 |
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
|
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
This is the complete list of members for pesieve::ThreadScanner, including all inherited members.
| _analyzeCallStack(IN OUT ctx_details &cDetails, OUT IN std::set< ULONGLONG > &shcCandidates) | pesieve::ThreadScanner | protected |
| analyzeCallStackInfo(IN OUT ThreadScanReport &my_report) | pesieve::ThreadScanner | protected |
| checkReturnAddrIntegrity(IN const std::vector< ULONGLONG > &callStack, IN OUT ThreadScanReport &my_report) | pesieve::ThreadScanner | protected |
| choosePreferredFunctionName(const std::string &dbgSymbol, const std::string &manualSymbol) | pesieve::ThreadScanner | protectedstatic |
| exportsMap | pesieve::ThreadScanner | protected |
| fetchThreadCtxDetails(IN HANDLE hProcess, IN HANDLE hThread, OUT ThreadScanReport &my_report) | pesieve::ThreadScanner | protected |
| fillAreaStats(ThreadScanReport *my_report) | pesieve::ThreadScanner | protected |
| fillCallStackInfo(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT ThreadScanReport &my_report) | pesieve::ThreadScanner | protected |
| filterDotNet(ThreadScanReport &my_report) | pesieve::ThreadScanner | protected |
| info | pesieve::ThreadScanner | protected |
| initReport(ThreadScanReport &my_report) | pesieve::ThreadScanner | protected |
| isAddrInNamedModule(ULONGLONG addr) | pesieve::ThreadScanner | protected |
| isManaged | pesieve::ThreadScanner | protected |
| isReflection | pesieve::ThreadScanner | protected |
| modulesInfo | pesieve::ThreadScanner | protected |
| printResolvedAddr(const ULONGLONG addr) | pesieve::ThreadScanner | protected |
| printThreadInfo(const util::thread_info &threadi) | pesieve::ThreadScanner | protected |
| ProcessFeatureScanner(HANDLE _processHandle) | pesieve::ProcessFeatureScanner | inline |
| processHandle | pesieve::ProcessFeatureScanner | protected |
| reportResolvedCallstack(ThreadScanReport &my_report) | pesieve::ThreadScanner | protected |
| reportSuspiciousAddr(ThreadScanReport *my_report, ULONGLONG susp_addr) | pesieve::ThreadScanner | protected |
| resolveAddrToString(IN ULONGLONG addr) | pesieve::ThreadScanner | protected |
| resolveLowLevelFuncName(IN const ULONGLONG addr, OUT OPTIONAL size_t *disp=nullptr) | pesieve::ThreadScanner | protected |
| scanRemote() | pesieve::ThreadScanner | virtual |
| scanRemoteThreadCtx(HANDLE hThread, ThreadScanReport &my_report) | pesieve::ThreadScanner | protected |
| symbols | pesieve::ThreadScanner | protected |
| ThreadScanner(HANDLE hProc, bool _isReflection, bool _isManaged, const util::thread_info &_info, ModulesInfo &_modulesInfo, peconv::ExportsMapper *_exportsMap, ProcessSymbolsManager *_symbols) | pesieve::ThreadScanner | inline |
| ~ProcessFeatureScanner() | pesieve::ProcessFeatureScanner | inlinevirtual |
1.13.2
