PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::util Namespace Reference

Classes

struct  _mem_region_info
 
struct  _thread_info
 
struct  _thread_info_ext
 
struct  _THREAD_LAST_SYSCALL_INFORMATION
 
struct  AutoBuffer
 
struct  BasicBuffer
 
struct  ByteBuffer
 
struct  Mutex
 
struct  MutexLocker
 
struct  PSS_VA_CLONE_INFORMATION
 
struct  T_CLIENT_ID
 
struct  t_refl_args
 
struct  T_RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION
 

Typedefs

typedef struct pesieve::util::_THREAD_LAST_SYSCALL_INFORMATION THREAD_LAST_SYSCALL_INFORMATION
 
typedef struct pesieve::util::_THREAD_LAST_SYSCALL_INFORMATION * PTHREAD_LAST_SYSCALL_INFORMATION
 
typedef struct pesieve::util::_thread_info_ext thread_info_ext
 
typedef struct pesieve::util::_thread_info thread_info
 
typedef struct pesieve::util::_mem_region_info mem_region_info
 

Enumerations

enum  process_integrity_t {
  INTEGRITY_UNKNOWN = -1 , INTEGRITY_LOW = 0 , INTEGRITY_MEDIUM , INTEGRITY_HIGH ,
  INTEGRITY_SYSTEM
}
 
enum  PSS_CAPTURE_FLAGS {
  PSS_CAPTURE_NONE = 0x00000000 , PSS_CAPTURE_VA_CLONE = 0x00000001 , PSS_CAPTURE_RESERVED_00000002 = 0x00000002 , PSS_CAPTURE_HANDLES = 0x00000004 ,
  PSS_CAPTURE_HANDLE_NAME_INFORMATION = 0x00000008 , PSS_CAPTURE_HANDLE_BASIC_INFORMATION = 0x00000010 , PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION = 0x00000020 , PSS_CAPTURE_HANDLE_TRACE = 0x00000040 ,
  PSS_CAPTURE_THREADS = 0x00000080 , PSS_CAPTURE_THREAD_CONTEXT = 0x00000100 , PSS_CAPTURE_THREAD_CONTEXT_EXTENDED = 0x00000200 , PSS_CAPTURE_RESERVED_00000400 = 0x00000400 ,
  PSS_CAPTURE_VA_SPACE = 0x00000800 , PSS_CAPTURE_VA_SPACE_SECTION_INFORMATION = 0x00001000 , PSS_CAPTURE_IPT_TRACE = 0x00002000 , PSS_CREATE_BREAKAWAY_OPTIONAL = 0x04000000 ,
  PSS_CREATE_BREAKAWAY = 0x08000000 , PSS_CREATE_FORCE_BREAKAWAY = 0x10000000 , PSS_CREATE_USE_VM_ALLOCATIONS = 0x20000000 , PSS_CREATE_MEASURE_PERFORMANCE = 0x40000000 ,
  PSS_CREATE_RELEASE_SECTION = 0x80000000
}
 
enum  PSS_QUERY_INFORMATION_CLASS {
  PSS_QUERY_PROCESS_INFORMATION = 0 , PSS_QUERY_VA_CLONE_INFORMATION = 1 , PSS_QUERY_AUXILIARY_PAGES_INFORMATION = 2 , PSS_QUERY_VA_SPACE_INFORMATION = 3 ,
  PSS_QUERY_HANDLE_INFORMATION = 4 , PSS_QUERY_THREAD_INFORMATION = 5 , PSS_QUERY_HANDLE_TRACE_INFORMATION = 6 , PSS_QUERY_PERFORMANCE_COUNTERS = 7
}
 

Functions

size_t calc_offset (MemPageData &memPage, LPVOID field)
 
size_t calc_sec_hdrs_offset (MemPageData &memPage, IMAGE_FILE_HEADER *nt_file_hdr)
 
size_t calc_nt_hdr_offset (MemPageData &memPage, IMAGE_SECTION_HEADER *first_sec, bool is64bit=true)
 
bool validate_hdrs_alignment (MemPageData &memPage, IMAGE_FILE_HEADER *nt_file_hdr, IMAGE_SECTION_HEADER *_sec_hdr)
 
size_t count_section_hdrs (BYTE *loadedData, size_t loadedSize, IMAGE_SECTION_HEADER *hdr_ptr)
 
IMAGE_SECTION_HEADER * get_first_section (BYTE *loadedData, size_t loadedSize, IMAGE_SECTION_HEADER *hdr_ptr)
 
void print_scantime (std::stringstream &stream, size_t timeInMs)
 
BYTE * find_pattern (BYTE *buffer, size_t buf_size, BYTE *pattern_buf, size_t pattern_size, size_t max_iter=0)
 
size_t is_32bit_code (BYTE *loadedData, size_t loadedSize)
 
size_t is_64bit_code (BYTE *loadedData, size_t loadedSize)
 
bool is_code (BYTE *loadedData, size_t loadedSize)
 
bool is_executable (DWORD mapping_type, DWORD protection)
 
bool is_readable (DWORD mapping_type, DWORD protection)
 
bool is_normal_inaccessible (DWORD state, DWORD mapping_type, DWORD protection)
 
bool get_current_color (int descriptor, WORD &color)
 
void print_in_color (int color, const std::string &text, bool is_error=false)
 
bool is_hex (const char *buf, size_t len)
 
bool is_dec (const char *buf, size_t len)
 
std::string & ltrim (std::string &str, const std::string &chars="\t\n\v\f\r ")
 
std::string & rtrim (std::string &str, const std::string &chars="\t\n\v\f\r ")
 
std::string & trim (std::string &str, const std::string &chars="\t\n\v\f\r ")
 
long get_number (const char *buf)
 
bool is_number (const char *buf)
 
bool is_in_list (std::string searched_string, std::set< std::string > &string_list, bool to_lower=true)
 
size_t string_to_list (IN::std::string s, IN char _delim, OUT std::set< std::string > &elements_list, bool to_lower=true)
 
size_t enum_modules (IN HANDLE hProcess, IN OUT HMODULE hMods[], IN const DWORD hModsMax, IN DWORD filters)
 
void init_syspaths ()
 
HANDLE nt_create_file (PCWSTR filePath)
 
std::string nt_retrieve_file_path (HANDLE hFile)
 
bool is_relative (const char *path, size_t path_len)
 
bool is_disk_relative (const char *path, size_t path_len)
 
std::string remap_to_drive_letter (const std::string &full_path)
 
std::string relative_to_absolute_path (std::string path)
 
std::string replace_char (std::string &str, char ch1, char ch2)
 
bool convert_to_wow64_path (char *szModName)
 
std::string convert_to_win32_path (const std::string &path)
 
std::string device_path_to_win32_path (const std::string &full_path)
 
std::string expand_path (const std::string &path)
 
char * get_subpath_ptr (char *modulePath, char *searchedPath)
 
std::string escape_path_separators (std::string path)
 
std::string get_system_drive ()
 
bool dir_exists (const char *path)
 
bool create_dir_recursively (const std::string &path)
 
std::string strip_prefix (std::string path, std::string prefix)
 
 BOOL (CALLBACK *_MiniDumpWriteDump)(HANDLE hProcess
 
bool load_MiniDumpWriteDump ()
 
bool make_minidump (DWORD pid, const std::string &out_file)
 
HMODULE get_or_load_module (const char *name)
 
BOOL set_privilege (HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege)
 
BOOL _get_process_DEP_policy (HANDLE processHandle, DWORD &flags, BOOL &is_permanent)
 
DEP_SYSTEM_POLICY_TYPE _get_system_DEP_policy ()
 
bool set_debug_privilege ()
 
process_integrity_t get_integrity_level (HANDLE hProcess)
 
bool is_DEP_enabled (HANDLE hProcess)
 
 NTSTATUS (NTAPI *_RtlCreateProcessReflection)(HANDLE ProcessHandle
 
 DWORD (__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
 
bool load_PssCaptureFreeSnapshot ()
 
bool load_RtlCreateProcessReflection ()
 
DWORD WINAPI refl_creator (LPVOID lpParam)
 
HANDLE make_process_reflection1 (HANDLE orig_hndl)
 
HPSS make_process_snapshot (HANDLE orig_hndl)
 
bool release_process_snapshot (HANDLE procHndl, HPSS snapshot)
 
HANDLE make_process_reflection2 (HPSS snapshot)
 
bool can_make_process_reflection ()
 
HANDLE make_process_reflection (HANDLE orig_hndl)
 
bool release_process_reflection (HANDLE *reflection_hndl)
 
 BOOL (WINAPI *g_IsWow64Process)(IN HANDLE = nullptr
 
HMODULE get_kernel32_hndl ()
 
BOOL is_process_wow64 (IN HANDLE processHandle, OUT BOOL *isProcWow64)
 
bool is_process_64bit (IN HANDLE process)
 
bool is_current_wow64 ()
 
BOOL wow64_disable_fs_redirection (OUT PVOID *OldValue)
 
BOOL wow64_revert_fs_redirection (IN PVOID OldValue)
 
BOOL wow64_get_thread_context (IN HANDLE hThread, IN OUT PWOW64_CONTEXT lpContext)
 
std::string to_lowercase (std::string)
 
bool is_cstr_equal (char const *a, char const *b, const size_t max_len)
 
bool isSyscallFunc (const std::string &funcName)
 
size_t extract_syscalls (BYTE *pe_buf, size_t pe_size, std::map< DWORD, std::string > &syscallToName, size_t startID=0)
 
size_t extract_from_dll (IN const std::string &path, size_t startSyscallID, OUT std::map< DWORD, std::string > &syscallToName)
 
size_t extract_syscall_table (OUT std::map< DWORD, std::string > &syscallToName)
 
bool query_thread_details (IN DWORD tid, OUT pesieve::util::thread_info &info)
 
bool query_threads_details (IN OUT std::map< DWORD, thread_info > &threads_info)
 
bool fetch_threads_info (IN DWORD pid, OUT std::map< DWORD, thread_info > &threads_info)
 
bool fetch_threads_by_snapshot (IN DWORD pid, OUT std::map< DWORD, thread_info > &threads_info)
 
bool get_next_commited_region (HANDLE processHandle, ULONGLONG start_va, MEMORY_BASIC_INFORMATION &page_info)
 
size_t enum_workingset (HANDLE processHandle, std::set< mem_region_info > &regions)
 
DWORD count_workingset_entries (HANDLE processHandle)
 

Variables

DWORD ProcessId
 
DWORD HANDLE hFile
 
DWORD HANDLE MINIDUMP_TYPE DumpType
 
DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam
 
DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam
 
DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION PMINIDUMP_USER_STREAM_INFORMATION PMINIDUMP_CALLBACK_INFORMATION CallbackParam = NULL
 
ULONG Flags
 
ULONG PVOID StartRoutine
 
ULONG PVOID PVOID StartContext
 
ULONG PVOID PVOID HANDLE EventHandle
 
ULONG PVOID PVOID HANDLE T_RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION * ReflectionInformation = NULL
 
PSS_CAPTURE_FLAGS CaptureFlags
 
PSS_CAPTURE_FLAGS DWORD ThreadContextFlags
 
PSS_CAPTURE_FLAGS DWORD HPSS SnapshotHandle = NULL
 
PSS_QUERY_INFORMATION_CLASS InformationClass
 
PSS_QUERY_INFORMATION_CLASS void * Buffer
 
PSS_QUERY_INFORMATION_CLASS void DWORD BufferLength = NULL
 
const DWORD reflection_access1 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE
 
const DWORD reflection_access2 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS
 
const DWORD reflection_access = reflection_access2
 
HMODULE g_kernel32Hndl = nullptr
 
OUT PBOOL = nullptr
 
IN OUT PWOW64_CONTEXT lpContext = nullptr
 

Typedef Documentation

◆ mem_region_info

◆ PTHREAD_LAST_SYSCALL_INFORMATION

◆ thread_info

◆ thread_info_ext

◆ THREAD_LAST_SYSCALL_INFORMATION

Enumeration Type Documentation

◆ process_integrity_t

Enumerator
INTEGRITY_UNKNOWN 
INTEGRITY_LOW 
INTEGRITY_MEDIUM 
INTEGRITY_HIGH 
INTEGRITY_SYSTEM 

Definition at line 8 of file process_privilege.h.

◆ PSS_CAPTURE_FLAGS

Enumerator
PSS_CAPTURE_NONE 
PSS_CAPTURE_VA_CLONE 
PSS_CAPTURE_RESERVED_00000002 
PSS_CAPTURE_HANDLES 
PSS_CAPTURE_HANDLE_NAME_INFORMATION 
PSS_CAPTURE_HANDLE_BASIC_INFORMATION 
PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION 
PSS_CAPTURE_HANDLE_TRACE 
PSS_CAPTURE_THREADS 
PSS_CAPTURE_THREAD_CONTEXT 
PSS_CAPTURE_THREAD_CONTEXT_EXTENDED 
PSS_CAPTURE_RESERVED_00000400 
PSS_CAPTURE_VA_SPACE 
PSS_CAPTURE_VA_SPACE_SECTION_INFORMATION 
PSS_CAPTURE_IPT_TRACE 
PSS_CREATE_BREAKAWAY_OPTIONAL 
PSS_CREATE_BREAKAWAY 
PSS_CREATE_FORCE_BREAKAWAY 
PSS_CREATE_USE_VM_ALLOCATIONS 
PSS_CREATE_MEASURE_PERFORMANCE 
PSS_CREATE_RELEASE_SECTION 

Definition at line 51 of file process_reflection.cpp.

◆ PSS_QUERY_INFORMATION_CLASS

Enumerator
PSS_QUERY_PROCESS_INFORMATION 
PSS_QUERY_VA_CLONE_INFORMATION 
PSS_QUERY_AUXILIARY_PAGES_INFORMATION 
PSS_QUERY_VA_SPACE_INFORMATION 
PSS_QUERY_HANDLE_INFORMATION 
PSS_QUERY_THREAD_INFORMATION 
PSS_QUERY_HANDLE_TRACE_INFORMATION 
PSS_QUERY_PERFORMANCE_COUNTERS 

Definition at line 77 of file process_reflection.cpp.

Function Documentation

◆ _get_process_DEP_policy()

BOOL pesieve::util::_get_process_DEP_policy ( HANDLE processHandle,
DWORD & flags,
BOOL & is_permanent )

Definition at line 78 of file process_privilege.cpp.


◆ _get_system_DEP_policy()

DEP_SYSTEM_POLICY_TYPE pesieve::util::_get_system_DEP_policy ( )

Definition at line 91 of file process_privilege.cpp.


◆ BOOL() [1/2]

pesieve::util::BOOL ( CALLBACK * _MiniDumpWriteDump)

◆ BOOL() [2/2]

pesieve::util::BOOL ( WINAPI * g_IsWow64Process) = nullptr

◆ calc_nt_hdr_offset()

size_t pesieve::util::calc_nt_hdr_offset ( MemPageData & memPage,
IMAGE_SECTION_HEADER * first_sec,
bool is64bit = true )

Definition at line 40 of file artefact_scanner.cpp.


◆ calc_offset()

size_t pesieve::util::calc_offset ( MemPageData & memPage,
LPVOID field )

Definition at line 14 of file artefact_scanner.cpp.


◆ calc_sec_hdrs_offset()

size_t pesieve::util::calc_sec_hdrs_offset ( MemPageData & memPage,
IMAGE_FILE_HEADER * nt_file_hdr )

Definition at line 26 of file artefact_scanner.cpp.


◆ can_make_process_reflection()

bool pesieve::util::can_make_process_reflection ( )

Definition at line 297 of file process_reflection.cpp.


◆ convert_to_win32_path()

std::string pesieve::util::convert_to_win32_path ( const std::string & path)

Definition at line 206 of file path_converter.cpp.


◆ convert_to_wow64_path()

bool pesieve::util::convert_to_wow64_path ( char * szModName)

Definition at line 195 of file path_converter.cpp.


◆ count_section_hdrs()

size_t pesieve::util::count_section_hdrs ( BYTE * loadedData,
size_t loadedSize,
IMAGE_SECTION_HEADER * hdr_ptr )

Definition at line 67 of file artefact_scanner.cpp.


◆ count_workingset_entries()

DWORD pesieve::util::count_workingset_entries ( HANDLE processHandle)

Definition at line 85 of file workingset_enum.cpp.


◆ create_dir_recursively()

bool pesieve::util::create_dir_recursively ( const std::string & path)

Definition at line 73 of file path_util.cpp.


◆ device_path_to_win32_path()

std::string pesieve::util::device_path_to_win32_path ( const std::string & full_path)

Definition at line 228 of file path_converter.cpp.


◆ dir_exists()

bool pesieve::util::dir_exists ( const char * path)

Definition at line 65 of file path_util.cpp.


◆ DWORD()

pesieve::util::DWORD ( __stdcall * _PssCaptureSnapshot)

◆ enum_modules()

size_t pesieve::util::enum_modules ( IN HANDLE hProcess,
IN OUT HMODULE hMods[],
IN const DWORD hModsMax,
IN DWORD filters )

Definition at line 6 of file modules_enum.cpp.


◆ enum_workingset()

size_t pesieve::util::enum_workingset ( HANDLE processHandle,
std::set< mem_region_info > & regions )

Definition at line 64 of file workingset_enum.cpp.


◆ escape_path_separators()

std::string pesieve::util::escape_path_separators ( std::string path)

Definition at line 27 of file path_util.cpp.

◆ expand_path()

std::string pesieve::util::expand_path ( const std::string & path)

Definition at line 252 of file path_converter.cpp.


◆ extract_from_dll()

size_t pesieve::util::extract_from_dll ( IN const std::string & path,
size_t startSyscallID,
OUT std::map< DWORD, std::string > & syscallToName )

Definition at line 55 of file syscall_extractor.cpp.


◆ extract_syscall_table()

size_t pesieve::util::extract_syscall_table ( OUT std::map< DWORD, std::string > & syscallToName)

Definition at line 82 of file syscall_extractor.cpp.


◆ extract_syscalls()

size_t pesieve::util::extract_syscalls ( BYTE * pe_buf,
size_t pe_size,
std::map< DWORD, std::string > & syscallToName,
size_t startID = 0 )

Definition at line 29 of file syscall_extractor.cpp.


◆ fetch_threads_by_snapshot()

bool pesieve::util::fetch_threads_by_snapshot ( IN DWORD pid,
OUT std::map< DWORD, thread_info > & threads_info )

Definition at line 138 of file threads_util.cpp.


◆ fetch_threads_info()

bool pesieve::util::fetch_threads_info ( IN DWORD pid,
OUT std::map< DWORD, thread_info > & threads_info )

Definition at line 71 of file threads_util.cpp.


◆ find_pattern()

BYTE * pesieve::util::find_pattern ( BYTE * buffer,
size_t buf_size,
BYTE * pattern_buf,
size_t pattern_size,
size_t max_iter = 0 )

Definition at line 10 of file artefacts_util.cpp.

◆ get_current_color()

bool pesieve::util::get_current_color ( int descriptor,
WORD & color )

Definition at line 7 of file console_color.cpp.


◆ get_first_section()

IMAGE_SECTION_HEADER * pesieve::util::get_first_section ( BYTE * loadedData,
size_t loadedSize,
IMAGE_SECTION_HEADER * hdr_ptr )

Definition at line 85 of file artefact_scanner.cpp.


◆ get_integrity_level()

pesieve::util::process_integrity_t pesieve::util::get_integrity_level ( HANDLE hProcess)

Definition at line 159 of file process_privilege.cpp.


◆ get_kernel32_hndl()

HMODULE pesieve::util::get_kernel32_hndl ( )

Definition at line 13 of file process_util.cpp.

◆ get_next_commited_region()

bool pesieve::util::get_next_commited_region ( HANDLE processHandle,
ULONGLONG start_va,
MEMORY_BASIC_INFORMATION & page_info )

Definition at line 17 of file workingset_enum.cpp.


◆ get_number()

long pesieve::util::get_number ( const char * buf)

Definition at line 34 of file format_util.cpp.


◆ get_or_load_module()

HMODULE pesieve::util::get_or_load_module ( const char * name)
inline

Definition at line 9 of file process_privilege.cpp.

◆ get_subpath_ptr()

char * pesieve::util::get_subpath_ptr ( char * modulePath,
char * searchedPath )

Definition at line 5 of file path_util.cpp.

◆ get_system_drive()

std::string pesieve::util::get_system_drive ( )

Definition at line 46 of file path_util.cpp.

◆ init_syspaths()

void pesieve::util::init_syspaths ( )

Definition at line 27 of file path_converter.cpp.

◆ is_32bit_code()

size_t pesieve::util::is_32bit_code ( BYTE * loadedData,
size_t loadedSize )

Definition at line 75 of file artefacts_util.cpp.


◆ is_64bit_code()

size_t pesieve::util::is_64bit_code ( BYTE * loadedData,
size_t loadedSize )

Definition at line 84 of file artefacts_util.cpp.


◆ is_code()

bool pesieve::util::is_code ( BYTE * loadedData,
size_t loadedSize )

Definition at line 93 of file artefacts_util.cpp.


◆ is_cstr_equal()

bool pesieve::util::is_cstr_equal ( char const * a,
char const * b,
const size_t max_len )

Definition at line 12 of file strings_util.cpp.

◆ is_current_wow64()

bool pesieve::util::is_current_wow64 ( )

Definition at line 73 of file process_util.cpp.


◆ is_dec()

bool pesieve::util::is_dec ( const char * buf,
size_t len )

Definition at line 22 of file format_util.cpp.

◆ is_DEP_enabled()

bool pesieve::util::is_DEP_enabled ( HANDLE hProcess)

Definition at line 210 of file process_privilege.cpp.


◆ is_disk_relative()

bool pesieve::util::is_disk_relative ( const char * path,
size_t path_len )

Definition at line 111 of file path_converter.cpp.

◆ is_executable()

bool pesieve::util::is_executable ( DWORD mapping_type,
DWORD protection )

Definition at line 109 of file artefacts_util.cpp.

◆ is_hex()

bool pesieve::util::is_hex ( const char * buf,
size_t len )

Definition at line 11 of file format_util.cpp.

◆ is_in_list()

bool pesieve::util::is_in_list ( std::string searched_string,
std::set< std::string > & string_list,
bool to_lower = true )

Definition at line 81 of file format_util.cpp.

◆ is_normal_inaccessible()

bool pesieve::util::is_normal_inaccessible ( DWORD state,
DWORD mapping_type,
DWORD protection )

Definition at line 125 of file artefacts_util.cpp.

◆ is_number()

bool pesieve::util::is_number ( const char * buf)

Definition at line 62 of file format_util.cpp.


◆ is_process_64bit()

bool pesieve::util::is_process_64bit ( IN HANDLE process)

Definition at line 47 of file process_util.cpp.


◆ is_process_wow64()

BOOL pesieve::util::is_process_wow64 ( IN HANDLE processHandle,
OUT BOOL * isProcWow64 )

Definition at line 27 of file process_util.cpp.


◆ is_readable()

bool pesieve::util::is_readable ( DWORD mapping_type,
DWORD protection )

Definition at line 118 of file artefacts_util.cpp.

◆ is_relative()

bool pesieve::util::is_relative ( const char * path,
size_t path_len )

Definition at line 95 of file path_converter.cpp.

◆ isSyscallFunc()

bool pesieve::util::isSyscallFunc ( const std::string & funcName)

Definition at line 11 of file syscall_extractor.cpp.

◆ load_MiniDumpWriteDump()

bool pesieve::util::load_MiniDumpWriteDump ( )

Definition at line 18 of file process_minidump.cpp.


◆ load_PssCaptureFreeSnapshot()

bool pesieve::util::load_PssCaptureFreeSnapshot ( )

Definition at line 108 of file process_reflection.cpp.


◆ load_RtlCreateProcessReflection()

bool pesieve::util::load_RtlCreateProcessReflection ( )

Definition at line 148 of file process_reflection.cpp.


◆ ltrim()

std::string & pesieve::util::ltrim ( std::string & str,
const std::string & chars = "\t\n\v\f\r " )

Definition at line 97 of file format_util.cpp.

◆ make_minidump()

bool pesieve::util::make_minidump ( DWORD pid,
const std::string & out_file )

Definition at line 51 of file process_minidump.cpp.


◆ make_process_reflection()

HANDLE pesieve::util::make_process_reflection ( HANDLE orig_hndl)

Definition at line 312 of file process_reflection.cpp.


◆ make_process_reflection1()

HANDLE pesieve::util::make_process_reflection1 ( HANDLE orig_hndl)

Definition at line 196 of file process_reflection.cpp.


◆ make_process_reflection2()

HANDLE pesieve::util::make_process_reflection2 ( HPSS snapshot)

Definition at line 279 of file process_reflection.cpp.


◆ make_process_snapshot()

HPSS pesieve::util::make_process_snapshot ( HANDLE orig_hndl)

Definition at line 234 of file process_reflection.cpp.


◆ nt_create_file()

HANDLE pesieve::util::nt_create_file ( PCWSTR filePath)

Definition at line 39 of file path_converter.cpp.


◆ nt_retrieve_file_path()

std::string pesieve::util::nt_retrieve_file_path ( HANDLE hFile)

Definition at line 73 of file path_converter.cpp.


◆ NTSTATUS()

pesieve::util::NTSTATUS ( NTAPI * _RtlCreateProcessReflection)

◆ print_in_color()

void pesieve::util::print_in_color ( int color,
const std::string & text,
bool is_error = false )

Definition at line 18 of file console_color.cpp.


◆ print_scantime()

void pesieve::util::print_scantime ( std::stringstream & stream,
size_t timeInMs )

Definition at line 44 of file scanner.cpp.

◆ query_thread_details()

bool pesieve::util::query_thread_details ( IN DWORD tid,
OUT pesieve::util::thread_info & info )

Definition at line 24 of file threads_util.cpp.


◆ query_threads_details()

bool pesieve::util::query_threads_details ( IN OUT std::map< DWORD, thread_info > & threads_info)

◆ refl_creator()

DWORD WINAPI pesieve::util::refl_creator ( LPVOID lpParam)

Definition at line 178 of file process_reflection.cpp.


◆ relative_to_absolute_path()

std::string pesieve::util::relative_to_absolute_path ( std::string path)

Definition at line 173 of file path_converter.cpp.


◆ release_process_reflection()

bool pesieve::util::release_process_reflection ( HANDLE * reflection_hndl)

Definition at line 336 of file process_reflection.cpp.


◆ release_process_snapshot()

bool pesieve::util::release_process_snapshot ( HANDLE procHndl,
HPSS snapshot )

Definition at line 267 of file process_reflection.cpp.


◆ remap_to_drive_letter()

std::string pesieve::util::remap_to_drive_letter ( const std::string & full_path)

Definition at line 128 of file path_converter.cpp.


◆ replace_char()

std::string pesieve::util::replace_char ( std::string & str,
char ch1,
char ch2 )

Definition at line 185 of file path_converter.cpp.

◆ rtrim()

std::string & pesieve::util::rtrim ( std::string & str,
const std::string & chars = "\t\n\v\f\r " )

Definition at line 103 of file format_util.cpp.

◆ set_debug_privilege()

bool pesieve::util::set_debug_privilege ( )

Definition at line 107 of file process_privilege.cpp.


◆ set_privilege()

BOOL pesieve::util::set_privilege ( HANDLE hToken,
LPCTSTR Privilege,
BOOL bEnablePrivilege )

Definition at line 21 of file process_privilege.cpp.


◆ string_to_list()

size_t pesieve::util::string_to_list ( IN::std::string s,
IN char _delim,
OUT std::set< std::string > & elements_list,
bool to_lower = true )

◆ strip_prefix()

std::string pesieve::util::strip_prefix ( std::string path,
std::string prefix )

Definition at line 94 of file path_util.cpp.


◆ to_lowercase()

std::string pesieve::util::to_lowercase ( std::string str)

Definition at line 6 of file strings_util.cpp.

◆ trim()

std::string & pesieve::util::trim ( std::string & str,
const std::string & chars = "\t\n\v\f\r " )

Definition at line 109 of file format_util.cpp.


◆ validate_hdrs_alignment()

bool pesieve::util::validate_hdrs_alignment ( MemPageData & memPage,
IMAGE_FILE_HEADER * nt_file_hdr,
IMAGE_SECTION_HEADER * _sec_hdr )

Definition at line 52 of file artefact_scanner.cpp.


◆ wow64_disable_fs_redirection()

BOOL pesieve::util::wow64_disable_fs_redirection ( OUT PVOID * OldValue)

Definition at line 104 of file process_util.cpp.


◆ wow64_get_thread_context()

BOOL pesieve::util::wow64_get_thread_context ( IN HANDLE hThread,
IN OUT PWOW64_CONTEXT lpContext )

Definition at line 86 of file process_util.cpp.


◆ wow64_revert_fs_redirection()

BOOL pesieve::util::wow64_revert_fs_redirection ( IN PVOID OldValue)

Definition at line 121 of file process_util.cpp.


Variable Documentation

◆ Buffer

PSS_QUERY_INFORMATION_CLASS void* pesieve::util::Buffer

Definition at line 104 of file process_reflection.cpp.

◆ BufferLength

PSS_QUERY_INFORMATION_CLASS void DWORD pesieve::util::BufferLength = NULL

Definition at line 105 of file process_reflection.cpp.

◆ CallbackParam

DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION PMINIDUMP_USER_STREAM_INFORMATION PMINIDUMP_CALLBACK_INFORMATION pesieve::util::CallbackParam = NULL

Definition at line 15 of file process_minidump.cpp.

◆ CaptureFlags

PSS_CAPTURE_FLAGS pesieve::util::CaptureFlags

Definition at line 91 of file process_reflection.cpp.

◆ DumpType

DWORD HANDLE MINIDUMP_TYPE pesieve::util::DumpType

Definition at line 12 of file process_minidump.cpp.

◆ EventHandle

ULONG PVOID PVOID HANDLE pesieve::util::EventHandle

Definition at line 45 of file process_reflection.cpp.

◆ ExceptionParam

DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION pesieve::util::ExceptionParam

Definition at line 13 of file process_minidump.cpp.

◆ Flags

ULONG pesieve::util::Flags

Definition at line 42 of file process_reflection.cpp.

◆ g_kernel32Hndl

HMODULE pesieve::util::g_kernel32Hndl = nullptr

Definition at line 6 of file process_util.cpp.

◆ hFile

DWORD HANDLE pesieve::util::hFile

Definition at line 11 of file process_minidump.cpp.

◆ InformationClass

PSS_QUERY_INFORMATION_CLASS pesieve::util::InformationClass

Definition at line 103 of file process_reflection.cpp.

◆ lpContext

IN OUT PWOW64_CONTEXT pesieve::util::lpContext = nullptr

Definition at line 11 of file process_util.cpp.

◆ PBOOL

OUT pesieve::util::PBOOL = nullptr

Definition at line 8 of file process_util.cpp.

◆ ProcessId

DWORD pesieve::util::ProcessId

Definition at line 10 of file process_minidump.cpp.

◆ reflection_access

const DWORD pesieve::util::reflection_access = reflection_access2

Definition at line 18 of file process_reflection.h.

◆ reflection_access1

const DWORD pesieve::util::reflection_access1 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE

Definition at line 12 of file process_reflection.h.

◆ reflection_access2

const DWORD pesieve::util::reflection_access2 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS

Definition at line 15 of file process_reflection.h.

◆ ReflectionInformation

ULONG PVOID PVOID HANDLE T_RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION* pesieve::util::ReflectionInformation = NULL

Definition at line 46 of file process_reflection.cpp.

◆ SnapshotHandle

HPSS pesieve::util::SnapshotHandle = NULL

Definition at line 93 of file process_reflection.cpp.

◆ StartContext

ULONG PVOID PVOID pesieve::util::StartContext

Definition at line 44 of file process_reflection.cpp.

◆ StartRoutine

ULONG PVOID pesieve::util::StartRoutine

Definition at line 43 of file process_reflection.cpp.

◆ ThreadContextFlags

PSS_CAPTURE_FLAGS DWORD pesieve::util::ThreadContextFlags

Definition at line 92 of file process_reflection.cpp.

◆ UserStreamParam

DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION PMINIDUMP_USER_STREAM_INFORMATION pesieve::util::UserStreamParam

Definition at line 14 of file process_minidump.cpp.