The types used by PE-sieve API.
#include <windows.h>
| Enumerations | |
|---|---|
| enum | t_output_filter { OUT_FULL = 0, OUT_NO_DUMPS, OUT_NO_DIR, OUT_FILTERS_COUNT } |
| enum | t_results_filter { SHOW_NONE = 0, SHOW_ERRORS = 1, SHOW_NOT_SUSPICIOUS = 2, SHOW_SUSPICIOUS = 4, SHOW_SUSPICIOUS_AND_ERRORS = SHOW_ERRORS \| SHOW_SUSPICIOUS, SHOW_SUCCESSFUL_ONLY = SHOW_NOT_SUSPICIOUS \| SHOW_SUSPICIOUS, SHOW_ALL = SHOW_ERRORS \| SHOW_NOT_SUSPICIOUS \| SHOW_SUSPICIOUS } |
| | the flags defining what will be reported |
| enum | t_shellc_mode { SHELLC_NONE = 0, SHELLC_PATTERNS, SHELLC_STATS, SHELLC_PATTERNS_OR_STATS, SHELLC_PATTERNS_AND_STATS, SHELLC_COUNT } |
| enum | t_obfusc_mode { OBFUSC_NONE = 0, OBFUSC_STRONG_ENC, OBFUSC_WEAK_ENC, OBFUSC_ANY, OBFUSC_COUNT } |
| enum | t_imprec_mode { PE_IMPREC_NONE = 0, PE_IMPREC_AUTO, PE_IMPREC_UNERASE, PE_IMPREC_REBUILD0, PE_IMPREC_REBUILD1, PE_IMPREC_REBUILD2, PE_IMPREC_MODES_COUNT } |
| enum | t_dump_mode { PE_DUMP_AUTO = 0, PE_DUMP_VIRTUAL, PE_DUMP_UNMAP, PE_DUMP_REALIGN, PE_DUMP_MODES_COUNT } |
| enum | t_iat_scan_mode { PE_IATS_NONE = 0, PE_IATS_CLEAN_SYS_FILTERED, PE_IATS_ALL_SYS_FILTERED, PE_IATS_UNFILTERED, PE_IATS_MODES_COUNT } |
| enum | t_dotnet_policy { PE_DNET_NONE = 0, PE_DNET_SKIP_MAPPING = 1, PE_DNET_SKIP_SHC, PE_DNET_SKIP_HOOKS, PE_DNET_SKIP_ALL, PE_DNET_COUNT } |
| enum | t_data_scan_mode { PE_DATA_NO_SCAN = 0, PE_DATA_SCAN_DOTNET, PE_DATA_SCAN_NO_DEP, PE_DATA_SCAN_ALWAYS, PE_DATA_SCAN_INACCESSIBLE, PE_DATA_SCAN_INACCESSIBLE_ONLY, PE_DATA_COUNT } |
| enum | t_json_level { JSON_BASIC = 0, JSON_DETAILS = 1, JSON_DETAILS2, JSON_LVL_COUNT } |
| enum | t_report_type { REPORT_NONE = 0, REPORT_SCANNED, REPORT_DUMPED, REPORT_ALL } |
Definition in file pe_sieve_types.h.
◆ PARAM_LIST_SEPARATOR
| #define PARAM_LIST_SEPARATOR ';' |
◆ bool
◆ PARAM_STRING
A wrapper for a dynamically allocated string.
◆ t_params
Input parameters for PE-sieve, defining the configuration.
◆ t_report
Final summary about the scanned process.
◆ t_data_scan_mode
| Enumerator | Description |
|---|---|
| PE_DATA_NO_SCAN | do not scan non-executable pages |
| PE_DATA_SCAN_DOTNET | scan data in .NET applications |
| PE_DATA_SCAN_NO_DEP | scan data if no DEP or in .NET applications |
| PE_DATA_SCAN_ALWAYS | scan data unconditionally |
| PE_DATA_SCAN_INACCESSIBLE | scan data unconditionally, and inaccessible pages (if running in reflection mode) |
| PE_DATA_SCAN_INACCESSIBLE_ONLY | scan inaccessible pages (if running in reflection mode) |
| PE_DATA_COUNT | |
Definition at line 93 of file pe_sieve_types.h.
◆ t_dotnet_policy
| Enumerator | Description |
|---|---|
| PE_DNET_NONE | none: treat managed processes the same as native |
| PE_DNET_SKIP_MAPPING | skip mapping mismatch (in .NET modules only) |
| PE_DNET_SKIP_SHC | skip shellcodes (in all modules within the managed process) |
| PE_DNET_SKIP_HOOKS | skip hooked modules (in all modules within the managed process) |
| PE_DNET_SKIP_ALL | skip all the above indicators (mapping, shellcodes, hooks) in modules within the managed process |
| PE_DNET_COUNT | |
Definition at line 84 of file pe_sieve_types.h.
◆ t_dump_mode
| Enumerator | Description |
|---|---|
| PE_DUMP_AUTO | autodetect which dump mode is the most suitable for the given input |
| PE_DUMP_VIRTUAL | dump as it is in the memory (virtual) |
| PE_DUMP_UNMAP | convert to the raw format: using raw sections' headers |
| PE_DUMP_REALIGN | convert to the raw format: by realigning raw sections' headers to be the same as virtual (useful if the PE was unpacked in memory) |
| PE_DUMP_MODES_COUNT | |
Definition at line 68 of file pe_sieve_types.h.
◆ t_iat_scan_mode
| Enumerator | Description |
|---|---|
| PE_IATS_NONE | do not scan IAT |
| PE_IATS_CLEAN_SYS_FILTERED | scan IAT, filter hooks if they lead to an unpatched system module |
| PE_IATS_ALL_SYS_FILTERED | scan IAT, filter hooks if they lead to any system module |
| PE_IATS_UNFILTERED | scan IAT, unfiltered |
| PE_IATS_MODES_COUNT | |
Definition at line 76 of file pe_sieve_types.h.
◆ t_imprec_mode
| Enumerator | Description |
|---|---|
| PE_IMPREC_NONE | do not try to recover imports |
| PE_IMPREC_AUTO | try to autodetect the most suitable mode |
| PE_IMPREC_UNERASE | recover erased parts of the partially damaged import table |
| PE_IMPREC_REBUILD0 | build the import table from scratch, based on the found IAT(s): use only terminated blocks (restrictive mode) |
| PE_IMPREC_REBUILD1 | build the import table from scratch, based on the found IAT(s): use terminated blocks, or blocks with more than 1 thunk |
| PE_IMPREC_REBUILD2 | build the import table from scratch, based on the found IAT(s): use all found blocks (aggressive mode) |
| PE_IMPREC_MODES_COUNT | |
Definition at line 58 of file pe_sieve_types.h.
◆ t_json_level
| Enumerator | Description |
|---|---|
| JSON_BASIC | basic |
| JSON_DETAILS | include the basic list of patches in the main JSON report |
| JSON_DETAILS2 | include the extended list of patches in the main JSON report |
| JSON_LVL_COUNT | |
Definition at line 103 of file pe_sieve_types.h.
◆ t_obfusc_mode
| Enumerator | Description |
|---|---|
| OBFUSC_NONE | do not detect obfuscated contents |
| OBFUSC_STRONG_ENC | detect areas possibly encrypted with strong encryption |
| OBFUSC_WEAK_ENC | detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns) |
| OBFUSC_ANY | detect both: possible strong or weak encryption |
| OBFUSC_COUNT | |
Definition at line 50 of file pe_sieve_types.h.
◆ t_output_filter
| Enumerator | Description |
|---|---|
| OUT_FULL | no filter: dump everything (default) |
| OUT_NO_DUMPS | don't dump the modified PEs, but save the report |
| OUT_NO_DIR | don't dump any files |
| OUT_FILTERS_COUNT | |
Definition at line 23 of file pe_sieve_types.h.
◆ t_report_type
| Enumerator | Description |
|---|---|
| REPORT_NONE | do not output a report |
| REPORT_SCANNED | output the scan report |
| REPORT_DUMPED | output the dumps report |
| REPORT_ALL | output all available reports |
Definition at line 110 of file pe_sieve_types.h.
◆ t_results_filter
the flags defining what will be reported
| Enumerator | Description |
|---|---|
| SHOW_NONE | do not report any module |
| SHOW_ERRORS | report only scan errors |
| SHOW_NOT_SUSPICIOUS | report only not-suspicious modules |
| SHOW_SUSPICIOUS | report only suspicious modules |
| SHOW_SUSPICIOUS_AND_ERRORS | report suspicious modules and scan errors (SHOW_ERRORS \| SHOW_SUSPICIOUS) |
| SHOW_SUCCESSFUL_ONLY | report all successfully scanned modules, suspicious or not, without scan errors (SHOW_NOT_SUSPICIOUS \| SHOW_SUSPICIOUS) |
| SHOW_ALL | report everything: scan errors, not-suspicious and suspicious modules (SHOW_ERRORS \| SHOW_NOT_SUSPICIOUS \| SHOW_SUSPICIOUS) |
Definition at line 31 of file pe_sieve_types.h.
◆ t_shellc_mode
| Enumerator | Description |
|---|---|
| SHELLC_NONE | do not detect shellcode |
| SHELLC_PATTERNS | detect shellcodes by patterns |
| SHELLC_STATS | detect shellcodes by stats |
| SHELLC_PATTERNS_OR_STATS | detect shellcodes by patterns or stats (any match) |
| SHELLC_PATTERNS_AND_STATS | detect shellcodes by patterns and stats (both match) |
| SHELLC_COUNT | |
Definition at line 41 of file pe_sieve_types.h.
◆ ERROR_SCAN_FAILURE
| const DWORD ERROR_SCAN_FAILURE = (-1) |
the status returned if scanning has failed
Definition at line 21 of file pe_sieve_types.h.