pesieve::ProcessScanner Class Reference

The root scanner, responsible for enumerating all the elements to be scanned within a given process, and performing apropriate scans on them. More...

#include <scanner.h>

Public Member Functions
	ProcessScanner (HANDLE procHndl, bool is_reflection, pesieve::t_params _args)
	~ProcessScanner ()
ProcessScanReport *	scanRemote ()
	The main function of ProcessScanner, deploying the scan. Throws exceptions in case of a failure.

Static Public Member Functions
static t_scan_status	scanForHollows (HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report)
static t_scan_status	scanForHooks (HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, bool scan_data, bool scan_inaccessible)
static t_scan_status	scanForIATHooks (HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, t_iat_scan_mode filter)

Protected Member Functions
size_t	scanModules (ProcessScanReport &pReport)
size_t	scanModulesIATs (ProcessScanReport &pReport)
size_t	scanThreads (ProcessScanReport &pReport)
size_t	scanWorkingSet (ProcessScanReport &pReport)
ModuleScanReport *	scanForMappingMismatch (ModuleData &modData, ProcessScanReport &process_report)
bool	resolveHooksTargets (ProcessScanReport &process_report)
bool	filterDotNetReport (ProcessScanReport &process_report)

Protected Attributes
HANDLE	processHandle
bool	isDEP
const bool	isReflection
pesieve::t_params	args
std::set< std::string >	ignoredModules

Detailed Description

The root scanner, responsible for enumerating all the elements to be scanned within a given process, and performing apropriate scans on them.

Definition at line 14 of file scanner.h.

Constructor & Destructor Documentation

ProcessScanner()

pesieve::ProcessScanner::ProcessScanner	(	HANDLE	procHndl,
		bool	is_reflection,
		pesieve::t_params	_args )

A constructor of ProcessScanner.

Parameters

procHndl	: a HANDLE to the process to be scanned (must be opened with appropriate access rights)
is_reflection	: a flag indicating if the given handle (procHndl) leads to a raw process, or the process reflection
args	: the configuration of the scan (defined as t_params)

Definition at line 69 of file scanner.cpp.

Here is the call graph for this function:

~ProcessScanner()

pesieve::ProcessScanner::~ProcessScanner ( )

inline

Definition at line 25 of file scanner.h.

Member Function Documentation

filterDotNetReport()

bool pesieve::ProcessScanner::filterDotNetReport ( ProcessScanReport & process_report )

protected

Definition at line 179 of file scanner.cpp.

Here is the call graph for this function:

resolveHooksTargets()

bool pesieve::ProcessScanner::resolveHooksTargets ( ProcessScanReport & process_report )

protected

Definition at line 150 of file scanner.cpp.

Here is the call graph for this function:

scanForHollows()

t_scan_status pesieve::ProcessScanner::scanForHollows ( HANDLE hProcess, ModuleData & modData, RemoteModuleData & remoteModData, ProcessScanReport & process_report )

static

Definition at line 78 of file scanner.cpp.

Here is the call graph for this function:

scanForHooks()

t_scan_status pesieve::ProcessScanner::scanForHooks ( HANDLE hProcess, ModuleData & modData, RemoteModuleData & remoteModData, ProcessScanReport & process_report, bool scan_data, bool scan_inaccessible )

static

Definition at line 134 of file scanner.cpp.

Here is the call graph for this function:

scanForIATHooks()

t_scan_status pesieve::ProcessScanner::scanForIATHooks ( HANDLE hProcess, ModuleData & modData, RemoteModuleData & remoteModData, ProcessScanReport & process_report, t_iat_scan_mode filter )

static

Definition at line 110 of file scanner.cpp.

Here is the call graph for this function:

scanForMappingMismatch()

ModuleScanReport * pesieve::ProcessScanner::scanForMappingMismatch ( ModuleData & modData, ProcessScanReport & process_report )

protected

Definition at line 327 of file scanner.cpp.

Here is the call graph for this function:

scanModules()

size_t pesieve::ProcessScanner::scanModules ( ProcessScanReport & pReport )

protected

Definition at line 336 of file scanner.cpp.

Here is the call graph for this function:

scanModulesIATs()

size_t pesieve::ProcessScanner::scanModulesIATs ( ProcessScanReport & pReport )

protected

Definition at line 424 of file scanner.cpp.

Here is the call graph for this function:

scanRemote()

ProcessScanReport * pesieve::ProcessScanner::scanRemote

(

)

The main function of ProcessScanner, deploying the scan. Throws exceptions in case of a failure.

Returns

pointer to the generated report of type ProcessScanReport

Definition at line 216 of file scanner.cpp.

Here is the call graph for this function:

scanThreads()

size_t pesieve::ProcessScanner::scanThreads ( ProcessScanReport & pReport )

protected

Definition at line 471 of file scanner.cpp.

Here is the call graph for this function:

scanWorkingSet()

size_t pesieve::ProcessScanner::scanWorkingSet ( ProcessScanReport & pReport )

protected

Definition at line 284 of file scanner.cpp.

Here is the call graph for this function:

Member Data Documentation

args

pesieve::t_params pesieve::ProcessScanner::args

protected

Definition at line 53 of file scanner.h.

ignoredModules

std::set<std::string> pesieve::ProcessScanner::ignoredModules

protected

Definition at line 55 of file scanner.h.

isDEP

bool pesieve::ProcessScanner::isDEP

protected

Definition at line 51 of file scanner.h.

isReflection

const bool pesieve::ProcessScanner::isReflection

protected

Definition at line 52 of file scanner.h.

processHandle

HANDLE pesieve::ProcessScanner::processHandle

protected

Definition at line 50 of file scanner.h.

---

The documentation for this class was generated from the following files:

• scanners/scanner.h
• scanners/scanner.cpp