PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
pesieve::PeReconstructor Class Reference

#include <pe_reconstructor.h>

Public Member Functions

 PeReconstructor (PeArtefacts _artefacts, PeBuffer &_peBuffer)
bool reconstruct ()

Protected Member Functions

bool reconstructFileHdr ()
bool reconstructPeHdr ()
bool fixSectionsVirtualSize (HANDLE processHandle)
bool fixSectionsCharacteristics (HANDLE processHandle)
size_t shiftPeHeader ()

Protected Attributes

const PeArtefacts origArtefacts
PeArtefacts artefacts
PeBufferpeBuffer

Detailed Description

Definition at line 45 of file pe_reconstructor.h.

Constructor & Destructor Documentation

◆ PeReconstructor()

pesieve::PeReconstructor::PeReconstructor ( PeArtefacts _artefacts,
PeBuffer & _peBuffer )
inline

Definition at line 47 of file pe_reconstructor.h.

Member Function Documentation

◆ fixSectionsCharacteristics()

bool pesieve::PeReconstructor::fixSectionsCharacteristics ( HANDLE processHandle)
protected

Definition at line 191 of file pe_reconstructor.cpp.

Here is the call graph for this function:

◆ fixSectionsVirtualSize()

bool pesieve::PeReconstructor::fixSectionsVirtualSize ( HANDLE processHandle)
protected

Definition at line 109 of file pe_reconstructor.cpp.

◆ reconstruct()

bool pesieve::PeReconstructor::reconstruct ( )

Definition at line 75 of file pe_reconstructor.cpp.

Here is the call graph for this function:

◆ reconstructFileHdr()

bool pesieve::PeReconstructor::reconstructFileHdr ( )
protected

Definition at line 228 of file pe_reconstructor.cpp.

Here is the call graph for this function:

◆ reconstructPeHdr()

bool pesieve::PeReconstructor::reconstructPeHdr ( )
protected

Definition at line 272 of file pe_reconstructor.cpp.

Here is the call graph for this function:

◆ shiftPeHeader()

size_t pesieve::PeReconstructor::shiftPeHeader ( )
protected

Definition at line 18 of file pe_reconstructor.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ artefacts

PeArtefacts pesieve::PeReconstructor::artefacts
protected

Definition at line 63 of file pe_reconstructor.h.

◆ origArtefacts

const PeArtefacts pesieve::PeReconstructor::origArtefacts
protected

Definition at line 62 of file pe_reconstructor.h.

◆ peBuffer

PeBuffer& pesieve::PeReconstructor::peBuffer
protected

Definition at line 64 of file pe_reconstructor.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.17.0