PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::PeReconstructor Class Reference

#include <pe_reconstructor.h>

Public Member Functions

 PeReconstructor (PeArtefacts _artefacts, PeBuffer &_peBuffer)
 
bool reconstruct ()
 

Protected Member Functions

bool reconstructFileHdr ()
 
bool reconstructPeHdr ()
 
bool fixSectionsVirtualSize (HANDLE processHandle)
 
bool fixSectionsCharacteristics (HANDLE processHandle)
 
size_t shiftPeHeader ()
 

Protected Attributes

const PeArtefacts origArtefacts
 
PeArtefacts artefacts
 
PeBuffer & peBuffer
 

Detailed Description

Definition at line 45 of file pe_reconstructor.h.

Constructor & Destructor Documentation

◆ PeReconstructor()

pesieve::PeReconstructor::PeReconstructor ( PeArtefacts _artefacts, PeBuffer & _peBuffer )
inline

Definition at line 47 of file pe_reconstructor.h.

Member Function Documentation

◆ fixSectionsCharacteristics()

bool pesieve::PeReconstructor::fixSectionsCharacteristics ( HANDLE processHandle)
protected

Definition at line 185 of file pe_reconstructor.cpp.


◆ fixSectionsVirtualSize()

bool pesieve::PeReconstructor::fixSectionsVirtualSize ( HANDLE processHandle)
protected

Definition at line 103 of file pe_reconstructor.cpp.


◆ reconstruct()

bool pesieve::PeReconstructor::reconstruct ( )

Definition at line 75 of file pe_reconstructor.cpp.


◆ reconstructFileHdr()

bool pesieve::PeReconstructor::reconstructFileHdr ( )
protected

Definition at line 222 of file pe_reconstructor.cpp.


◆ reconstructPeHdr()

bool pesieve::PeReconstructor::reconstructPeHdr ( )
protected

Definition at line 266 of file pe_reconstructor.cpp.


◆ shiftPeHeader()

size_t pesieve::PeReconstructor::shiftPeHeader ( )
protected

Definition at line 18 of file pe_reconstructor.cpp.


Member Data Documentation

◆ artefacts

PeArtefacts pesieve::PeReconstructor::artefacts
protected

Definition at line 63 of file pe_reconstructor.h.

◆ origArtefacts

const PeArtefacts pesieve::PeReconstructor::origArtefacts
protected

Definition at line 62 of file pe_reconstructor.h.

◆ peBuffer

PeBuffer& pesieve::PeReconstructor::peBuffer
protected

Definition at line 64 of file pe_reconstructor.h.


The documentation for this class was generated from the following files: