#define PARAM_LIST_SEPARATOR ';'
separator used in list-valued parameters (see modules_ignored)
@ PE_DATA_SCAN_DOTNET
scan data in .NET applications
@ PE_DATA_SCAN_INACCESSIBLE_ONLY
scan inaccessible pages (if running in reflection mode)
@ PE_DATA_SCAN_INACCESSIBLE
scan data unconditionally, and inaccessible pages (if running in reflection mode)
@ PE_DATA_SCAN_NO_DEP
scan data if DEP is disabled, or in .NET applications
@ PE_DATA_NO_SCAN
do not scan non-executable pages
@ PE_DATA_SCAN_ALWAYS
scan data unconditionally
@ PE_DUMP_VIRTUAL
dump as it is in the memory (virtual)
@ PE_DUMP_UNMAP
convert to the raw format: using raw sections' headers
@ PE_DUMP_REALIGN
convert to the raw format: by realigning raw sections' headers to be the same as virtual (useful if t...
@ PE_DUMP_AUTO
autodetect which dump mode is the most suitable for the given input
@ PE_IATS_CLEAN_SYS_FILTERED
scan IAT, filter hooks if they lead to unpatched system module
@ PE_IATS_NONE
do not scan IAT
@ PE_IATS_UNFILTERED
scan IAT, unfiltered
@ PE_IATS_ALL_SYS_FILTERED
scan IAT, filter hooks if they lead to any system module
@ OUT_FULL
no filter: dump everything (default)
@ OUT_NO_DUMPS
don't dump the modified PEs, but save the report
@ OUT_NO_DIR
don't dump any files
@ PE_DNET_SKIP_ALL
skip all the above indicators (mapping, shellcodes, hooks) in modules within the managed process
@ PE_DNET_SKIP_SHC
skip shellcodes (in all modules within the managed process)
@ PE_DNET_SKIP_MAPPING
skip mapping mismatch (in .NET modules only)
@ PE_DNET_NONE
none: treat managed processes same as native
@ PE_DNET_SKIP_HOOKS
skip hooked modules (in all modules within the managed process)
@ REPORT_ALL
output all available reports
@ REPORT_DUMPED
output the dumps report
@ REPORT_NONE
do not output a report
@ REPORT_SCANNED
output the scan report
@ PE_IMPREC_NONE
do not try to recover imports
@ PE_IMPREC_AUTO
try to autodetect the most suitable mode
@ PE_IMPREC_REBUILD0
build the import table from scratch, based on the found IAT(s): use only terminated blocks (rest...
@ PE_IMPREC_UNERASE
recover erased parts of the partially damaged import table
@ PE_IMPREC_REBUILD2
build the import table from scratch, based on the found IAT(s): use all found blocks (aggressive...
@ PE_IMPREC_REBUILD1
build the import table from scratch, based on the found IAT(s): use terminated blocks,...
@ JSON_DETAILS
include the basic list of patches in the main JSON report
@ JSON_DETAILS2
include the extended list of patches in the main JSON report
PARAM_STRING: a wrapper for a dynamically allocated string.
Input parameters for PE-sieve, defining the configuration.
t_dump_mode dump_mode
in which mode the detected PE implants should be dumped
t_dotnet_policy dotnet_policy
policy for scanning .NET modules
bool no_hooks
don't scan for hooks
t_output_filter out_filter
level of details of the created output material
bool json_output
display the final summary as a JSON report
DWORD pid
the PID of the process to be scanned
bool shellcode
detect shellcode implants
bool use_cache
enable cache for the scanned modules
t_imprec_mode imprec_mode
import recovery mode
t_iat_scan_mode iat
detect IAT hooking
t_json_level json_lvl
level of the details of the JSON report
bool make_reflection
operate on a process reflection rather than on the live process (this allows e.g. to force-read inacc...
bool minidump
make a minidump of the full process
t_data_scan_mode data
whether to scan non-executable pages
bool quiet
do not print the log to stdout
PARAM_STRING modules_ignored
a list of modules that will not be scanned, separated by PARAM_LIST_SEPARATOR
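The `modules_ignored` parameter is the one list-valued input above: module names joined by `PARAM_LIST_SEPARATOR`. The following C program is an added example, not PE-sieve's own code, showing how to assemble such a list and how a consumer can check membership against it. The `param_string_t` struct is a hypothetical mirror of the `PARAM_STRING` wrapper (field names and layout are an assumption for this example, not the library's definition), and the three module names are constructed input; the comparison is case-insensitive because Windows module names are.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same value as the page's #define: list elements are joined by ';'. */
#define PARAM_LIST_SEPARATOR ';'

/* Hypothetical mirror of PARAM_STRING ("a wrapper for a dynamically
   allocated string"). Field names and layout are an assumption made for
   this example; use the library's header for the real definition. */
typedef struct {
    unsigned long length;   /* bytes in buffer, including the terminating NUL */
    char *buffer;
} param_string_t;

/* Join `count` module names with PARAM_LIST_SEPARATOR into a freshly
   allocated buffer. Returns 0 on success, -1 on allocation failure or if a
   name itself contains the separator (it would otherwise be split in two). */
int build_modules_ignored(const char *const *names, size_t count, param_string_t *out)
{
    size_t total = 1;  /* room for the NUL */
    for (size_t i = 0; i < count; i++) {
        if (strchr(names[i], PARAM_LIST_SEPARATOR) != NULL) return -1;
        total += strlen(names[i]) + (i + 1 < count ? 1 : 0);
    }
    char *buf = malloc(total);
    if (buf == NULL) return -1;
    char *p = buf;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        memcpy(p, names[i], n);
        p += n;
        if (i + 1 < count) *p++ = PARAM_LIST_SEPARATOR;
    }
    *p = '\0';
    out->buffer = buf;
    out->length = (unsigned long)total;
    return 0;
}

/* Return 1 if `module` equals (case-insensitively) one whole element of the
   separator-delimited list, 0 otherwise. Substrings and empty names never match. */
int is_module_ignored(const param_string_t *list, const char *module)
{
    if (list == NULL || list->buffer == NULL || module == NULL || *module == '\0') return 0;
    size_t mlen = strlen(module);
    const char *start = list->buffer;
    for (;;) {
        const char *end = strchr(start, PARAM_LIST_SEPARATOR);
        size_t elen = end ? (size_t)(end - start) : strlen(start);
        if (elen == mlen) {
            size_t k = 0;
            while (k < mlen &&
                   tolower((unsigned char)start[k]) == tolower((unsigned char)module[k])) k++;
            if (k == mlen) return 1;
        }
        if (end == NULL) return 0;
        start = end + 1;
    }
}

void free_param_string(param_string_t *s)
{
    free(s->buffer);
    s->buffer = NULL;
    s->length = 0;
}

int main(void)
{
    /* Constructed input: modules the scan should leave alone. */
    const char *names[] = { "kernel32.dll", "ntdll.dll", "user32.dll" };
    param_string_t ignored;
    if (build_modules_ignored(names, 3, &ignored) != 0) return 1;
    printf("modules_ignored = \"%s\" (length %lu)\n", ignored.buffer, ignored.length);
    printf("NTDLL.DLL ignored?    %d\n", is_module_ignored(&ignored, "NTDLL.DLL"));
    printf("advapi32.dll ignored? %d\n", is_module_ignored(&ignored, "advapi32.dll"));
    free_param_string(&ignored);
    return 0;
}
```

The separator check in `build_modules_ignored` matters in practice: a name containing `;` would silently become two list entries, so the builder refuses it instead of producing a list that ignores the wrong modules.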
Final summary about the scanned process.
DWORD other
other indicators
DWORD hdr_mod
PE header is modified (but not replaced)
DWORD errors
the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE,...
DWORD implanted
all implants: shellcodes + PEs
DWORD scanned
number of all scanned modules
DWORD implanted_shc
implanted shellcodes
DWORD suspicious
total number of suspicious modules (general summary)
DWORD pid
pid of the process that was scanned
DWORD replaced
PE file replaced in memory (probably hollowed)
DWORD skipped
some of the modules had to be skipped (e.g. .NET managed code has different characteristics and this...
DWORD unreachable_file
cannot read the file corresponding to the module in memory
bool is_managed
is the process managed (.NET)
DWORD implanted_pe
the full PE was probably loaded manually
bool is_64bit
is the process 64-bit
DWORD iat_hooked
detected IAT hooks
bool is_reflection
was the scan performed on a process reflection
DWORD patched
detected modifications in the code