PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
#include <thread_scanner.h>
Public Member Functions

  ThreadScanner (HANDLE hProc, bool _isReflection, const util::thread_info &_info, ModulesInfo &_modulesInfo, peconv::ExportsMapper *_exportsMap)
  virtual ThreadScanReport * scanRemote ()

Public Member Functions inherited from pesieve::ProcessFeatureScanner

  ProcessFeatureScanner (HANDLE _processHandle)
  virtual ~ProcessFeatureScanner ()

Static Public Member Functions

  static bool InitSymbols (HANDLE hProc)
  static bool FreeSymbols (HANDLE hProc)

Protected Member Functions

  bool isAddrInShellcode (ULONGLONG addr)
  bool resolveAddr (ULONGLONG addr)
  bool fetchThreadCtx (IN HANDLE hProcess, IN HANDLE hThread, OUT thread_ctx &c)
  size_t enumStackFrames (IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT thread_ctx &c)
  bool fillAreaStats (ThreadScanReport *my_report)
  bool reportSuspiciousAddr (ThreadScanReport *my_report, ULONGLONG susp_addr, thread_ctx &c)

Protected Attributes

  bool isReflection
  const util::thread_info & info
  ModulesInfo & modulesInfo
  peconv::ExportsMapper * exportsMap

Protected Attributes inherited from pesieve::ProcessFeatureScanner

  HANDLE processHandle
A scanner for threads. The stack scan is inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons
Definition at line 89 of file thread_scanner.h.
Constructor & Destructor Documentation

  ThreadScanner () [inline]
    Definition at line 95 of file thread_scanner.h.

Member Function Documentation

  scanRemote () [virtual]
    Perform the scan on the remote process.
    Implements pesieve::ProcessFeatureScanner.
    Definition at line 382 of file thread_scanner.cpp.

Member Data Documentation

  exportsMap [protected]
    Definition at line 115 of file thread_scanner.h.
  info [protected]
    Definition at line 113 of file thread_scanner.h.
  isReflection [protected]
    Definition at line 112 of file thread_scanner.h.
  modulesInfo [protected]
    Definition at line 114 of file thread_scanner.h.