Namespaces
namespace	stats

namespace	util

Classes
struct	_ctx_details
	A custom structure keeping a fragment of a thread context. More...

struct	_process_details

struct	_t_pattern

class	AreaEntropyStats

struct	AreaInfo

class	AreaMultiStats

class	AreaStats
	Base class for the statistics from analyzed buffer. More...

class	AreaStatsCalculator
	A class responsible for filling in the statistics with the data from the particular buffer. More...

class	ArtefactScanner
	A scanner for detection of artefacts related to PE implants in the process workingset. More...

class	ArtefactScanReport
	A report from the artefacts scan, generated by ArtefactScanner. More...

struct	CachedModule

struct	ChunkStats
	Statistics from a block of data. More...

class	CodeMatcher

class	CodeScanner
	A scanner for detection of patches in the code. More...

class	CodeScanReport
	A report from the code scan, generated by CodeScanner. More...

class	EncryptedMatcher

class	ErrorReport

class	HeadersScanner
	A scanner for detection of PE header's modifications. More...

class	HeadersScanReport
	A report from the headers scan, generated by HeadersScanner. More...

class	HookTargetResolver
	Processes the list of the collected patches (preprocessed by PatchAnalyzer), and for those of them that were detected as hooks, it resolves information about to which modules do they lead to. More...

class	IATBlock

class	IATScanner
	A scanner for detection of IAT hooking. More...

class	IATScanReport
	A report from an IAT scan, generated by IATScanner. More...

class	IATThunksSeries

struct	IATThunksSeriesPtrCompare

class	ImportTableBuffer

class	ImpReconstructor

class	MalformedHeaderReport

class	MappingScanner
	A scanner for detection of inconsistencies in mapping. Checks if the mapped file name is different than the module file name. More...

class	MappingScanReport

class	MemPageData

class	ModuleData
	Loads a module from the disk, corresponding to the module in the scanned process' memory. More...

class	ModuleDumpReport

class	ModulesCache

class	ModuleScanner
	A base class for all the scanners operating on module data. More...

class	ModuleScanReport
	A base class of all the reports detailing on the output of the performed module's scan. More...

class	ModulesInfo
	A container of all the process modules that were scanned. More...

struct	MultiStatsSettings
	Settings defining what type of stats should be collected. More...

class	ObfuscatedMatcher

class	PARAM_STRING

class	PatchAnalyzer
	A postprocessor of the detected code patches. Detects if the patch is a hook, and if so, tries to indentify the address where it leads to. More...

class	PatchList

class	PatternMatcher

class	PeArtefacts
	A report about the PE artefact detected in the workingset. More...

class	PeBuffer

class	PeReconstructor

class	PeSection
	Buffers the defined PE section belonging to the module loaded in the scanned process into the local memory. More...

class	ProcessDumpReport
	The report aggregating the results of the performed dumps. More...

class	ProcessFeatureScanner
	A base class for all the scanners checking appropriate process' features. More...

class	ProcessScanner
	The root scanner, responsible for enumerating all the elements to be scanned within a given process, and performing apropriate scans on them. More...

class	ProcessScanReport
	The report aggregating the results of the performed scan. More...

class	RemoteModuleData
	Buffers the data from the module loaded in the scanned process into the local memory. More...

class	ReportEx
	The final report about the actions performed on the process: scanning and dumping. More...

class	ResultsDumper

class	RuleMatcher

struct	RuleMatchersSet

class	ScannedModule
	Represents a basic info about the scanned module, such as its base offset, size, and the status. More...

class	SkippedModuleReport

struct	StatsSettings
	Base class for settings defining what type of stats should be collected. More...

struct	SyscallTable

class	t_data_scan_mode

class	t_dotnet_policy

class	t_dump_mode

class	t_iat_scan_mode

class	t_imprec_mode

class	t_json_level

class	t_obfusc_mode

class	t_output_filter

class	t_params

class	t_report

class	t_report_type

class	t_shellc_mode

class	TextMatcher

class	ThreadScanner

class	ThreadScanReport
	A report from the thread scan, generated by ThreadScanner. More...

class	ThunkFoundCallback
	A class containing callbacks for functions: find_iat, fill_iat. More...

class	UnreachableModuleReport

class	WorkingSetScanner
	A scanner for detection of code implants in the process workingset. More...

class	WorkingSetScanReport
	A report from the working set scan, generated by WorkingSetScanner. More...

Typedefs
typedef std::set< IATThunksSeries *, IATThunksSeriesPtrCompare >	IATThunksSeriesSet

typedef enum pesieve::module_scan_status	t_scan_status

typedef struct pesieve::_process_details	process_details

typedef struct pesieve::_ctx_details	ctx_details
	A custom structure keeping a fragment of a thread context.

typedef struct pesieve::_t_pattern	t_pattern

Enumerations
enum	module_scan_status { SCAN_ERROR = -1 , SCAN_NOT_SUSPICIOUS = 0 , SCAN_SUSPICIOUS = 1 }

enum	t_patch_type { PATCH_UNKNOWN , HOOK_INLINE , HOOK_ADDR_REPLACEMENT , PATCH_PADDING , PATCH_BREAKPOINT , COUNT_PATCH_TYPES }

Functions
	version_to_str (version_val)

	init ()

	PESieve_help ()

t_report	PESieve_scan (t_params params)

(t_report, str, int)	PESieve_scan_ex (t_params params, t_report_type rtype, int buf_size)

void	params_fields_to_JSON (pesieve::t_params &params, std::stringstream &outs, size_t level)

void	params_to_JSON (pesieve::t_params &params, std::stringstream &stream, size_t start_level)

std::string	translate_dump_mode (const DWORD dump_mode)

std::string	translate_out_filter (const pesieve::t_output_filter o_filter)

std::string	translate_results_filter (const pesieve::t_results_filter r_filter)

std::string	results_filter_to_id (const DWORD r_filter)

std::string	translate_data_mode (const pesieve::t_data_scan_mode &mode)

std::string	translate_imprec_mode (const pesieve::t_imprec_mode imprec_mode)

std::string	translate_dotnet_policy (const pesieve::t_dotnet_policy &mode)

std::string	translate_iat_scan_mode (const pesieve::t_iat_scan_mode mode)

std::string	translate_json_level (const pesieve::t_json_level &mode)

std::string	translate_shellc_mode (const pesieve::t_shellc_mode &mode)

std::string	shellc_mode_mode_to_id (const pesieve::t_shellc_mode &mode)

std::string	translate_obfusc_mode (const pesieve::t_obfusc_mode &mode)

std::string	obfusc_mode_mode_to_id (const pesieve::t_obfusc_mode &mode)

std::string	dump_mode_to_id (const DWORD dump_mode)

std::string	imprec_mode_to_id (const pesieve::t_imprec_mode imprec_mode)

void	check_access_denied (DWORD processID)

bool	is_scanner_compatible (IN HANDLE hProcess)

HANDLE	open_process (DWORD processID, bool reflection, bool quiet)

pesieve::ProcessDumpReport *	make_dump (IN HANDLE hProcess, IN bool isRefl, IN const pesieve::t_params &args, IN ProcessScanReport &process_report)

bool	is_by_patterns (const t_shellc_mode &shellc_mode)

std::string	info ()
	The string with the basic information about the scanner.

ReportEx *	scan_and_dump (IN const pesieve::t_params args)
	The main action performed by PE-sieve: scanning the process and dumping the detected material.

size_t	get_longest_func_name (std::map< ULONGLONG, std::set< peconv::ExportedFunc > > &addrToFunc)

template<typename FIELD_T >
size_t	fill_iat (BYTE vBuf, size_t vBufSize, IN const peconv::ExportsMapper exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)

template<typename FIELD_T >
IATBlock *	find_iat (BYTE vBuf, size_t vBufSize, IN const peconv::ExportsMapper exportsMap, IN size_t search_offset, IN ThunkFoundCallback *callback)

BYTE *	get_buffer_space_at (IN BYTE *buffer, IN const size_t buffer_size, IN const DWORD buffer_rva, IN const DWORD required_rva, IN const size_t required_size)

template<typename FIELD_T >
bool	is_valid_import_descriptor (BYTE vBuf, size_t vBufSize, IN const peconv::ExportsMapper exportsMap, IMAGE_IMPORT_DESCRIPTOR *desc)

template<typename FIELD_T >
size_t	calc_import_table_size (BYTE vBuf, size_t vBufSize, IN const peconv::ExportsMapper exportsMap, IMAGE_IMPORT_DESCRIPTOR *first_desc)

template<typename FIELD_T >
IMAGE_IMPORT_DESCRIPTOR *	find_first_import_descriptor (BYTE vBuf, size_t vBufSize, IN const peconv::ExportsMapper exportsMap, IMAGE_IMPORT_DESCRIPTOR *found_desc)

template<typename FIELD_T >
IMAGE_IMPORT_DESCRIPTOR *	find_import_table_tpl (IN BYTE vBuf, IN size_t vBufSize, IN const peconv::ExportsMapper exportsMap, IN DWORD iat_offset, OUT size_t &table_size, IN OPTIONAL size_t search_offset)

IMAGE_IMPORT_DESCRIPTOR *	find_import_table (IN bool is64bit, IN BYTE vBuf, IN size_t vBufSize, IN const peconv::ExportsMapper exportsMap, IN DWORD iat_offset, OUT size_t &table_size, IN OPTIONAL size_t search_offset)

bool	shift_artefacts (PeArtefacts &artefacts, size_t shift_size)

template<typename IMAGE_OPTIONAL_HEADER_T >
bool	overwrite_opt_hdr (BYTE vBuf, size_t vBufSize, IMAGE_OPTIONAL_HEADER_T opt_hdr_ptr, PeArtefacts &artefacts)

std::string	scan_report_to_string (const ProcessScanReport &report)

std::string	scan_report_to_json (const ProcessScanReport &process_report, t_results_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0)

std::string	dump_report_to_json (const ProcessDumpReport &process_report, const pesieve::t_json_level &jdetails, size_t start_level=0)

std::string	err_report_to_json (const ErrorReport &err_report, t_results_filter filter, size_t start_level=0)

std::string	report_to_json (const ReportEx &report, const t_report_type rtype, t_results_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0)

std::string	get_payload_ext (const ArtefactScanReport &artefactRepot)

std::string	get_dump_mode_name (peconv::t_pe_dump_mode dump_mode)

std::string	get_imprec_res_name (const ImpReconstructor::t_imprec_res &res)

peconv::t_pe_dump_mode	convert_to_peconv_dump_mode (const pesieve::t_dump_mode dump_mode)

bool	make_dump_dir (const std::string &directory)

std::string	get_module_file_name (HANDLE processHandle, const ModuleScanReport &mod)

bool	is_valid_file_hdr (BYTE loadedData, size_t loadedSize, BYTE hdr_ptr, DWORD charact)

bool	is_valid_section (BYTE loadedData, size_t loadedSize, BYTE hdr_ptr, DWORD charact)

BYTE *	first_different (const BYTE *buf_ptr, size_t bif_size, const BYTE padding)

bool	is_shown_type (t_scan_status status, t_results_filter filter)

bool	validate_param_str (PARAM_STRING &strparam)

void	print_scan_time (const char *scanned_element, size_t total_time)

bool	is_running (HANDLE processHandle)

bool	is_thread_running (HANDLE hThread)

bool	is_by_stats (const t_shellc_mode &shellc_mode)

bool	match_to_tag (std::ofstream &patch_report, const char delimiter, size_t start_offset, const sig_finder::Match &match)

double	getValRatio (IN const AreaMultiStats &stats, BYTE val)

size_t	checkRatios (IN const AreaMultiStats &stats, IN std::map< BYTE, double > &ratios)

size_t	countFoundStrings (IN const AreaMultiStats &stats, IN const std::set< std::string > &neededStrings, IN size_t minOccurrence)

size_t	init_32_patterns (Node *rootN)

size_t	init_64_patterns (Node *rootN)

size_t	search_till_pattern (sig_finder::Node &rootN, const BYTE *loadedData, size_t loadedSize)

Variables
int	PESIEVE_MIN_VER = 0x030800

int	PESIEVE_MAX_VER = 0x030800

int	ERROR_SCAN_FAILURE = -1

int	MAX_PATH = 260

	lib = None

	PESieve_version = None

const WORD	ERROR_COLOR = 0x0c

const WORD	WARNING_COLOR = 0x0c

const WORD	HILIGHTED_COLOR = 0x0f

const char	PESIEVE_URL [] = "https://github.com/hasherezade/pe-sieve"

std::set< DWORD >	HardcodedPatterns

pesieve::util::Mutex	g_HardcodedPatternsMutex

BYTE	prolog32_pattern []

BYTE	prolog32_2_pattern []

BYTE	prolog32_3_pattern []

t_pattern	patterns32 []

BYTE	prolog64_pattern []

BYTE	prolog64_2_pattern []

BYTE	prolog64_3_pattern []

BYTE	prolog64_4_pattern []

BYTE	prolog64_5_pattern []

BYTE	prolog64_6_pattern []

BYTE	prolog64_7_pattern []

t_pattern	patterns64 []

Typedef Documentation

◆ ctx_details

typedef struct pesieve::_ctx_details pesieve.ctx_details

A custom structure keeping a fragment of a thread context.

◆ IATThunksSeriesSet

typedef std::set<IATThunksSeries*, IATThunksSeriesPtrCompare> pesieve.IATThunksSeriesSet

Definition at line 76 of file iat_block.h.

◆ process_details

typedef struct pesieve::_process_details pesieve.process_details

◆ t_pattern

typedef struct pesieve::_t_pattern pesieve.t_pattern

◆ t_scan_status

typedef enum pesieve::module_scan_status pesieve.t_scan_status

Enumeration Type Documentation

◆ module_scan_status

enum pesieve::module_scan_status

Enumerator
SCAN_ERROR
SCAN_NOT_SUSPICIOUS
SCAN_SUSPICIOUS

Definition at line 18 of file module_scan_report.h.

◆ t_patch_type

enum pesieve::t_patch_type

Enumerator
PATCH_UNKNOWN
HOOK_INLINE
HOOK_ADDR_REPLACEMENT
PATCH_PADDING
PATCH_BREAKPOINT
COUNT_PATCH_TYPES

Definition at line 11 of file patch_list.h.

Function Documentation

◆ calc_import_table_size()

template<typename FIELD_T >

size_t pesieve::calc_import_table_size	(	BYTE *	vBuf,
		size_t	vBufSize,
		IN const peconv::ExportsMapper *	exportsMap,
		IMAGE_IMPORT_DESCRIPTOR *	first_desc )

Definition at line 45 of file import_table_finder.h.

Here is the call graph for this function:

◆ check_access_denied()

void pesieve::check_access_denied ( DWORD processID )

Definition at line 28 of file pe_sieve.cpp.

Here is the call graph for this function:

◆ checkRatios()

size_t pesieve::checkRatios	(	IN const AreaMultiStats &	stats,
		IN std::map< BYTE, double > &	ratios )

Definition at line 42 of file stats_analyzer.cpp.

Here is the call graph for this function:

◆ convert_to_peconv_dump_mode()

peconv::t_pe_dump_mode pesieve::convert_to_peconv_dump_mode ( const pesieve::t_dump_mode dump_mode )

Definition at line 71 of file results_dumper.cpp.

◆ countFoundStrings()

size_t pesieve::countFoundStrings	(	IN const AreaMultiStats &	stats,
		IN const std::set< std::string > &	neededStrings,
		IN size_t	minOccurrence )

Definition at line 59 of file stats_analyzer.cpp.

◆ dump_mode_to_id()

std::string pesieve::dump_mode_to_id ( const DWORD dump_mode )

Definition at line 22 of file pe_sieve_params_info.cpp.

◆ dump_report_to_json()

std::string pesieve::dump_report_to_json	(	const ProcessDumpReport &	process_report,
		const pesieve::t_json_level &	jdetails,
		size_t	start_level = 0 )

Definition at line 87 of file report_formatter.cpp.

Here is the call graph for this function:

◆ err_report_to_json()

std::string pesieve::err_report_to_json	(	const ErrorReport &	err_report,
		t_results_filter	filter,
		size_t	start_level = 0 )

Definition at line 39 of file report_formatter.cpp.

◆ fill_iat()

template<typename FIELD_T >

size_t pesieve::fill_iat	(	BYTE *	vBuf,
		size_t	vBufSize,
		IN const peconv::ExportsMapper *	exportsMap,
		IN OUT IATBlock &	iat,
		IN ThunkFoundCallback *	callback )

Definition at line 31 of file iat_finder.h.

Here is the call graph for this function:

◆ find_first_import_descriptor()

template<typename FIELD_T >

IMAGE_IMPORT_DESCRIPTOR * pesieve::find_first_import_descriptor	(	BYTE *	vBuf,
		size_t	vBufSize,
		IN const peconv::ExportsMapper *	exportsMap,
		IMAGE_IMPORT_DESCRIPTOR *	found_desc )

Definition at line 67 of file import_table_finder.h.

Here is the call graph for this function:

◆ find_iat()

template<typename FIELD_T >

IATBlock * pesieve::find_iat	(	BYTE *	vBuf,
		size_t	vBufSize,
		IN const peconv::ExportsMapper *	exportsMap,
		IN size_t	search_offset,
		IN ThunkFoundCallback *	callback )

Definition at line 94 of file iat_finder.h.

Here is the call graph for this function:

◆ find_import_table()

IMAGE_IMPORT_DESCRIPTOR * pesieve::find_import_table	(	IN bool	is64bit,
		IN BYTE *	vBuf,
		IN size_t	vBufSize,
		IN const peconv::ExportsMapper *	exportsMap,
		IN DWORD	iat_offset,
		OUT size_t &	table_size,
		IN OPTIONAL size_t	search_offset )

Definition at line 3 of file import_table_finder.cpp.

◆ find_import_table_tpl()

template<typename FIELD_T >

IMAGE_IMPORT_DESCRIPTOR * pesieve::find_import_table_tpl	(	IN BYTE *	vBuf,
		IN size_t	vBufSize,
		IN const peconv::ExportsMapper *	exportsMap,
		IN DWORD	iat_offset,
		OUT size_t &	table_size,
		IN OPTIONAL size_t	search_offset )

Definition at line 87 of file import_table_finder.h.

Here is the call graph for this function:

◆ first_different()

BYTE * pesieve::first_different	(	const BYTE *	buf_ptr,
		size_t	bif_size,
		const BYTE	padding )

inline

Definition at line 168 of file code_scanner.cpp.

◆ get_buffer_space_at()

BYTE * pesieve::get_buffer_space_at	(	IN BYTE *	buffer,
		IN const size_t	buffer_size,
		IN const DWORD	buffer_rva,
		IN const DWORD	required_rva,
		IN const size_t	required_size )

Definition at line 13 of file imp_reconstructor.cpp.

◆ get_dump_mode_name()

std::string pesieve::get_dump_mode_name ( peconv::t_pe_dump_mode dump_mode )

Definition at line 31 of file results_dumper.cpp.

◆ get_imprec_res_name()

std::string pesieve::get_imprec_res_name ( const ImpReconstructor::t_imprec_res & res )

Definition at line 44 of file results_dumper.cpp.

◆ get_longest_func_name()

size_t pesieve::get_longest_func_name ( std::map< ULONGLONG, std::set< peconv::ExportedFunc > > & addrToFunc )

Definition at line 5 of file iat_block.cpp.

◆ get_module_file_name()

std::string pesieve::get_module_file_name	(	HANDLE	processHandle,
		const ModuleScanReport &	mod )

Definition at line 97 of file results_dumper.cpp.

◆ get_payload_ext()

std::string pesieve::get_payload_ext ( const ArtefactScanReport & artefactRepot )

Definition at line 20 of file results_dumper.cpp.

◆ getValRatio()

double pesieve::getValRatio	(	IN const AreaMultiStats &	stats,
		BYTE	val )

Definition at line 16 of file stats_analyzer.cpp.

◆ imprec_mode_to_id()

std::string pesieve::imprec_mode_to_id ( const pesieve::t_imprec_mode imprec_mode )

Definition at line 96 of file pe_sieve_params_info.cpp.

◆ info()

std::string pesieve::info ( )

The string with the basic information about the scanner.

Definition at line 274 of file pe_sieve.cpp.

◆ init()

pesieve.init ( )

Definition at line 147 of file pesieve.py.

Here is the call graph for this function:

◆ init_32_patterns()

size_t pesieve::init_32_patterns ( Node * rootN )

Definition at line 26 of file artefacts_util.cpp.

◆ init_64_patterns()

size_t pesieve::init_64_patterns ( Node * rootN )

Definition at line 45 of file artefacts_util.cpp.

◆ is_by_patterns()

bool pesieve::is_by_patterns ( const t_shellc_mode & shellc_mode )

inline

Definition at line 185 of file pe_sieve.cpp.

◆ is_by_stats()

bool pesieve::is_by_stats ( const t_shellc_mode & shellc_mode )

inline

Definition at line 19 of file workingset_scanner.cpp.

◆ is_running()

bool pesieve::is_running ( HANDLE processHandle )

Definition at line 67 of file scanner.cpp.

Here is the call graph for this function:

◆ is_scanner_compatible()

bool pesieve::is_scanner_compatible ( IN HANDLE hProcess )

Definition at line 50 of file pe_sieve.cpp.

Here is the call graph for this function:

◆ is_shown_type()

bool pesieve::is_shown_type	(	t_scan_status	status,
		t_results_filter	filter )

Definition at line 19 of file scan_report.cpp.

◆ is_thread_running()

bool pesieve::is_thread_running ( HANDLE hThread )

Definition at line 41 of file thread_scanner.cpp.

◆ is_valid_file_hdr()

bool pesieve::is_valid_file_hdr	(	BYTE *	loadedData,
		size_t	loadedSize,
		BYTE *	hdr_ptr,
		DWORD	charact )

Definition at line 454 of file artefact_scanner.cpp.

◆ is_valid_import_descriptor()

template<typename FIELD_T >

bool pesieve::is_valid_import_descriptor	(	BYTE *	vBuf,
		size_t	vBufSize,
		IN const peconv::ExportsMapper *	exportsMap,
		IMAGE_IMPORT_DESCRIPTOR *	desc )

Definition at line 7 of file import_table_finder.h.

◆ is_valid_section()

bool pesieve::is_valid_section	(	BYTE *	loadedData,
		size_t	loadedSize,
		BYTE *	hdr_ptr,
		DWORD	charact )

Definition at line 102 of file artefact_scanner.cpp.

◆ make_dump()

pesieve::ProcessDumpReport * pesieve::make_dump	(	IN HANDLE	hProcess,
		IN bool	isRefl,
		IN const pesieve::t_params &	args,
		IN ProcessScanReport &	process_report )

Definition at line 118 of file pe_sieve.cpp.

Here is the call graph for this function:

◆ make_dump_dir()

bool pesieve::make_dump_dir ( const std::string & directory )

Definition at line 89 of file results_dumper.cpp.

Here is the call graph for this function:

◆ match_to_tag()

bool pesieve::match_to_tag	(	std::ofstream &	patch_report,
		const char	delimiter,
		size_t	start_offset,
		const sig_finder::Match &	match )

inline

Definition at line 30 of file workingset_scanner.cpp.

◆ obfusc_mode_mode_to_id()

std::string pesieve::obfusc_mode_mode_to_id ( const pesieve::t_obfusc_mode & mode )

Definition at line 212 of file pe_sieve_params_info.cpp.

◆ open_process()

HANDLE pesieve::open_process	(	DWORD	processID,
		bool	reflection,
		bool	quiet )

Definition at line 65 of file pe_sieve.cpp.

Here is the call graph for this function:

◆ overwrite_opt_hdr()

template<typename IMAGE_OPTIONAL_HEADER_T >

bool pesieve::overwrite_opt_hdr	(	BYTE *	vBuf,
		size_t	vBufSize,
		IMAGE_OPTIONAL_HEADER_T *	opt_hdr_ptr,
		PeArtefacts &	artefacts )

Definition at line 14 of file pe_reconstructor.h.

◆ params_fields_to_JSON()

void pesieve::params_fields_to_JSON	(	pesieve::t_params &	params,
		std::stringstream &	outs,
		size_t	level )

Definition at line 5 of file params_dump.cpp.

◆ params_to_JSON()

void pesieve::params_to_JSON	(	pesieve::t_params &	params,
		std::stringstream &	stream,
		size_t	start_level )

Definition at line 54 of file params_dump.cpp.

Here is the call graph for this function:

◆ PESieve_help()

pesieve.PESieve_help ( void )

Definition at line 168 of file pesieve.py.

Here is the call graph for this function:

◆ PESieve_scan()

t_report pesieve.PESieve_scan ( t_params params )

Definition at line 173 of file pesieve.py.

Here is the call graph for this function:

◆ PESieve_scan_ex()

(t_report, str, int) pesieve.PESieve_scan_ex	(	t_params	params,
		t_report_type	rtype,
		int	buf_size )

Definition at line 186 of file pesieve.py.

Here is the call graph for this function:

◆ print_scan_time()

void pesieve::print_scan_time	(	const char *	scanned_element,
		size_t	total_time )

Definition at line 59 of file scanner.cpp.

Here is the call graph for this function:

◆ report_to_json()

std::string pesieve::report_to_json	(	const ReportEx &	report,
		const t_report_type	rtype,
		t_results_filter	filter,
		const pesieve::t_json_level &	jdetails,
		size_t	start_level = 0 )

Definition at line 106 of file report_formatter.cpp.

Here is the call graph for this function:

◆ results_filter_to_id()

std::string pesieve::results_filter_to_id ( const DWORD r_filter )

Definition at line 63 of file pe_sieve_params_info.cpp.

◆ scan_and_dump()

pesieve::ReportEx * pesieve::scan_and_dump ( IN const pesieve::t_params args )

The main action performed by PE-sieve: scanning the process and dumping the detected material.

Parameters

args	: the configuration of the scan (defined as t_params)

Returns: A pointer to the generated report (of type ReportEx)

Definition at line 198 of file pe_sieve.cpp.

Here is the call graph for this function:

◆ scan_report_to_json()

std::string pesieve::scan_report_to_json	(	const ProcessScanReport &	process_report,
		t_results_filter	filter,
		const pesieve::t_json_level &	jdetails,
		size_t	start_level = 0 )

Definition at line 67 of file report_formatter.cpp.

Here is the call graph for this function:

◆ scan_report_to_string()

std::string pesieve::scan_report_to_string ( const ProcessScanReport & report )

Definition at line 7 of file report_formatter.cpp.

Here is the call graph for this function:

◆ search_till_pattern()

size_t pesieve::search_till_pattern	(	sig_finder::Node &	rootN,
		const BYTE *	loadedData,
		size_t	loadedSize )

inline

Definition at line 64 of file artefacts_util.cpp.

◆ shellc_mode_mode_to_id()

std::string pesieve::shellc_mode_mode_to_id ( const pesieve::t_shellc_mode & mode )

Definition at line 165 of file pe_sieve_params_info.cpp.

◆ shift_artefacts()

bool pesieve::shift_artefacts	(	PeArtefacts &	artefacts,
		size_t	shift_size )

inline

Definition at line 8 of file pe_reconstructor.cpp.

◆ translate_data_mode()

std::string pesieve::translate_data_mode ( const pesieve::t_data_scan_mode & mode )

Definition at line 133 of file pe_sieve_params_info.cpp.

◆ translate_dotnet_policy()

std::string pesieve::translate_dotnet_policy ( const pesieve::t_dotnet_policy & mode )

Definition at line 116 of file pe_sieve_params_info.cpp.

◆ translate_dump_mode()

std::string pesieve::translate_dump_mode ( const DWORD dump_mode )

Definition at line 7 of file pe_sieve_params_info.cpp.

◆ translate_iat_scan_mode()

std::string pesieve::translate_iat_scan_mode ( const pesieve::t_iat_scan_mode mode )

Definition at line 226 of file pe_sieve_params_info.cpp.

◆ translate_imprec_mode()

std::string pesieve::translate_imprec_mode ( const pesieve::t_imprec_mode imprec_mode )

Definition at line 76 of file pe_sieve_params_info.cpp.

◆ translate_json_level()

std::string pesieve::translate_json_level ( const pesieve::t_json_level & mode )

Definition at line 152 of file pe_sieve_params_info.cpp.

◆ translate_obfusc_mode()

std::string pesieve::translate_obfusc_mode ( const pesieve::t_obfusc_mode & mode )

Definition at line 197 of file pe_sieve_params_info.cpp.

◆ translate_out_filter()

std::string pesieve::translate_out_filter ( const pesieve::t_output_filter o_filter )

Definition at line 37 of file pe_sieve_params_info.cpp.

◆ translate_results_filter()

std::string pesieve::translate_results_filter ( const pesieve::t_results_filter r_filter )

Definition at line 50 of file pe_sieve_params_info.cpp.

◆ translate_shellc_mode()

std::string pesieve::translate_shellc_mode ( const pesieve::t_shellc_mode & mode )

Definition at line 180 of file pe_sieve_params_info.cpp.

◆ validate_param_str()

bool pesieve::validate_param_str ( PARAM_STRING & strparam )

Definition at line 31 of file scanner.cpp.

◆ version_to_str()

pesieve.version_to_str ( version_val )

Definition at line 12 of file pesieve.py.

Variable Documentation

◆ ERROR_COLOR

const WORD pesieve.ERROR_COLOR = 0x0c

Definition at line 5 of file color_scheme.h.

◆ ERROR_SCAN_FAILURE

int pesieve.ERROR_SCAN_FAILURE = -1

Definition at line 9 of file pesieve.py.

◆ g_HardcodedPatternsMutex

pesieve::util::Mutex pesieve.g_HardcodedPatternsMutex

Definition at line 24 of file artefacts_util.cpp.

◆ HardcodedPatterns

std::set<DWORD> pesieve.HardcodedPatterns

Definition at line 23 of file artefacts_util.cpp.

◆ HILIGHTED_COLOR

const WORD pesieve.HILIGHTED_COLOR = 0x0f

Definition at line 7 of file color_scheme.h.

◆ lib

pesieve.lib = None

Definition at line 144 of file pesieve.py.

◆ MAX_PATH

int pesieve.MAX_PATH = 260

Definition at line 10 of file pesieve.py.

◆ patterns32

t_pattern pesieve.patterns32[]

Initial value:

= {
        { prolog32_pattern,   sizeof(prolog32_pattern) },
        { prolog32_2_pattern, sizeof(prolog32_2_pattern) },
        { prolog32_3_pattern, sizeof(prolog32_3_pattern) }
    }

Definition at line 26 of file code_patterns.h.

◆ patterns64

t_pattern pesieve.patterns64[]

Initial value:

= {
        { prolog64_pattern,   sizeof(prolog64_pattern) },
        { prolog64_2_pattern, sizeof(prolog64_2_pattern) },
        { prolog64_3_pattern, sizeof(prolog64_3_pattern) },
        { prolog64_4_pattern, sizeof(prolog64_4_pattern) },
        { prolog64_5_pattern, sizeof(prolog64_5_pattern) },
        { prolog64_6_pattern, sizeof(prolog64_6_pattern) },
        { prolog64_7_pattern, sizeof(prolog64_7_pattern) }
    }

Definition at line 70 of file code_patterns.h.

◆ PESIEVE_MAX_VER

int pesieve.PESIEVE_MAX_VER = 0x030800

Definition at line 7 of file pesieve.py.

◆ PESIEVE_MIN_VER

int pesieve.PESIEVE_MIN_VER = 0x030800

Definition at line 6 of file pesieve.py.

◆ PESIEVE_URL

const char pesieve.PESIEVE_URL[] = "https://github.com/hasherezade/pe-sieve"

Definition at line 21 of file pe_sieve.h.

◆ PESieve_version

pesieve.PESieve_version = None

Definition at line 145 of file pesieve.py.

◆ prolog32_2_pattern

BYTE pesieve.prolog32_2_pattern[]

Initial value:

= {
        0x55, 
        0x89, 0xE5 
    }

Definition at line 16 of file code_patterns.h.

◆ prolog32_3_pattern

BYTE pesieve.prolog32_3_pattern[]

Initial value:

= {
        0x60, 
        0x89, 0xE5 
    }

Definition at line 21 of file code_patterns.h.

◆ prolog32_pattern

BYTE pesieve.prolog32_pattern[]

Initial value:

= {
        0x55, 
        0x8b, 0xEC 
    }

Definition at line 11 of file code_patterns.h.

◆ prolog64_2_pattern

BYTE pesieve.prolog64_2_pattern[]

Initial value:

= {
        0x55,            
        0x48, 0x8B, 0xEC 
    }

Definition at line 36 of file code_patterns.h.

◆ prolog64_3_pattern

BYTE pesieve.prolog64_3_pattern[]

Initial value:

= {
        0x40, 0x55,      
        0x48, 0x83, 0xEC 
    }

Definition at line 40 of file code_patterns.h.

◆ prolog64_4_pattern

BYTE pesieve.prolog64_4_pattern[]

Initial value:

= {
        0x53,            
        0x48, 0x81, 0xEC 
    }

Definition at line 44 of file code_patterns.h.

◆ prolog64_5_pattern

BYTE pesieve.prolog64_5_pattern[]

Initial value:

= {
        0x48, 0x83, 0xE4, 0xF0 
    }

Definition at line 48 of file code_patterns.h.

◆ prolog64_6_pattern

BYTE pesieve.prolog64_6_pattern[]

Initial value:

= {
        0x57,            
        0x48, 0x89, 0xE7 
    }

Definition at line 51 of file code_patterns.h.

◆ prolog64_7_pattern

BYTE pesieve.prolog64_7_pattern[]

Initial value:

= {
         0x48, 0x8B, 0xC4, 
         0x48, 0x89, 0x58, 0x08, 
         0x4C, 0x89, 0x48, 0x20, 
         0x4C, 0x89, 0x40, 0x18, 
         0x48, 0x89, 0x50, 0x10, 
         0x55, 
         0x56, 
         0x57, 
         0x41, 0x54, 
         0x41, 0x55, 
         0x41, 0x56, 
         0x41, 0x57 
    }

Definition at line 55 of file code_patterns.h.

◆ prolog64_pattern

BYTE pesieve.prolog64_pattern[]

Initial value:

= {
        0x40, 0x53,       
        0x48, 0x83, 0xEC 
    }

Definition at line 32 of file code_patterns.h.

◆ WARNING_COLOR

const WORD pesieve.WARNING_COLOR = 0x0c

Definition at line 6 of file color_scheme.h.

Namespaces

Classes

Typedefs

Enumerations

Functions

Variables

Typedef Documentation

◆ ctx_details

◆ IATThunksSeriesSet

◆ process_details

◆ t_pattern

◆ t_scan_status

Enumeration Type Documentation

◆ module_scan_status

◆ t_patch_type

Function Documentation

◆ calc_import_table_size()

◆ check_access_denied()

◆ checkRatios()

◆ convert_to_peconv_dump_mode()

◆ countFoundStrings()

◆ dump_mode_to_id()

◆ dump_report_to_json()

◆ err_report_to_json()

◆ fill_iat()

◆ find_first_import_descriptor()

◆ find_iat()

◆ find_import_table()

◆ find_import_table_tpl()

◆ first_different()

◆ get_buffer_space_at()

◆ get_dump_mode_name()

◆ get_imprec_res_name()

◆ get_longest_func_name()

◆ get_module_file_name()

◆ get_payload_ext()

◆ getValRatio()

◆ imprec_mode_to_id()

◆ info()

◆ init()

◆ init_32_patterns()

◆ init_64_patterns()

◆ is_by_patterns()

◆ is_by_stats()

◆ is_running()

◆ is_scanner_compatible()

◆ is_shown_type()

◆ is_thread_running()

◆ is_valid_file_hdr()

◆ is_valid_import_descriptor()

◆ is_valid_section()

◆ make_dump()

◆ make_dump_dir()

◆ match_to_tag()

◆ obfusc_mode_mode_to_id()

◆ open_process()

◆ overwrite_opt_hdr()

◆ params_fields_to_JSON()

◆ params_to_JSON()

◆ PESieve_help()

◆ PESieve_scan()

◆ PESieve_scan_ex()

◆ print_scan_time()

◆ report_to_json()

◆ results_filter_to_id()

◆ scan_and_dump()

◆ scan_report_to_json()

◆ scan_report_to_string()

◆ search_till_pattern()

◆ shellc_mode_mode_to_id()

◆ shift_artefacts()

◆ translate_data_mode()

◆ translate_dotnet_policy()

◆ translate_dump_mode()

◆ translate_iat_scan_mode()

◆ translate_imprec_mode()

◆ translate_json_level()

◆ translate_obfusc_mode()

◆ translate_out_filter()

◆ translate_results_filter()