 |
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
|
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
| Cpesieve::_ctx_details | A custom structure keeping a fragment of a thread context |
| Cpesieve::util::_mem_region_info | |
| C_PARAM_STRING | A wrapper for a dynamically allocated string |
| Cpesieve::_process_details | |
| Cpesieve::_t_pattern | |
| C_t_stack_enum_params | |
| Cpesieve::util::_thread_info | |
| Cpesieve::util::_thread_info_ext | |
| Cpesieve::util::_THREAD_LAST_SYSCALL_INFORMATION | |
| Cpesieve::AreaInfo | |
| ▼Cpesieve::AreaStats | Base class for the statistics from analyzed buffer |
| Cpesieve::AreaEntropyStats | |
| Cpesieve::AreaMultiStats | |
| Cpesieve::AreaStatsCalculator | A class responsible for filling in the statistics with the data from the particular buffer |
| Cpesieve::ArtefactScanner::ArtefactsMapping | |
| Cpesieve::util::AutoBuffer | |
| ▼Cpesieve::util::BasicBuffer | |
| Cpesieve::util::ByteBuffer | |
| ▼Cctypes.c_int | |
| Cpesieve.t_data_scan_mode | |
| Cpesieve.t_dotnet_policy | |
| Cpesieve.t_dump_mode | |
| Cpesieve.t_iat_scan_mode | |
| Cpesieve.t_imprec_mode | |
| Cpesieve.t_json_level | |
| Cpesieve.t_obfusc_mode | |
| Cpesieve.t_output_filter | |
| Cpesieve.t_report_type | |
| Cpesieve.t_shellc_mode | |
| Cpesieve::CachedModule | |
| Cpesieve::ChunkStats | Statistics from a block of data |
| Cpesieve::HookTargetResolver | Processes the list of the collected patches (preprocessed by PatchAnalyzer), and for those of them that were detected as hooks, it resolves information about to which modules do they lead to |
| Cpesieve::IATBlock | |
| Cpesieve::IATThunksSeries | |
| Cpesieve::IATThunksSeriesPtrCompare | |
| Cpesieve::ImportTableBuffer | |
| Cpesieve::ImpReconstructor | |
| Cpesieve::MemPageData | |
| Cpesieve::ModuleData | Loads a module from the disk, corresponding to the module in the scanned process' memory |
| Cpesieve::ModuleDumpReport | |
| Cpesieve::ModulesCache | |
| ▼Cpesieve::ModuleScanReport | A base class of all the reports detailing on the output of the performed module's scan |
| Cpesieve::CodeScanReport | A report from the code scan, generated by CodeScanner |
| Cpesieve::HeadersScanReport | A report from the headers scan, generated by HeadersScanner |
| Cpesieve::IATScanReport | A report from an IAT scan, generated by IATScanner |
| Cpesieve::MalformedHeaderReport | |
| Cpesieve::MappingScanReport | |
| Cpesieve::SkippedModuleReport | |
| Cpesieve::ThreadScanReport | A report from the thread scan, generated by ThreadScanner |
| Cpesieve::UnreachableModuleReport | |
| ►Cpesieve::WorkingSetScanReport | A report from the working set scan, generated by WorkingSetScanner |
| Cpesieve::ModulesInfo | A container of all the process modules that were scanned |
| Cpesieve::util::Mutex | |
| Cpesieve::util::MutexLocker | |
| ▼CParams | |
| CPEsieveParams | |
| Cparams | Input parameters for PE-sieve, defining the configuration |
| Cpesieve::PatchList::Patch | |
| Cpesieve::PatchAnalyzer | A postprocessor of the detected code patches. Detects if the patch is a hook, and if so, tries to indentify the address where it leads to |
| Cpesieve::PatchList | |
| Cpesieve::PatternMatcher | |
| Cpesieve::PeArtefacts | A report about the PE artefact detected in the workingset |
| Cpesieve::PeBuffer | |
| Cpesieve::PeReconstructor | |
| Cpesieve::PeSection | Buffers the defined PE section belonging to the module loaded in the scanned process into the local memory |
| Cpesieve::ProcessDumpReport | The report aggregating the results of the performed dumps |
| ▼Cpesieve::ProcessFeatureScanner | A base class for all the scanners checking appropriate process' features |
| Cpesieve::ArtefactScanner | A scanner for detection of artefacts related to PE implants in the process workingset |
| Cpesieve::MappingScanner | A scanner for detection of inconsistencies in mapping. Checks if the mapped file name is different than the module file name |
| ►Cpesieve::ModuleScanner | A base class for all the scanners operating on module data |
| Cpesieve::ThreadScanner | |
| Cpesieve::WorkingSetScanner | A scanner for detection of code implants in the process workingset |
| Cpesieve::ProcessScanner | The root scanner, responsible for enumerating all the elements to be scanned within a given process, and performing apropriate scans on them |
| Cpesieve::ProcessScanReport | The report aggregating the results of the performed scan |
| CProcessSymbolsManager | |
| Cpesieve::util::PSS_VA_CLONE_INFORMATION | |
| Cpesieve::RemoteModuleData | Buffers the data from the module loaded in the scanned process into the local memory |
| Creport | Final summary about the scanned process |
| Cpesieve::ReportEx | The final report about the actions performed on the process: scanning and dumping |
| Cpesieve::ResultsDumper | |
| ▼Cpesieve::RuleMatcher | |
| Cpesieve::CodeMatcher | |
| Cpesieve::EncryptedMatcher | |
| Cpesieve::ObfuscatedMatcher | |
| Cpesieve::TextMatcher | |
| Cpesieve::RuleMatchersSet | |
| Cpesieve::ScannedModule | Represents a basic info about the scanned module, such as its base offset, size, and the status |
| ▼Cpesieve::StatsSettings | Base class for settings defining what type of stats should be collected |
| Cpesieve::MultiStatsSettings | Settings defining what type of stats should be collected |
| Cpesieve::stats::StdDeviationCalc | |
| ▼Cctypes.Structure | |
| Cpesieve.PARAM_STRING | |
| Cpesieve.t_params | |
| Cpesieve.t_report | |
| Cpesieve::SyscallTable | |
| Cpesieve::util::T_CLIENT_ID | |
| Cpesieve::util::t_refl_args | |
| Cpesieve::util::T_RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION | |
| Cpesieve::ThunkFoundCallback | A class containing callbacks for functions: find_iat, fill_iat |
1.12.0