PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
pesieve::WorkingSetScanner Class Reference

A scanner for detection of code implants in the process workingset. More...

#include <workingset_scanner.h>

Inheritance diagram for pesieve::WorkingSetScanner:
Inheritance graph
[legend]

Public Member Functions

 WorkingSetScanner (HANDLE _procHndl, process_details _proc_details, const util::mem_region_info _mem_region, pesieve::t_params _args, ProcessScanReport &_process_report)
 
virtual ~WorkingSetScanner ()
 
virtual WorkingSetScanReportscanRemote ()
 
- Public Member Functions inherited from pesieve::ProcessFeatureScanner
 ProcessFeatureScanner (HANDLE _processHandle)
 
virtual ~ProcessFeatureScanner ()
 

Protected Member Functions

bool scanImg (MemPageData &memPage)
 
bool isScannedAsModule (MemPageData &memPageData)
 
bool isExecutable (MemPageData &memPageData)
 
bool isPotentiallyExecutable (MemPageData &memPageData, const t_data_scan_mode &mode)
 
bool checkAreaContent (IN MemPageData &_memPage, OUT WorkingSetScanReport *my_report)
 
WorkingSetScanReportscanExecutableArea (MemPageData &memPageData)
 

Protected Attributes

const process_details pDetails
 
const util::mem_region_info memRegion
 
ProcessScanReportprocessReport
 
pesieve::t_params args
 
- Protected Attributes inherited from pesieve::ProcessFeatureScanner
HANDLE processHandle
 

Detailed Description

A scanner for detection of code implants in the process workingset.

Definition at line 147 of file workingset_scanner.h.

Constructor & Destructor Documentation

◆ WorkingSetScanner()

pesieve::WorkingSetScanner::WorkingSetScanner ( HANDLE _procHndl,
process_details _proc_details,
const util::mem_region_info _mem_region,
pesieve::t_params _args,
ProcessScanReport & _process_report )
inline

Definition at line 149 of file workingset_scanner.h.

◆ ~WorkingSetScanner()

virtual pesieve::WorkingSetScanner::~WorkingSetScanner ( )
inlinevirtual

Definition at line 157 of file workingset_scanner.h.

Member Function Documentation

◆ checkAreaContent()

bool pesieve::WorkingSetScanner::checkAreaContent ( IN MemPageData & _memPage,
OUT WorkingSetScanReport * my_report )
protected

Definition at line 68 of file workingset_scanner.cpp.

Here is the call graph for this function:

◆ isExecutable()

bool pesieve::WorkingSetScanner::isExecutable ( MemPageData & memPageData)
protected

Definition at line 160 of file workingset_scanner.cpp.

Here is the call graph for this function:

◆ isPotentiallyExecutable()

bool pesieve::WorkingSetScanner::isPotentiallyExecutable ( MemPageData & memPageData,
const t_data_scan_mode & mode )
protected

Definition at line 168 of file workingset_scanner.cpp.

Here is the call graph for this function:

◆ isScannedAsModule()

bool pesieve::WorkingSetScanner::isScannedAsModule ( MemPageData & memPageData)
protected

Definition at line 242 of file workingset_scanner.cpp.

Here is the call graph for this function:

◆ scanExecutableArea()

WorkingSetScanReport * pesieve::WorkingSetScanner::scanExecutableArea ( MemPageData & memPageData)
protected

Definition at line 201 of file workingset_scanner.cpp.

Here is the call graph for this function:

◆ scanImg()

bool pesieve::WorkingSetScanner::scanImg ( MemPageData & memPage)
protected

Definition at line 253 of file workingset_scanner.cpp.

Here is the call graph for this function:

◆ scanRemote()

WorkingSetScanReport * pesieve::WorkingSetScanner::scanRemote ( )
virtual

Perform the scan on the remote process

Returns
a pointer to an object of the class inherited from ModuleScanReport

Implements pesieve::ProcessFeatureScanner.

Definition at line 306 of file workingset_scanner.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ args

pesieve::t_params pesieve::WorkingSetScanner::args
protected

Definition at line 174 of file workingset_scanner.h.

◆ memRegion

const util::mem_region_info pesieve::WorkingSetScanner::memRegion
protected

Definition at line 171 of file workingset_scanner.h.

◆ pDetails

const process_details pesieve::WorkingSetScanner::pDetails
protected

Definition at line 170 of file workingset_scanner.h.

◆ processReport

ProcessScanReport& pesieve::WorkingSetScanner::processReport
protected

Definition at line 173 of file workingset_scanner.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.10.0