|
| struct | _process_details |
| |
| struct | _t_pattern |
| |
| struct | _thread_ctx |
| | A custom structure keeping a fragment of a thread context. More...
|
| |
| class | AreaEntropyStats |
| |
| struct | AreaInfo |
| |
| class | AreaMultiStats |
| |
| class | AreaStats |
| | Base class for the statistics from analyzed buffer. More...
|
| |
| class | AreaStatsCalculator |
| | A class responsible for filling in the statistics with the data from the particular buffer. More...
|
| |
| class | ArtefactScanner |
| | A scanner for detection of artefacts related to PE implants in the process workingset. More...
|
| |
| class | ArtefactScanReport |
| | A report from the artefacts scan, generated by ArtefactScanner. More...
|
| |
| struct | CachedModule |
| |
| struct | ChunkStats |
| | Statistics from a block of data. More...
|
| |
| class | CodeMatcher |
| |
| class | CodeScanner |
| | A scanner for detection of patches in the code. More...
|
| |
| class | CodeScanReport |
| | A report from the code scan, generated by CodeScanner. More...
|
| |
| class | EncryptedMatcher |
| |
| class | HeadersScanner |
| | A scanner for detection of PE header's modifications. More...
|
| |
| class | HeadersScanReport |
| | A report from the headers scan, generated by HeadersScanner. More...
|
| |
| class | HookTargetResolver |
| | Processes the list of the collected patches (preprocessed by PatchAnalyzer), and for those of them that were detected as hooks, it resolves information about to which modules do they lead to. More...
|
| |
| class | IATBlock |
| |
| class | IATScanner |
| | A scanner for detection of IAT hooking. More...
|
| |
| class | IATScanReport |
| | A report from an IAT scan, generated by IATScanner. More...
|
| |
| class | IATThunksSeries |
| |
| struct | IATThunksSeriesPtrCompare |
| |
| class | ImportTableBuffer |
| |
| class | ImpReconstructor |
| |
| class | MalformedHeaderReport |
| |
| class | MappingScanner |
| | A scanner for detection of inconsistencies in mapping. Checks if the mapped file name is different than the module file name. More...
|
| |
| class | MappingScanReport |
| |
| class | MemPageData |
| |
| class | ModuleData |
| | Loads a module from the disk, corresponding to the module in the scanned process' memory. More...
|
| |
| class | ModuleDumpReport |
| |
| class | ModulesCache |
| |
| class | ModuleScanner |
| | A base class for all the scanners operating on module data. More...
|
| |
| class | ModuleScanReport |
| | A base class of all the reports detailing on the output of the performed module's scan. More...
|
| |
| class | ModulesInfo |
| | A container of all the process modules that were scanned. More...
|
| |
| struct | MultiStatsSettings |
| | Settings defining what type of stats should be collected. More...
|
| |
| class | ObfuscatedMatcher |
| |
| class | PARAM_STRING |
| |
| class | PatchAnalyzer |
| | A postprocessor of the detected code patches. Detects if the patch is a hook, and if so, tries to indentify the address where it leads to. More...
|
| |
| class | PatchList |
| |
| class | PeArtefacts |
| | A report about the PE artefact detected in the workingset. More...
|
| |
| class | PeBuffer |
| |
| class | PeReconstructor |
| |
| class | PeSection |
| | Buffers the defined PE section belonging to the module loaded in the scanned process into the local memory. More...
|
| |
| class | ProcessDumpReport |
| | The report aggregating the results of the performed dumps. More...
|
| |
| class | ProcessFeatureScanner |
| | A base class for all the scanners checking appropriate process' features. More...
|
| |
| class | ProcessScanner |
| | The root scanner, responsible for enumerating all the elements to be scanned within a given process, and performing apropriate scans on them. More...
|
| |
| class | ProcessScanReport |
| | The report aggregating the results of the performed scan. More...
|
| |
| class | RemoteModuleData |
| | Buffers the data from the module loaded in the scanned process into the local memory. More...
|
| |
| class | ReportEx |
| | The final report about the actions performed on the process: scanning and dumping. More...
|
| |
| class | ResultsDumper |
| |
| class | RuleMatcher |
| |
| struct | RuleMatchersSet |
| |
| class | ScannedModule |
| | Represents a basic info about the scanned module, such as its base offset, size, and the status. More...
|
| |
| class | SkippedModuleReport |
| |
| struct | StatsSettings |
| | Base class for settings defining what type of stats should be collected. More...
|
| |
| class | t_data_scan_mode |
| |
| class | t_dotnet_policy |
| |
| class | t_dump_mode |
| |
| class | t_iat_scan_mode |
| |
| class | t_imprec_mode |
| |
| class | t_json_level |
| |
| class | t_obfusc_mode |
| |
| class | t_output_filter |
| |
| class | t_params |
| |
| class | t_report |
| |
| class | t_report_type |
| |
| class | t_shellc_mode |
| |
| class | TextMatcher |
| |
| class | ThreadScanner |
| |
| class | ThreadScanReport |
| | A report from the thread scan, generated by ThreadScanner. More...
|
| |
| class | ThunkFoundCallback |
| | A class containing callbacks for functions: find_iat, fill_iat. More...
|
| |
| class | UnreachableModuleReport |
| |
| class | WorkingSetScanner |
| | A scanner for detection of code implants in the process workingset. More...
|
| |
| class | WorkingSetScanReport |
| | A report from the working set scan, generated by WorkingSetScanner. More...
|
| |
|
| | version_to_str (version_val) |
| |
| | init () |
| |
| | PESieve_help () |
| |
| t_report | PESieve_scan (t_params params) |
| |
| (t_report, str, int) | PESieve_scan_ex (t_params params, t_report_type rtype, int buf_size) |
| |
| void | params_fields_to_JSON (pesieve::t_params ¶ms, std::stringstream &outs, size_t level) |
| |
| void | params_to_JSON (pesieve::t_params ¶ms, std::stringstream &stream, size_t start_level) |
| |
| std::string | translate_dump_mode (const DWORD dump_mode) |
| |
| std::string | translate_out_filter (const pesieve::t_output_filter o_filter) |
| |
| std::string | translate_data_mode (const pesieve::t_data_scan_mode &mode) |
| |
| std::string | translate_imprec_mode (const pesieve::t_imprec_mode imprec_mode) |
| |
| std::string | translate_dotnet_policy (const pesieve::t_dotnet_policy &mode) |
| |
| std::string | translate_iat_scan_mode (const pesieve::t_iat_scan_mode mode) |
| |
| std::string | translate_json_level (const pesieve::t_json_level &mode) |
| |
| std::string | translate_shellc_mode (const pesieve::t_shellc_mode &mode) |
| |
| std::string | shellc_mode_mode_to_id (const pesieve::t_shellc_mode &mode) |
| |
| std::string | translate_obfusc_mode (const pesieve::t_obfusc_mode &mode) |
| |
| std::string | obfusc_mode_mode_to_id (const pesieve::t_obfusc_mode &mode) |
| |
| std::string | dump_mode_to_id (const DWORD dump_mode) |
| |
| std::string | imprec_mode_to_id (const pesieve::t_imprec_mode imprec_mode) |
| |
| void | check_access_denied (DWORD processID) |
| |
| bool | is_scanner_compatible (IN HANDLE hProcess) |
| |
| HANDLE | open_process (DWORD processID, bool reflection, bool quiet) |
| |
| pesieve::ProcessDumpReport * | make_dump (IN HANDLE hProcess, IN bool isRefl, IN const pesieve::t_params &args, IN ProcessScanReport &process_report) |
| |
| bool | is_by_patterns (const t_shellc_mode &shellc_mode) |
| |
| std::string | info () |
| | The string with the basic information about the scanner.
|
| |
| ReportEx * | scan_and_dump (IN const pesieve::t_params args) |
| | The main action performed by PE-sieve: scanning the process and dumping the detected material.
|
| |
| size_t | get_longest_func_name (std::map< ULONGLONG, std::set< peconv::ExportedFunc > > &addrToFunc) |
| |
| template<typename FIELD_T > |
| size_t | fill_iat (BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback) |
| |
| template<typename FIELD_T > |
| IATBlock * | find_iat (BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN size_t search_offset, IN ThunkFoundCallback *callback) |
| |
| BYTE * | get_buffer_space_at (IN BYTE *buffer, IN const size_t buffer_size, IN const DWORD buffer_rva, IN const DWORD required_rva, IN const size_t required_size) |
| |
| template<typename FIELD_T > |
| bool | is_valid_import_descriptor (BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IMAGE_IMPORT_DESCRIPTOR *desc) |
| |
| template<typename FIELD_T > |
| size_t | calc_import_table_size (BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IMAGE_IMPORT_DESCRIPTOR *first_desc) |
| |
| template<typename FIELD_T > |
| IMAGE_IMPORT_DESCRIPTOR * | find_first_import_descriptor (BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IMAGE_IMPORT_DESCRIPTOR *found_desc) |
| |
| template<typename FIELD_T > |
| IMAGE_IMPORT_DESCRIPTOR * | find_import_table_tpl (IN BYTE *vBuf, IN size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN DWORD iat_offset, OUT size_t &table_size, IN OPTIONAL size_t search_offset) |
| |
| IMAGE_IMPORT_DESCRIPTOR * | find_import_table (IN bool is64bit, IN BYTE *vBuf, IN size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN DWORD iat_offset, OUT size_t &table_size, IN OPTIONAL size_t search_offset) |
| |
| bool | shift_artefacts (PeArtefacts &artefacts, size_t shift_size) |
| |
| template<typename IMAGE_OPTIONAL_HEADER_T > |
| bool | overwrite_opt_hdr (BYTE *vBuf, size_t vBufSize, IMAGE_OPTIONAL_HEADER_T *opt_hdr_ptr, PeArtefacts &artefacts) |
| |
| std::string | scan_report_to_string (const ProcessScanReport &report) |
| |
| std::string | scan_report_to_json (const ProcessScanReport &process_report, ProcessScanReport::t_report_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0) |
| |
| std::string | dump_report_to_json (const ProcessDumpReport &process_report, const pesieve::t_json_level &jdetails, size_t start_level=0) |
| |
| std::string | report_to_json (const pesieve::ReportEx &report, const t_report_type rtype, ProcessScanReport::t_report_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0) |
| |
| std::string | get_payload_ext (const ArtefactScanReport &artefactRepot) |
| |
| std::string | get_dump_mode_name (peconv::t_pe_dump_mode dump_mode) |
| |
| std::string | get_imprec_res_name (const ImpReconstructor::t_imprec_res &res) |
| |
| peconv::t_pe_dump_mode | convert_to_peconv_dump_mode (const pesieve::t_dump_mode dump_mode) |
| |
| bool | make_dump_dir (const std::string &directory) |
| |
| std::string | get_module_file_name (HANDLE processHandle, const ModuleScanReport &mod) |
| |
| bool | is_valid_file_hdr (BYTE *loadedData, size_t loadedSize, BYTE *hdr_ptr, DWORD charact) |
| |
| bool | is_valid_section (BYTE *loadedData, size_t loadedSize, BYTE *hdr_ptr, DWORD charact) |
| |
| BYTE * | first_different (const BYTE *buf_ptr, size_t bif_size, const BYTE padding) |
| |
| bool | is_shown_type (t_scan_status status, ProcessScanReport::t_report_filter filter) |
| |
| bool | validate_param_str (PARAM_STRING &strparam) |
| |
| void | print_scan_time (const char *scanned_element, size_t total_time) |
| |
| bool | is_by_stats (const t_shellc_mode &shellc_mode) |
| |
| bool | match_to_tag (std::ofstream &patch_report, const char delimiter, size_t start_offset, const sig_finder::Match &match) |
| |
| double | getValRatio (IN const AreaMultiStats &stats, BYTE val) |
| |
| size_t | checkRatios (IN const AreaMultiStats &stats, IN std::map< BYTE, double > &ratios) |
| |
| size_t | countFoundStrings (IN const AreaMultiStats &stats, IN std::set< std::string > neededStrings, IN size_t minOccurrence) |
| |
| size_t | init_32_patterns (Node *rootN) |
| |
| size_t | init_64_patterns (Node *rootN) |
| |
| size_t | search_till_pattern (sig_finder::Node &rootN, const BYTE *loadedData, size_t loadedSize) |
| |
1.10.0
