PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
patch_analyzer.h
Go to the documentation of this file.
1#pragma once
2
3#include "module_data.h"
4#include "patch_list.h"
5
6namespace pesieve {
7
55
56}; //namespace pesieve
57
pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15
pesieve::ModuleData::loadRelocatedFields
bool loadRelocatedFields(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:73
pesieve::PatchAnalyzer
A postprocessor of the detected code patches. Detects if the patch is a hook, and if so,...
Definition patch_analyzer.h:10
pesieve::PatchAnalyzer::_analyze
size_t _analyze(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:150
pesieve::PatchAnalyzer::parseShortJmp
size_t parseShortJmp(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:13
pesieve::PatchAnalyzer::_analyzeRelocated
size_t _analyzeRelocated(PatchList::Patch &patch, BYTE *patch_ptr)
Definition patch_analyzer.cpp:180
pesieve::PatchAnalyzer::PatchAnalyzer
PatchAnalyzer(ModuleData &_moduleData, DWORD _sectionRVA, PBYTE patched_code, size_t code_size)
Definition patch_analyzer.h:21
pesieve::PatchAnalyzer::relocs
std::set< DWORD > relocs
Definition patch_analyzer.h:53
pesieve::PatchAnalyzer::parseJmpViaAddr
size_t parseJmpViaAddr(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:39
pesieve::PatchAnalyzer::parseJmp
size_t parseJmp(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:26
pesieve::PatchAnalyzer::getJmpDestAddr
ULONGLONG getJmpDestAddr(ULONGLONG currVA, int instrLen, DELTA_T lVal)
Definition patch_analyzer.cpp:6
pesieve::PatchAnalyzer::parseMovJmp
size_t parseMovJmp(PatchList::Patch &patch, PBYTE patch_ptr, bool is_long)
Definition patch_analyzer.cpp:55
pesieve::PatchAnalyzer::parsePushRet
size_t parsePushRet(PatchList::Patch &patch, PBYTE patch_ptr)
Definition patch_analyzer.cpp:116
pesieve::PatchAnalyzer::analyze
size_t analyze(PatchList::Patch &patch)
Definition patch_analyzer.cpp:195
module_data.h
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
patch_list.h
Generated by doxygen 1.10.0