_buffer.cpp.


◆ dumpPeToFile()

bool pesieve::PeBuffer::dumpPeToFile ( IN std::string dumpFileName,
IN OUT peconv::t_pe_dump_mode & dumpMode,
IN OPTIONAL const peconv::ExportsMapper * exportsMap = NULL,
OUT OPTIONAL peconv::ImpsNotCovered * notCovered = NULL )

Definition at line 129 of file pe_buffer.cpp.


◆ dumpToFile()

bool pesieve::PeBuffer::dumpToFile ( IN std::string dumpFileName)

Definition at line 169 of file pe_buffer.cpp.

◆ fillFromBuffer()

bool pesieve::PeBuffer::fillFromBuffer ( ULONGLONG module_base,
util::ByteBuffer & data_cache )

Definition at line 42 of file pe_buffer.cpp.


◆ freeBuffer()

void pesieve::PeBuffer::freeBuffer ( )
inline, protected

Definition at line 98 of file pe_buffer.h.

◆ getBufferSize()

size_t pesieve::PeBuffer::getBufferSize ( ) const
inline

Definition at line 38 of file pe_buffer.h.

◆ getModuleBase()

ULONGLONG pesieve::PeBuffer::getModuleBase ( ) const
inline

Definition at line 67 of file pe_buffer.h.

◆ getRelocBase()

ULONGLONG pesieve::PeBuffer::getRelocBase ( ) const
inline

Definition at line 72 of file pe_buffer.h.

◆ isCode()

bool pesieve::PeBuffer::isCode ( )

Definition at line 175 of file pe_buffer.cpp.


◆ isFilled()

bool pesieve::PeBuffer::isFilled ( )
inline

Definition at line 21 of file pe_buffer.h.

◆ isValidPe()

bool pesieve::PeBuffer::isValidPe ( )
inline

Definition at line 26 of file pe_buffer.h.

◆ readRemote()

bool pesieve::PeBuffer::readRemote ( ULONGLONG module_base,
size_t pe_vsize )

Definition at line 27 of file pe_buffer.cpp.


◆ resizeBuffer()

bool pesieve::PeBuffer::resizeBuffer ( size_t new_size)

Definition at line 81 of file pe_buffer.cpp.


◆ resizeLastSection()

bool pesieve::PeBuffer::resizeLastSection ( size_t new_img_size)

Definition at line 99 of file pe_buffer.cpp.


◆ setRelocBase()

void pesieve::PeBuffer::setRelocBase ( ULONGLONG reloc_base)
inline

Definition at line 77 of file pe_buffer.h.


Friends And Related Symbol Documentation

◆ ImpReconstructor

Definition at line 112 of file pe_buffer.h.

◆ PeReconstructor

Definition at line 113 of file pe_buffer.h.

Member Data Documentation

◆ isRefl

bool pesieve::PeBuffer::isRefl
protected

Definition at line 106 of file pe_buffer.h.

◆ moduleBase

ULONGLONG pesieve::PeBuffer::moduleBase
protected

Definition at line 109 of file pe_buffer.h.

◆ processHndl

HANDLE pesieve::PeBuffer::processHndl
protected

Definition at line 105 of file pe_buffer.h.

◆ relocBase

ULONGLONG pesieve::PeBuffer::relocBase
protected

Definition at line 110 of file pe_buffer.h.

◆ vBuf

BYTE* pesieve::PeBuffer::vBuf
protected

Definition at line 107 of file pe_buffer.h.

◆ vBufSize

size_t pesieve::PeBuffer::vBufSize
protected

Definition at line 108 of file pe_buffer.h.

