PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::RemoteModuleData Class Reference

Buffers the data of a module loaded in the scanned process into local memory. More...

#include <module_data.h>

Public Member Functions

 RemoteModuleData (HANDLE _processHandle, bool _isRefl, HMODULE _modBaseAddr)
 
virtual ~RemoteModuleData ()
 
bool isSectionEntry (const size_t section_number)
 
bool isSectionExecutable (const size_t section_number, bool allow_data, bool allow_inaccessible)
 
bool hasExecutableSection (bool allow_data, bool allow_inaccessible)
 
bool isInitialized ()
 
bool is64bit ()
 
size_t getHdrImageSize ()
 
ULONGLONG getHdrImageBase ()
 
size_t getModuleSize ()
 
size_t getHeaderSize ()
 
bool loadFullImage ()
 
bool isFullImageLoaded ()
 
ULONGLONG getRemoteSectionVa (const size_t section_num)
 
bool loadImportsList (peconv::ImportsCollection &collection)
 
ULONGLONG getModuleBase ()
 

Static Public Member Functions

static std::string getModuleName (HANDLE _processHandle, HMODULE _modBaseAddr)
 
static std::string getMappedName (HANDLE _processHandle, LPVOID _modBaseAddr)
 

Public Attributes

BYTE headerBuffer [peconv::MAX_HEADER_SIZE]
 

Protected Member Functions

bool init ()
 
bool loadHeader ()
 
size_t calcImgSize ()
 
bool _loadFullImage (size_t v_size)
 
void freeFullImage ()
 

Protected Attributes

HANDLE processHandle
 
const bool isReflection
 
HMODULE modBaseAddr
 
BYTE * imgBuffer
 
size_t imgBufferSize
 

Friends

class PeSection
 
class IATScanner
 

Detailed Description

Buffers the data of a module loaded in the scanned process into local memory.

Definition at line 120 of file module_data.h.

Constructor & Destructor Documentation

◆ RemoteModuleData()

pesieve::RemoteModuleData::RemoteModuleData ( HANDLE _processHandle,
bool _isRefl,
HMODULE _modBaseAddr )
inline

Definition at line 126 of file module_data.h.


◆ ~RemoteModuleData()

virtual pesieve::RemoteModuleData::~RemoteModuleData ( )
inlinevirtual

Definition at line 135 of file module_data.h.


Member Function Documentation

◆ _loadFullImage()

bool pesieve::RemoteModuleData::_loadFullImage ( size_t v_size)
protected

Definition at line 308 of file module_data.cpp.

◆ calcImgSize()

size_t pesieve::RemoteModuleData::calcImgSize ( )
protected

Definition at line 428 of file module_data.cpp.


◆ freeFullImage()

void pesieve::RemoteModuleData::freeFullImage ( )
inlineprotected

Definition at line 205 of file module_data.h.

◆ getHdrImageBase()

ULONGLONG pesieve::RemoteModuleData::getHdrImageBase ( )
inline

Definition at line 163 of file module_data.h.

◆ getHdrImageSize()

size_t pesieve::RemoteModuleData::getHdrImageSize ( )
inline

Definition at line 157 of file module_data.h.

◆ getHeaderSize()

size_t pesieve::RemoteModuleData::getHeaderSize ( )
inline

Definition at line 181 of file module_data.h.

◆ getMappedName()

std::string pesieve::RemoteModuleData::getMappedName ( HANDLE _processHandle,
LPVOID _modBaseAddr )
static

Definition at line 269 of file module_data.cpp.


◆ getModuleBase()

ULONGLONG pesieve::RemoteModuleData::getModuleBase ( )
inline

Definition at line 191 of file module_data.h.

◆ getModuleName()

std::string pesieve::RemoteModuleData::getModuleName ( HANDLE _processHandle,
HMODULE _modBaseAddr )
static

Definition at line 255 of file module_data.cpp.


◆ getModuleSize()

size_t pesieve::RemoteModuleData::getModuleSize ( )
inline

Definition at line 169 of file module_data.h.


◆ getRemoteSectionVa()

ULONGLONG pesieve::RemoteModuleData::getRemoteSectionVa ( const size_t section_num)

Definition at line 344 of file module_data.cpp.

◆ hasExecutableSection()

bool pesieve::RemoteModuleData::hasExecutableSection ( bool allow_data,
bool allow_inaccessible )

Definition at line 416 of file module_data.cpp.

◆ init()

bool pesieve::RemoteModuleData::init ( )
protected

Definition at line 298 of file module_data.cpp.

◆ is64bit()

bool pesieve::RemoteModuleData::is64bit ( )
inline

Definition at line 151 of file module_data.h.

◆ isFullImageLoaded()

bool pesieve::RemoteModuleData::isFullImageLoaded ( )
inline

Definition at line 187 of file module_data.h.

◆ isInitialized()

bool pesieve::RemoteModuleData::isInitialized ( )
inline

Definition at line 143 of file module_data.h.


◆ isSectionEntry()

bool pesieve::RemoteModuleData::isSectionEntry ( const size_t section_number)

Definition at line 355 of file module_data.cpp.


◆ isSectionExecutable()

bool pesieve::RemoteModuleData::isSectionExecutable ( const size_t section_number,
bool allow_data,
bool allow_inaccessible )

Definition at line 376 of file module_data.cpp.


◆ loadFullImage()

bool pesieve::RemoteModuleData::loadFullImage ( )

Definition at line 322 of file module_data.cpp.

◆ loadHeader()

bool pesieve::RemoteModuleData::loadHeader ( )
protected

Definition at line 336 of file module_data.cpp.

◆ loadImportsList()

bool pesieve::RemoteModuleData::loadImportsList ( peconv::ImportsCollection & collection)

Definition at line 282 of file module_data.cpp.

Friends And Related Symbol Documentation

◆ IATScanner

friend class IATScanner
friend

Definition at line 223 of file module_data.h.

◆ PeSection

friend class PeSection
friend

Definition at line 222 of file module_data.h.

Member Data Documentation

◆ headerBuffer

BYTE pesieve::RemoteModuleData::headerBuffer[peconv::MAX_HEADER_SIZE]

Definition at line 196 of file module_data.h.

◆ imgBuffer

BYTE* pesieve::RemoteModuleData::imgBuffer
protected

Definition at line 216 of file module_data.h.

◆ imgBufferSize

size_t pesieve::RemoteModuleData::imgBufferSize
protected

Definition at line 217 of file module_data.h.

◆ isReflection

const bool pesieve::RemoteModuleData::isReflection
protected

Definition at line 213 of file module_data.h.

◆ modBaseAddr

HMODULE pesieve::RemoteModuleData::modBaseAddr
protected

Definition at line 214 of file module_data.h.

◆ processHandle

HANDLE pesieve::RemoteModuleData::processHandle
protected

Definition at line 212 of file module_data.h.


The documentation for this class was generated from the following files: