PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Static Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
pesieve::ThreadScanner Class Reference

#include <thread_scanner.h>

Inheritance diagram for pesieve::ThreadScanner:
Inheritance graph
[legend]

Public Member Functions

 ThreadScanner (HANDLE hProc, bool _isReflection, const util::thread_info &_info, ModulesInfo &_modulesInfo, peconv::ExportsMapper *_exportsMap)
 
virtual ThreadScanReportscanRemote ()
 
- Public Member Functions inherited from pesieve::ProcessFeatureScanner
 ProcessFeatureScanner (HANDLE _processHandle)
 
virtual ~ProcessFeatureScanner ()
 

Static Public Member Functions

static bool InitSymbols (HANDLE hProc)
 
static bool FreeSymbols (HANDLE hProc)
 

Protected Member Functions

bool isAddrInShellcode (ULONGLONG addr)
 
bool resolveAddr (ULONGLONG addr)
 
bool fetchThreadCtx (IN HANDLE hProcess, IN HANDLE hThread, OUT thread_ctx &c)
 
size_t enumStackFrames (IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT thread_ctx &c)
 
bool fillAreaStats (ThreadScanReport *my_report)
 
bool reportSuspiciousAddr (ThreadScanReport *my_report, ULONGLONG susp_addr, thread_ctx &c)
 

Protected Attributes

bool isReflection
 
const util::thread_infoinfo
 
ModulesInfomodulesInfo
 
peconv::ExportsMapper * exportsMap
 
- Protected Attributes inherited from pesieve::ProcessFeatureScanner
HANDLE processHandle
 

Detailed Description

A scanner for threads Stack-scan inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons

Definition at line 89 of file thread_scanner.h.

Constructor & Destructor Documentation

◆ ThreadScanner()

pesieve::ThreadScanner::ThreadScanner ( HANDLE hProc,
bool _isReflection,
const util::thread_info & _info,
ModulesInfo & _modulesInfo,
peconv::ExportsMapper * _exportsMap )
inline

Definition at line 95 of file thread_scanner.h.

Member Function Documentation

◆ enumStackFrames()

size_t pesieve::ThreadScanner::enumStackFrames ( IN HANDLE hProcess,
IN HANDLE hThread,
IN LPVOID ctx,
IN OUT thread_ctx & c )
protected

Definition at line 127 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fetchThreadCtx()

bool pesieve::ThreadScanner::fetchThreadCtx ( IN HANDLE hProcess,
IN HANDLE hThread,
OUT thread_ctx & c )
protected

Definition at line 193 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fillAreaStats()

bool pesieve::ThreadScanner::fillAreaStats ( ThreadScanReport * my_report)
protected

Definition at line 293 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ FreeSymbols()

bool pesieve::ThreadScanner::FreeSymbols ( HANDLE hProc)
static

Definition at line 344 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ InitSymbols()

bool pesieve::ThreadScanner::InitSymbols ( HANDLE hProc)
static

Definition at line 336 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ isAddrInShellcode()

bool pesieve::ThreadScanner::isAddrInShellcode ( ULONGLONG addr)
protected

Definition at line 238 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ reportSuspiciousAddr()

bool pesieve::ThreadScanner::reportSuspiciousAddr ( ThreadScanReport * my_report,
ULONGLONG susp_addr,
thread_ctx & c )
protected

Definition at line 306 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ resolveAddr()

bool pesieve::ThreadScanner::resolveAddr ( ULONGLONG addr)
protected

Definition at line 250 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ scanRemote()

ThreadScanReport * pesieve::ThreadScanner::scanRemote ( )
virtual

Perform the scan on the remote process

Returns
a pointer to an object of the class inherited from ModuleScanReport

Implements pesieve::ProcessFeatureScanner.

Definition at line 382 of file thread_scanner.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ exportsMap

peconv::ExportsMapper* pesieve::ThreadScanner::exportsMap
protected

Definition at line 115 of file thread_scanner.h.

◆ info

const util::thread_info& pesieve::ThreadScanner::info
protected

Definition at line 113 of file thread_scanner.h.

◆ isReflection

bool pesieve::ThreadScanner::isReflection
protected

Definition at line 112 of file thread_scanner.h.

◆ modulesInfo

ModulesInfo& pesieve::ThreadScanner::modulesInfo
protected

Definition at line 114 of file thread_scanner.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.10.0