PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::ThreadScanReport Class Reference

A report from the thread scan, generated by ThreadScanner. More...

#include <thread_scanner.h>


Public Member Functions

 ThreadScanReport (DWORD _tid)
 
virtual const void callstackToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
const bool moduleInfoToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
const bool threadInfoToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
const bool indicatorsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
virtual const void fieldsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
virtual const bool toJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
- Public Member Functions inherited from pesieve::ModuleScanReport
 ModuleScanReport (HMODULE _module, size_t _moduleSize, t_scan_status _status=SCAN_NOT_SUSPICIOUS)
 
virtual ~ModuleScanReport ()
 
virtual ULONGLONG getRelocBase ()
 
- Public Member Functions inherited from pesieve::ElementScanReport
 ElementScanReport (t_scan_status _status=SCAN_NOT_SUSPICIOUS)
 

Static Public Member Functions

static std::string translate_thread_state (DWORD thread_state)
 
static std::string translate_wait_reason (DWORD thread_wait_reason)
 
- Static Public Member Functions inherited from pesieve::ElementScanReport
static t_scan_status get_scan_status (const ElementScanReport *report)
 

Public Attributes

DWORD tid
 
ULONGLONG susp_addr
 
DWORD protection
 
ULONGLONG stack_ptr
 
DWORD thread_state
 
DWORD thread_wait_reason
 
DWORD thread_wait_time
 
std::string lastSyscall
 
std::string lastFunction
 
ctx_details cDetails
 
std::map< ULONGLONG, std::string > addrToSymbol
 
std::set< ULONGLONG > shcCandidates
 
std::set< ThSusIndicator > indicators
 
AreaEntropyStats stats
 
bool is_code
 
- Public Attributes inherited from pesieve::ModuleScanReport
HMODULE module
 
size_t moduleSize
 
bool isDotNetModule
 
std::string moduleFile
 
ULONGLONG origBase
 
ULONGLONG relocBase
 
- Public Attributes inherited from pesieve::ElementScanReport
t_scan_status status
 

Static Public Attributes

static const DWORD THREAD_STATE_UNKNOWN = (-1)
 
static const DWORD THREAD_STATE_WAITING = 5
 
- Static Public Attributes inherited from pesieve::ElementScanReport
static const size_t JSON_LEVEL = 1
 

Additional Inherited Members

- Protected Member Functions inherited from pesieve::ModuleScanReport
virtual const bool _toJSON (std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
 

Detailed Description

A report from the thread scan, generated by ThreadScanner.

Definition at line 70 of file thread_scanner.h.

Constructor & Destructor Documentation

◆ ThreadScanReport()

pesieve::ThreadScanReport::ThreadScanReport ( DWORD _tid)
inline

Definition at line 81 of file thread_scanner.h.


Member Function Documentation

◆ callstackToJSON()

virtual const void pesieve::ThreadScanReport::callstackToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inlinevirtual

Definition at line 90 of file thread_scanner.h.

◆ fieldsToJSON()

virtual const void pesieve::ThreadScanReport::fieldsToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inlinevirtual

Definition at line 205 of file thread_scanner.h.


◆ indicatorsToJSON()

const bool pesieve::ThreadScanReport::indicatorsToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inline

Definition at line 192 of file thread_scanner.h.


◆ moduleInfoToJSON()

const bool pesieve::ThreadScanReport::moduleInfoToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inline

Definition at line 126 of file thread_scanner.h.

◆ threadInfoToJSON()

const bool pesieve::ThreadScanReport::threadInfoToJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inline

Definition at line 149 of file thread_scanner.h.


◆ toJSON()

virtual const bool pesieve::ThreadScanReport::toJSON ( std::stringstream & outs,
size_t level,
const pesieve::t_json_level & jdetails )
inlinevirtual

Implements pesieve::ModuleScanReport.

Definition at line 231 of file thread_scanner.h.


◆ translate_thread_state()

std::string ThreadScanReport::translate_thread_state ( DWORD thread_state)
static

Definition at line 139 of file thread_scanner.cpp.

◆ translate_wait_reason()

std::string ThreadScanReport::translate_wait_reason ( DWORD thread_wait_reason)
static

Definition at line 122 of file thread_scanner.cpp.

Member Data Documentation

◆ addrToSymbol

std::map<ULONGLONG, std::string> pesieve::ThreadScanReport::addrToSymbol

Definition at line 252 of file thread_scanner.h.

◆ cDetails

ctx_details pesieve::ThreadScanReport::cDetails

Definition at line 251 of file thread_scanner.h.

◆ indicators

std::set<ThSusIndicator> pesieve::ThreadScanReport::indicators

Definition at line 254 of file thread_scanner.h.

◆ is_code

bool pesieve::ThreadScanReport::is_code

Definition at line 257 of file thread_scanner.h.

◆ lastFunction

std::string pesieve::ThreadScanReport::lastFunction

Definition at line 249 of file thread_scanner.h.

◆ lastSyscall

std::string pesieve::ThreadScanReport::lastSyscall

Definition at line 248 of file thread_scanner.h.

◆ protection

DWORD pesieve::ThreadScanReport::protection

Definition at line 242 of file thread_scanner.h.

◆ shcCandidates

std::set<ULONGLONG> pesieve::ThreadScanReport::shcCandidates

Definition at line 253 of file thread_scanner.h.

◆ stack_ptr

ULONGLONG pesieve::ThreadScanReport::stack_ptr

Definition at line 243 of file thread_scanner.h.

◆ stats

AreaEntropyStats pesieve::ThreadScanReport::stats

Definition at line 256 of file thread_scanner.h.

◆ susp_addr

ULONGLONG pesieve::ThreadScanReport::susp_addr

Definition at line 241 of file thread_scanner.h.

◆ thread_state

DWORD pesieve::ThreadScanReport::thread_state

Definition at line 244 of file thread_scanner.h.

◆ THREAD_STATE_UNKNOWN

const DWORD pesieve::ThreadScanReport::THREAD_STATE_UNKNOWN = (-1)
static

Definition at line 73 of file thread_scanner.h.

◆ THREAD_STATE_WAITING

const DWORD pesieve::ThreadScanReport::THREAD_STATE_WAITING = 5
static

Definition at line 74 of file thread_scanner.h.

◆ thread_wait_reason

DWORD pesieve::ThreadScanReport::thread_wait_reason

Definition at line 245 of file thread_scanner.h.

◆ thread_wait_time

DWORD pesieve::ThreadScanReport::thread_wait_time

Definition at line 246 of file thread_scanner.h.

◆ tid

DWORD pesieve::ThreadScanReport::tid

Definition at line 240 of file thread_scanner.h.

