PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::RemoteModuleData Class Reference

Buffers the data from the module loaded in the scanned process into the local memory. More...

#include <module_data.h>

Public Member Functions

 RemoteModuleData (HANDLE _processHandle, bool _isRefl, HMODULE _modBaseAddr)
 
virtual ~RemoteModuleData ()
 
bool isSectionEntry (const size_t section_number)
 
bool isSectionExecutable (const size_t section_number, bool allow_data, bool allow_inaccessible)
 
bool hasExecutableSection (bool allow_data, bool allow_inaccessible)
 
bool isInitialized ()
 
bool is64bit ()
 
size_t getHdrImageSize ()
 
ULONGLONG getHdrImageBase ()
 
size_t getModuleSize ()
 
size_t getHeaderSize ()
 
bool loadFullImage ()
 
bool isFullImageLoaded ()
 
ULONGLONG getRemoteSectionVa (const size_t section_num)
 
bool loadImportsList (peconv::ImportsCollection &collection)
 
ULONGLONG getModuleBase ()
 

Static Public Member Functions

static std::string getModuleName (HANDLE _processHandle, HMODULE _modBaseAddr)
 
static std::string getMappedName (HANDLE _processHandle, LPVOID _modBaseAddr)
 

Public Attributes

BYTE headerBuffer [peconv::MAX_HEADER_SIZE]
 

Protected Member Functions

bool init ()
 
bool loadHeader ()
 
size_t calcImgSize ()
 
bool _loadFullImage (size_t v_size)
 
void freeFullImage ()
 

Protected Attributes

HANDLE processHandle
 
const bool isReflection
 
HMODULE modBaseAddr
 
BYTE * imgBuffer
 
size_t imgBufferSize
 

Friends

class PeSection
 
class IATScanner
 

Detailed Description

Buffers the data from the module loaded in the scanned process into the local memory.

Definition at line 122 of file module_data.h.

Constructor & Destructor Documentation

◆ RemoteModuleData()

pesieve::RemoteModuleData::RemoteModuleData ( HANDLE _processHandle, bool _isRefl, HMODULE _modBaseAddr )
inline

Definition at line 128 of file module_data.h.

◆ ~RemoteModuleData()

virtual pesieve::RemoteModuleData::~RemoteModuleData ( )
inline virtual

Definition at line 137 of file module_data.h.

Member Function Documentation

◆ _loadFullImage()

bool pesieve::RemoteModuleData::_loadFullImage ( size_t v_size)
protected

Definition at line 296 of file module_data.cpp.

◆ calcImgSize()

size_t pesieve::RemoteModuleData::calcImgSize ( )
protected

Definition at line 416 of file module_data.cpp.

◆ freeFullImage()

void pesieve::RemoteModuleData::freeFullImage ( )
inline protected

Definition at line 203 of file module_data.h.

◆ getHdrImageBase()

ULONGLONG pesieve::RemoteModuleData::getHdrImageBase ( )
inline

Definition at line 165 of file module_data.h.

◆ getHdrImageSize()

size_t pesieve::RemoteModuleData::getHdrImageSize ( )
inline

Definition at line 159 of file module_data.h.

◆ getHeaderSize()

size_t pesieve::RemoteModuleData::getHeaderSize ( )
inline

Definition at line 179 of file module_data.h.

◆ getMappedName()

std::string pesieve::RemoteModuleData::getMappedName ( HANDLE _processHandle, LPVOID _modBaseAddr )
static

Definition at line 257 of file module_data.cpp.

◆ getModuleBase()

ULONGLONG pesieve::RemoteModuleData::getModuleBase ( )
inline

Definition at line 189 of file module_data.h.

◆ getModuleName()

std::string pesieve::RemoteModuleData::getModuleName ( HANDLE _processHandle, HMODULE _modBaseAddr )
static

Definition at line 243 of file module_data.cpp.

◆ getModuleSize()

size_t pesieve::RemoteModuleData::getModuleSize ( )
inline

Definition at line 171 of file module_data.h.

◆ getRemoteSectionVa()

ULONGLONG pesieve::RemoteModuleData::getRemoteSectionVa ( const size_t section_num)

Definition at line 332 of file module_data.cpp.

◆ hasExecutableSection()

bool pesieve::RemoteModuleData::hasExecutableSection ( bool allow_data, bool allow_inaccessible )

Definition at line 404 of file module_data.cpp.

◆ init()

bool pesieve::RemoteModuleData::init ( )
protected

Definition at line 286 of file module_data.cpp.

◆ is64bit()

bool pesieve::RemoteModuleData::is64bit ( )
inline

Definition at line 153 of file module_data.h.

◆ isFullImageLoaded()

bool pesieve::RemoteModuleData::isFullImageLoaded ( )
inline

Definition at line 185 of file module_data.h.

◆ isInitialized()

bool pesieve::RemoteModuleData::isInitialized ( )
inline

Definition at line 145 of file module_data.h.

◆ isSectionEntry()

bool pesieve::RemoteModuleData::isSectionEntry ( const size_t section_number)

Definition at line 343 of file module_data.cpp.

◆ isSectionExecutable()

bool pesieve::RemoteModuleData::isSectionExecutable ( const size_t section_number, bool allow_data, bool allow_inaccessible )

Definition at line 364 of file module_data.cpp.

◆ loadFullImage()

bool pesieve::RemoteModuleData::loadFullImage ( )

Definition at line 310 of file module_data.cpp.

◆ loadHeader()

bool pesieve::RemoteModuleData::loadHeader ( )
protected

Definition at line 324 of file module_data.cpp.

◆ loadImportsList()

bool pesieve::RemoteModuleData::loadImportsList ( peconv::ImportsCollection & collection)

Definition at line 270 of file module_data.cpp.

Friends And Related Symbol Documentation

◆ IATScanner

Definition at line 221 of file module_data.h.

◆ PeSection

Definition at line 220 of file module_data.h.

Member Data Documentation

◆ headerBuffer

BYTE pesieve::RemoteModuleData::headerBuffer[peconv::MAX_HEADER_SIZE]

Definition at line 194 of file module_data.h.

◆ imgBuffer

BYTE* pesieve::RemoteModuleData::imgBuffer
protected

Definition at line 214 of file module_data.h.

◆ imgBufferSize

size_t pesieve::RemoteModuleData::imgBufferSize
protected

Definition at line 215 of file module_data.h.

◆ isReflection

const bool pesieve::RemoteModuleData::isReflection
protected

Definition at line 211 of file module_data.h.

◆ modBaseAddr

HMODULE pesieve::RemoteModuleData::modBaseAddr
protected

Definition at line 212 of file module_data.h.

◆ processHandle

HANDLE pesieve::RemoteModuleData::processHandle
protected

Definition at line 210 of file module_data.h.


The documentation for this class was generated from the following files: