PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
code_patterns.h
Go to the documentation of this file.
1#pragma once
2#include <windows.h>
3
4namespace pesieve {
5
6 typedef struct _t_pattern {
7 BYTE* ptr;
8 size_t size;
9 } t_pattern;
10
11 BYTE prolog32_pattern[] = {
12 0x55, // PUSH EBP
13 0x8b, 0xEC // MOV EBP, ESP
14 };
15
16 BYTE prolog32_2_pattern[] = {
17 0x55, // PUSH EBP
18 0x89, 0xE5 // MOV EBP, ESP
19 };
20
21 BYTE prolog32_3_pattern[] = {
22 0x60, // PUSHAD
23 0x89, 0xE5 // MOV EBP, ESP
24 };
25
31
32 BYTE prolog64_pattern[] = {
33 0x40, 0x53, // PUSH RBX
34 0x48, 0x83, 0xEC // SUB RSP, <BYTE>
35 };
36 BYTE prolog64_2_pattern[] = {
37 0x55, // PUSH RBP
38 0x48, 0x8B, 0xEC // MOV RBP, RSP
39 };
40 BYTE prolog64_3_pattern[] = {
41 0x40, 0x55, // PUSH RBP
42 0x48, 0x83, 0xEC // SUB RSP, <BYTE>
43 };
44 BYTE prolog64_4_pattern[] = {
45 0x53, // PUSH RBX
46 0x48, 0x81, 0xEC // SUB RSP, <DWORD>
47 };
48 BYTE prolog64_5_pattern[] = {
49 0x48, 0x83, 0xE4, 0xF0 // AND rsp, FFFFFFFFFFFFFFF0; Align RSP to 16 bytes
50 };
51 BYTE prolog64_6_pattern[] = {
52 0x57, // PUSH RDI
53 0x48, 0x89, 0xE7 // MOV RDI, RSP
54 };
55 BYTE prolog64_7_pattern[] = {
56 0x48, 0x8B, 0xC4, // MOV RAX, RSP
57 0x48, 0x89, 0x58, 0x08, // MOV QWORD PTR [RAX + 8], RBX
58 0x4C, 0x89, 0x48, 0x20, // MOV QWORD PTR [RAX + 0X20], R9
59 0x4C, 0x89, 0x40, 0x18, // MOV QWORD PTR [RAX + 0X18], R8
60 0x48, 0x89, 0x50, 0x10, // MOV QWORD PTR [RAX + 0X10], RDX
61 0x55, // PUSH RBP
62 0x56, // PUSH RSI
63 0x57, // PUSH RDI
64 0x41, 0x54, // PUSH R12
65 0x41, 0x55, // PUSH R13
66 0x41, 0x56, // PUSH R14
67 0x41, 0x57 // PUSH R15
68 };
69
79
80}; // namespace pesieve
pesieve::prolog64_3_pattern
BYTE prolog64_3_pattern[]
Definition code_patterns.h:40
pesieve::prolog32_pattern
BYTE prolog32_pattern[]
Definition code_patterns.h:11
pesieve::prolog64_5_pattern
BYTE prolog64_5_pattern[]
Definition code_patterns.h:48
pesieve::t_pattern
struct pesieve::_t_pattern t_pattern
pesieve::prolog32_3_pattern
BYTE prolog32_3_pattern[]
Definition code_patterns.h:21
pesieve::patterns32
t_pattern patterns32[]
Definition code_patterns.h:26
pesieve::prolog64_6_pattern
BYTE prolog64_6_pattern[]
Definition code_patterns.h:51
pesieve::prolog64_4_pattern
BYTE prolog64_4_pattern[]
Definition code_patterns.h:44
pesieve::prolog64_pattern
BYTE prolog64_pattern[]
Definition code_patterns.h:32
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
pesieve::prolog64_2_pattern
BYTE prolog64_2_pattern[]
Definition code_patterns.h:36
pesieve::patterns64
t_pattern patterns64[]
Definition code_patterns.h:70
pesieve::prolog32_2_pattern
BYTE prolog32_2_pattern[]
Definition code_patterns.h:16
pesieve::prolog64_7_pattern
BYTE prolog64_7_pattern[]
Definition code_patterns.h:55
pesieve::_t_pattern
Definition code_patterns.h:6
pesieve::_t_pattern::size
size_t size
Definition code_patterns.h:8
pesieve::_t_pattern::ptr
BYTE * ptr
Definition code_patterns.h:7
Generated by doxygen 1.10.0