PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::WorkingSetScanReport Class Reference

A report from the working set scan, generated by WorkingSetScanner. More...

#include <workingset_scanner.h>

Inheritance: pesieve::WorkingSetScanReport derives from pesieve::ModuleScanReport (inheritance diagram not included).

Public Member Functions

 WorkingSetScanReport (HMODULE _module, size_t _moduleSize, t_scan_status status)
 
virtual const bool toJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
virtual const void fieldsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
size_t generateTags (const std::string &reportPath)
 
- Public Member Functions inherited from pesieve::ModuleScanReport
 ModuleScanReport (HMODULE _module, size_t _moduleSize, t_scan_status _status=SCAN_NOT_SUSPICIOUS)
 
virtual ~ModuleScanReport ()
 
virtual ULONGLONG getRelocBase ()
 

Public Attributes

bool is_executable
 
bool is_listed_module
 
bool has_pe
 
bool has_shellcode
 
util::ByteBuffer data_cache
 
std::vector< sig_finder::Match > custom_matched
 
size_t all_matched_count
 
size_t match_area_start
 
AreaMultiStats stats
 
AreaInfo area_info
 
DWORD protection
 
DWORD mapping_type
 
std::string mapped_name
 
- Public Attributes inherited from pesieve::ModuleScanReport
HMODULE module
 
size_t moduleSize
 
bool isDotNetModule
 
std::string moduleFile
 
ULONGLONG origBase
 
ULONGLONG relocBase
 
t_scan_status status
 

Protected Member Functions

const void patternsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
 
- Protected Member Functions inherited from pesieve::ModuleScanReport
virtual const bool _toJSON (std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
 

Static Protected Member Functions

static std::string translate_mapping_type (DWORD type)
 

Additional Inherited Members

- Static Public Member Functions inherited from pesieve::ModuleScanReport
static t_scan_status get_scan_status (const ModuleScanReport *report)
 
- Static Public Attributes inherited from pesieve::ModuleScanReport
static const size_t JSON_LEVEL = 1
 

Detailed Description

A report from the working set scan, generated by WorkingSetScanner.

Definition at line 28 of file workingset_scanner.h.

Constructor & Destructor Documentation

◆ WorkingSetScanReport()

pesieve::WorkingSetScanReport::WorkingSetScanReport (HMODULE _module, size_t _moduleSize, t_scan_status status) [inline]

Definition at line 31 of file workingset_scanner.h.

Member Function Documentation

◆ fieldsToJSON()

virtual const void pesieve::WorkingSetScanReport::fieldsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails) [inline, virtual]

Reimplemented in pesieve::ArtefactScanReport.

Definition at line 53 of file workingset_scanner.h.


◆ generateTags()

size_t pesieve::WorkingSetScanReport::generateTags (const std::string &reportPath)

Definition at line 46 of file workingset_scanner.cpp.


◆ patternsToJSON()

const void pesieve::WorkingSetScanReport::patternsToJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails) [inline, protected]

Definition at line 125 of file workingset_scanner.h.

◆ toJSON()

virtual const bool pesieve::WorkingSetScanReport::toJSON (std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails) [inline, virtual]

Implements pesieve::ModuleScanReport.

Reimplemented in pesieve::ArtefactScanReport.

Definition at line 44 of file workingset_scanner.h.


◆ translate_mapping_type()

static std::string pesieve::WorkingSetScanReport::translate_mapping_type (DWORD type) [inline, static, protected]

Definition at line 114 of file workingset_scanner.h.

Member Data Documentation

◆ all_matched_count

size_t pesieve::WorkingSetScanReport::all_matched_count

Definition at line 103 of file workingset_scanner.h.

◆ area_info

AreaInfo pesieve::WorkingSetScanReport::area_info

Definition at line 107 of file workingset_scanner.h.

◆ custom_matched

std::vector<sig_finder::Match> pesieve::WorkingSetScanReport::custom_matched

Definition at line 102 of file workingset_scanner.h.

◆ data_cache

util::ByteBuffer pesieve::WorkingSetScanReport::data_cache

Definition at line 101 of file workingset_scanner.h.

◆ has_pe

bool pesieve::WorkingSetScanReport::has_pe

Definition at line 98 of file workingset_scanner.h.

◆ has_shellcode

bool pesieve::WorkingSetScanReport::has_shellcode

Definition at line 99 of file workingset_scanner.h.

◆ is_executable

bool pesieve::WorkingSetScanReport::is_executable

Definition at line 96 of file workingset_scanner.h.

◆ is_listed_module

bool pesieve::WorkingSetScanReport::is_listed_module

Definition at line 97 of file workingset_scanner.h.

◆ mapped_name

std::string pesieve::WorkingSetScanReport::mapped_name

Definition at line 111 of file workingset_scanner.h.

◆ mapping_type

DWORD pesieve::WorkingSetScanReport::mapping_type

Definition at line 110 of file workingset_scanner.h.

◆ match_area_start

size_t pesieve::WorkingSetScanReport::match_area_start

Definition at line 104 of file workingset_scanner.h.

◆ protection

DWORD pesieve::WorkingSetScanReport::protection

Definition at line 109 of file workingset_scanner.h.

◆ stats

AreaMultiStats pesieve::WorkingSetScanReport::stats

Definition at line 106 of file workingset_scanner.h.


The documentation for this class was generated from the following files: