PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::ThreadScanReport Class Reference

A report from the thread scan, generated by ThreadScanner. More...

#include <thread_scanner.h>


Public Member Functions

 ThreadScanReport (DWORD _tid)
 ~ThreadScanReport ()
SuspAddrReport * findAreaForAddress (const ULONGLONG &susp_addr)
virtual const void callstackToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails, const ctx_details &details)
const bool threadInfoToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
const bool indicatorsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
virtual const void fieldsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
virtual const bool toJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Public Member Functions inherited from pesieve::ModuleScanReport
 ModuleScanReport (HMODULE _module, size_t _moduleSize, t_scan_status _status=SCAN_NOT_SUSPICIOUS)
virtual ~ModuleScanReport ()
virtual ULONGLONG getRelocBase ()
Public Member Functions inherited from pesieve::ElementScanReport
 ElementScanReport (t_scan_status _status=SCAN_NOT_SUSPICIOUS)

Static Public Member Functions

static std::string translate_thread_state (DWORD thread_state)
static std::string translate_wait_reason (DWORD thread_wait_reason)
Static Public Member Functions inherited from pesieve::ElementScanReport
static t_scan_status get_scan_status (const ElementScanReport *report)

Public Attributes

DWORD tid
ULONGLONG stack_ptr
DWORD thread_state
DWORD thread_wait_reason
DWORD thread_wait_time
std::string lastSyscall
std::string lastFunction
ctx_details cDetails
bool has_native_wow64_context
ctx_details nativeWow64Details
std::map< ULONGLONG, std::string > addrToSymbol
std::set< ULONGLONG > shcCandidates
std::set< ThSusIndicator > indicators
std::map< ULONGLONG, SuspAddrReport * > suspAreaReports
Public Attributes inherited from pesieve::ModuleScanReport
HMODULE module
size_t moduleSize
bool isDotNetModule
std::string moduleFile
ULONGLONG origBase
ULONGLONG relocBase
Public Attributes inherited from pesieve::ElementScanReport
t_scan_status status

Static Public Attributes

static const DWORD THREAD_STATE_UNKNOWN = (-1)
static const DWORD THREAD_STATE_WAITING = 5
Static Public Attributes inherited from pesieve::ElementScanReport
static const size_t JSON_LEVEL = 1

Additional Inherited Members

Protected Member Functions inherited from pesieve::ModuleScanReport
virtual const bool _toJSON (std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)

Detailed Description

A report from the thread scan, generated by ThreadScanner.

Definition at line 185 of file thread_scanner.h.

Constructor & Destructor Documentation

◆ ThreadScanReport()

pesieve::ThreadScanReport::ThreadScanReport ( DWORD _tid)
inline

Definition at line 196 of file thread_scanner.h.


◆ ~ThreadScanReport()

pesieve::ThreadScanReport::~ThreadScanReport ( )
inline

Definition at line 205 of file thread_scanner.h.

Member Function Documentation

◆ callstackToJSON()

virtual const void pesieve::ThreadScanReport::callstackToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails,
const ctx_details & details )
inlinevirtual

Definition at line 230 of file thread_scanner.h.

◆ fieldsToJSON()

virtual const void pesieve::ThreadScanReport::fieldsToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inlinevirtual

Definition at line 331 of file thread_scanner.h.


◆ findAreaForAddress()

SuspAddrReport * pesieve::ThreadScanReport::findAreaForAddress ( const ULONGLONG & susp_addr)
inline

Definition at line 214 of file thread_scanner.h.

◆ indicatorsToJSON()

const bool pesieve::ThreadScanReport::indicatorsToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inline

Definition at line 318 of file thread_scanner.h.


◆ threadInfoToJSON()

const bool pesieve::ThreadScanReport::threadInfoToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inline

Definition at line 268 of file thread_scanner.h.


◆ toJSON()

virtual const bool pesieve::ThreadScanReport::toJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inlinevirtual

Implements pesieve::ModuleScanReport.

Definition at line 367 of file thread_scanner.h.


◆ translate_thread_state()

std::string ThreadScanReport::translate_thread_state ( DWORD thread_state)
static

Definition at line 73 of file thread_scanner.cpp.

◆ translate_wait_reason()

std::string ThreadScanReport::translate_wait_reason ( DWORD thread_wait_reason)
static

Definition at line 56 of file thread_scanner.cpp.

Member Data Documentation

◆ addrToSymbol

std::map<ULONGLONG, std::string> pesieve::ThreadScanReport::addrToSymbol

Definition at line 394 of file thread_scanner.h.

◆ cDetails

ctx_details pesieve::ThreadScanReport::cDetails

Definition at line 387 of file thread_scanner.h.

◆ has_native_wow64_context

bool pesieve::ThreadScanReport::has_native_wow64_context

Definition at line 391 of file thread_scanner.h.

◆ indicators

std::set<ThSusIndicator> pesieve::ThreadScanReport::indicators

Definition at line 396 of file thread_scanner.h.

◆ lastFunction

std::string pesieve::ThreadScanReport::lastFunction

Definition at line 383 of file thread_scanner.h.

◆ lastSyscall

std::string pesieve::ThreadScanReport::lastSyscall

Definition at line 382 of file thread_scanner.h.

◆ nativeWow64Details

ctx_details pesieve::ThreadScanReport::nativeWow64Details

Definition at line 392 of file thread_scanner.h.

◆ shcCandidates

std::set<ULONGLONG> pesieve::ThreadScanReport::shcCandidates

Definition at line 395 of file thread_scanner.h.

◆ stack_ptr

ULONGLONG pesieve::ThreadScanReport::stack_ptr

Definition at line 377 of file thread_scanner.h.

◆ suspAreaReports

std::map<ULONGLONG, SuspAddrReport*> pesieve::ThreadScanReport::suspAreaReports

Definition at line 397 of file thread_scanner.h.

◆ thread_state

DWORD pesieve::ThreadScanReport::thread_state

Definition at line 378 of file thread_scanner.h.

◆ THREAD_STATE_UNKNOWN

const DWORD pesieve::ThreadScanReport::THREAD_STATE_UNKNOWN = (-1)
static

Definition at line 188 of file thread_scanner.h.

◆ THREAD_STATE_WAITING

const DWORD pesieve::ThreadScanReport::THREAD_STATE_WAITING = 5
static

Definition at line 189 of file thread_scanner.h.

◆ thread_wait_reason

DWORD pesieve::ThreadScanReport::thread_wait_reason

Definition at line 379 of file thread_scanner.h.

◆ thread_wait_time

DWORD pesieve::ThreadScanReport::thread_wait_time

Definition at line 380 of file thread_scanner.h.

◆ tid

DWORD pesieve::ThreadScanReport::tid

Definition at line 376 of file thread_scanner.h.


The documentation for this class was generated from the following files: