PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pe_sieve_types.h File Reference

The types used by the PE-sieve API.

#include <windows.h>


Classes

struct  _PARAM_STRING
 A wrapper for a dynamically allocated string.
 
struct  params
 Input parameters for PE-sieve, defining the configuration.
 
struct  report
 Final summary about the scanned process.
 

Macros

#define PARAM_LIST_SEPARATOR   ';'
 

Typedefs

typedef char bool
 
typedef struct _PARAM_STRING PARAM_STRING
 A wrapper for a dynamically allocated string.
 
typedef struct params t_params
 Input parameters for PE-sieve, defining the configuration.
 
typedef struct report t_report
 Final summary about the scanned process.
 

Enumerations

enum  t_output_filter { OUT_FULL = 0 , OUT_NO_DUMPS , OUT_NO_DIR , OUT_FILTERS_COUNT }
 
enum  t_results_filter {
  SHOW_NONE = 0 , SHOW_ERRORS = 1 , SHOW_NOT_SUSPICIOUS = 2 , SHOW_SUSPICIOUS = 4 ,
  SHOW_SUSPICIOUS_AND_ERRORS = SHOW_ERRORS | SHOW_SUSPICIOUS , SHOW_SUCCESSFUL_ONLY = SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS , SHOW_ALL = SHOW_ERRORS | SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS
}
 the flags defining what will be reported
 
enum  t_shellc_mode {
  SHELLC_NONE = 0 , SHELLC_PATTERNS , SHELLC_STATS , SHELLC_PATTERNS_OR_STATS ,
  SHELLC_PATTERNS_AND_STATS , SHELLC_COUNT
}
 
enum  t_obfusc_mode {
  OBFUSC_NONE = 0 , OBFUSC_STRONG_ENC , OBFUSC_WEAK_ENC , OBFUSC_ANY ,
  OBFUSC_COUNT
}
 
enum  t_imprec_mode {
  PE_IMPREC_NONE = 0 , PE_IMPREC_AUTO , PE_IMPREC_UNERASE , PE_IMPREC_REBUILD0 ,
  PE_IMPREC_REBUILD1 , PE_IMPREC_REBUILD2 , PE_IMPREC_MODES_COUNT
}
 
enum  t_dump_mode {
  PE_DUMP_AUTO = 0 , PE_DUMP_VIRTUAL , PE_DUMP_UNMAP , PE_DUMP_REALIGN ,
  PE_DUMP_MODES_COUNT
}
 
enum  t_iat_scan_mode {
  PE_IATS_NONE = 0 , PE_IATS_CLEAN_SYS_FILTERED , PE_IATS_ALL_SYS_FILTERED , PE_IATS_UNFILTERED ,
  PE_IATS_MODES_COUNT
}
 
enum  t_dotnet_policy {
  PE_DNET_NONE = 0 , PE_DNET_SKIP_MAPPING = 1 , PE_DNET_SKIP_SHC , PE_DNET_SKIP_HOOKS ,
  PE_DNET_SKIP_ALL , PE_DNET_COUNT
}
 
enum  t_data_scan_mode {
  PE_DATA_NO_SCAN = 0 , PE_DATA_SCAN_DOTNET , PE_DATA_SCAN_NO_DEP , PE_DATA_SCAN_ALWAYS ,
  PE_DATA_SCAN_INACCESSIBLE , PE_DATA_SCAN_INACCESSIBLE_ONLY , PE_DATA_COUNT
}
 
enum  t_json_level { JSON_BASIC = 0 , JSON_DETAILS = 1 , JSON_DETAILS2 , JSON_LVL_COUNT }
 
enum  t_report_type { REPORT_NONE = 0 , REPORT_SCANNED , REPORT_DUMPED , REPORT_ALL }
 

Variables

const DWORD ERROR_SCAN_FAILURE = (-1)
 the status returned if scanning has failed
 

Detailed Description

The types used by the PE-sieve API.

Definition in file pe_sieve_types.h.

Macro Definition Documentation

◆ PARAM_LIST_SEPARATOR

#define PARAM_LIST_SEPARATOR   ';'

Definition at line 10 of file pe_sieve_types.h.

Typedef Documentation

◆ bool

typedef char bool

Definition at line 13 of file pe_sieve_types.h.

◆ PARAM_STRING

typedef struct _PARAM_STRING PARAM_STRING

A wrapper for a dynamically allocated string.

◆ t_params

typedef struct params t_params

Input parameters for PE-sieve, defining the configuration.

◆ t_report

typedef struct report t_report

Final summary about the scanned process.

Enumeration Type Documentation

◆ t_data_scan_mode

Enumerator
PE_DATA_NO_SCAN 

do not scan non-executable pages

PE_DATA_SCAN_DOTNET 

scan data in .NET applications

PE_DATA_SCAN_NO_DEP 

scan data if DEP is disabled, or in .NET applications

PE_DATA_SCAN_ALWAYS 

scan data unconditionally

PE_DATA_SCAN_INACCESSIBLE 

scan data unconditionally, and inaccessible pages (if running in reflection mode)

PE_DATA_SCAN_INACCESSIBLE_ONLY 

scan inaccessible pages (if running in reflection mode)

PE_DATA_COUNT 

Definition at line 93 of file pe_sieve_types.h.

◆ t_dotnet_policy

Enumerator
PE_DNET_NONE 

none: treat managed processes same as native

PE_DNET_SKIP_MAPPING 

skip mapping mismatch (in .NET modules only)

PE_DNET_SKIP_SHC 

skip shellcodes (in all modules within the managed process)

PE_DNET_SKIP_HOOKS 

skip hooked modules (in all modules within the managed process)

PE_DNET_SKIP_ALL 

skip all above indicators (mapping, shellcodes, hooks) in modules within the managed process

PE_DNET_COUNT 

Definition at line 84 of file pe_sieve_types.h.

◆ t_dump_mode

Enumerator
PE_DUMP_AUTO 

autodetect which dump mode is the most suitable for the given input

PE_DUMP_VIRTUAL 

dump as it is in the memory (virtual)

PE_DUMP_UNMAP 

convert to the raw format: using raw sections' headers

PE_DUMP_REALIGN 

convert to the raw format: by realigning raw sections' headers to be the same as virtual (useful if the PE was unpacked in memory)

PE_DUMP_MODES_COUNT 

Definition at line 68 of file pe_sieve_types.h.

◆ t_iat_scan_mode

Enumerator
PE_IATS_NONE 

do not scan IAT

PE_IATS_CLEAN_SYS_FILTERED 

scan IAT, filter out hooks that lead to an unpatched system module

PE_IATS_ALL_SYS_FILTERED 

scan IAT, filter out hooks that lead to any system module

PE_IATS_UNFILTERED 

scan IAT, unfiltered

PE_IATS_MODES_COUNT 

Definition at line 76 of file pe_sieve_types.h.

◆ t_imprec_mode

Enumerator
PE_IMPREC_NONE 

do not try to recover imports

PE_IMPREC_AUTO 

try to autodetect the most suitable mode

PE_IMPREC_UNERASE 

recover erased parts of a partially damaged import table

PE_IMPREC_REBUILD0 

build the import table from scratch, based on the found IAT(s): use only terminated blocks (restrictive mode)

PE_IMPREC_REBUILD1 

build the import table from scratch, based on the found IAT(s): use terminated blocks, or blocks with more than 1 thunk

PE_IMPREC_REBUILD2 

build the import table from scratch, based on the found IAT(s): use all found blocks (aggressive mode)

PE_IMPREC_MODES_COUNT 

Definition at line 58 of file pe_sieve_types.h.

◆ t_json_level

Enumerator
JSON_BASIC 

basic

JSON_DETAILS 

include the basic list of patches in the main JSON report

JSON_DETAILS2 

include the extended list of patches in the main JSON report

JSON_LVL_COUNT 

Definition at line 103 of file pe_sieve_types.h.

◆ t_obfusc_mode

Enumerator
OBFUSC_NONE 

do not detect obfuscated contents

OBFUSC_STRONG_ENC 

detect areas possibly encrypted with strong encryption

OBFUSC_WEAK_ENC 

detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)

OBFUSC_ANY 

detect both: possible strong or weak encryption

OBFUSC_COUNT 

Definition at line 50 of file pe_sieve_types.h.

◆ t_output_filter

Enumerator
OUT_FULL 

no filter: dump everything (default)

OUT_NO_DUMPS 

don't dump the modified PEs, but save the report

OUT_NO_DIR 

don't dump any files

OUT_FILTERS_COUNT 

Definition at line 23 of file pe_sieve_types.h.

◆ t_report_type

Enumerator
REPORT_NONE 

do not output a report

REPORT_SCANNED 

output the scan report

REPORT_DUMPED 

output the dumps report

REPORT_ALL 

output all available reports

Definition at line 110 of file pe_sieve_types.h.

◆ t_results_filter

the flags defining what will be reported

Enumerator
SHOW_NONE 

do not report any module

SHOW_ERRORS 

report only scan errors

SHOW_NOT_SUSPICIOUS 

report only modules that are not suspicious

SHOW_SUSPICIOUS 

report only suspicious modules

SHOW_SUSPICIOUS_AND_ERRORS 

report suspicious modules and scan errors (SHOW_ERRORS | SHOW_SUSPICIOUS)

SHOW_SUCCESSFUL_ONLY 

report all successfully scanned modules, suspicious or not, but no scan errors (SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS)

SHOW_ALL 

report everything: scan errors, not-suspicious and suspicious modules (SHOW_ERRORS | SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS)

Definition at line 31 of file pe_sieve_types.h.
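How the t_results_filter bitmask decides which modules end up in a report, as an added example that is not part of the PE-sieve sources: the enum values are copied from this page, while the per-module status type, `should_report`, `count_reported`, `sample_reported` and the five-module sample scan are constructed here purely for illustration.

```c
#include <stdio.h>

/* t_results_filter as listed on this page (pe_sieve_types.h). Each
 * single-bit value describes one kind of scan outcome; the named
 * combinations are plain bitwise ORs of those bits. */
typedef enum {
    SHOW_NONE = 0,
    SHOW_ERRORS = 1,
    SHOW_NOT_SUSPICIOUS = 2,
    SHOW_SUSPICIOUS = 4,
    SHOW_SUSPICIOUS_AND_ERRORS = SHOW_ERRORS | SHOW_SUSPICIOUS,
    SHOW_SUCCESSFUL_ONLY = SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS,
    SHOW_ALL = SHOW_ERRORS | SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS
} t_results_filter;

/* Hypothetical per-module scan outcome, constructed for this example
 * (PE-sieve's own report structures are not reproduced here). */
typedef enum { MOD_SCAN_ERROR, MOD_CLEAN, MOD_SUSPICIOUS } t_module_status;

/* Map one module outcome to the single SHOW_* bit that describes it. */
static t_results_filter status_to_flag(t_module_status status)
{
    switch (status) {
    case MOD_SCAN_ERROR: return SHOW_ERRORS;
    case MOD_CLEAN:      return SHOW_NOT_SUSPICIOUS;
    case MOD_SUSPICIOUS: return SHOW_SUSPICIOUS;
    }
    return SHOW_NONE;
}

/* A module is reported exactly when its own bit is set in the filter.
 * Returns 1 (report) or 0 (suppress). */
int should_report(t_results_filter filter, t_module_status status)
{
    return (filter & status_to_flag(status)) != 0;
}

/* Count how many of n scanned modules pass the filter. */
int count_reported(t_results_filter filter, const t_module_status *mods, int n)
{
    int reported = 0;
    for (int i = 0; i < n; i++) {
        if (should_report(filter, mods[i])) {
            reported++;
        }
    }
    return reported;
}

/* Constructed sample scan: three clean modules, one scan error, one
 * suspicious module. */
static const t_module_status SAMPLE_SCAN[] = {
    MOD_CLEAN, MOD_SCAN_ERROR, MOD_CLEAN, MOD_SUSPICIOUS, MOD_CLEAN
};
#define SAMPLE_SCAN_LEN (int)(sizeof(SAMPLE_SCAN) / sizeof(SAMPLE_SCAN[0]))

/* Apply a filter to the constructed sample and return the report count. */
int sample_reported(t_results_filter filter)
{
    return count_reported(filter, SAMPLE_SCAN, SAMPLE_SCAN_LEN);
}

int main(void)
{
    printf("SHOW_SUSPICIOUS_AND_ERRORS: %d of %d modules reported\n",
           sample_reported(SHOW_SUSPICIOUS_AND_ERRORS), SAMPLE_SCAN_LEN);
    printf("SHOW_SUCCESSFUL_ONLY:       %d of %d modules reported\n",
           sample_reported(SHOW_SUCCESSFUL_ONLY), SAMPLE_SCAN_LEN);
    printf("SHOW_ALL:                   %d of %d modules reported\n",
           sample_reported(SHOW_ALL), SAMPLE_SCAN_LEN);
    return 0;
}
```

Because the filter is a mask rather than a mode selector, a caller can also pass any OR of the three single bits (for instance SHOW_ERRORS | SHOW_NOT_SUSPICIOUS) and the same test still applies; a check that compares `filter == SHOW_SUSPICIOUS` instead of testing the bit would silently drop suspicious modules whenever a combined value is in use.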

◆ t_shellc_mode

Enumerator
SHELLC_NONE 

do not detect shellcode

SHELLC_PATTERNS 

detect shellcodes by patterns

SHELLC_STATS 

detect shellcodes by stats

SHELLC_PATTERNS_OR_STATS 

detect shellcodes by patterns or stats (any match)

SHELLC_PATTERNS_AND_STATS 

detect shellcodes by patterns and stats (both match)

SHELLC_COUNT 

Definition at line 41 of file pe_sieve_types.h.

Variable Documentation

◆ ERROR_SCAN_FAILURE

const DWORD ERROR_SCAN_FAILURE = (-1)

the status returned if scanning has failed

Definition at line 21 of file pe_sieve_types.h.