PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
#pragma once
#include <windows.h>
#define USE_PROCESS_SNAPSHOT
#define USE_RTL_PROCESS_REFLECTION
namespace pesieve {
    namespace util {

        /// Access rights the caller must have requested on the target-process
        /// handle for the RtlCreateProcessReflection back-end.
        const DWORD reflection_access1 = PROCESS_CREATE_THREAD
            | PROCESS_VM_OPERATION
            | PROCESS_DUP_HANDLE;

        /// Access rights for the PssCaptureSnapshot back-end: the same set as
        /// the reflection path plus PROCESS_CREATE_PROCESS. That extra right is
        /// a comparatively powerful one, so callers should request exactly this
        /// mask rather than a broader one when opening the target.
        const DWORD reflection_access2 = reflection_access1 | PROCESS_CREATE_PROCESS;

        /// The mask exported to callers. Which back-end it corresponds to is
        /// fixed at compile time by USE_PROCESS_SNAPSHOT (defined unconditionally
        /// at the top of this header, so the snapshot mask is the one in effect
        /// unless that define is removed).
#ifdef USE_PROCESS_SNAPSHOT
        const DWORD reflection_access = reflection_access2;
#else
        const DWORD reflection_access = reflection_access1;
#endif

        /// Probes whether a process reflection can be created on this system.
        /// NOTE(review): the probe itself lives in process_reflection.cpp and is
        /// not visible here — presumably it checks for the required API(s); confirm there.
        bool can_make_process_reflection();

        /// Creates a reflection of the process behind orig_hndl and returns a
        /// handle to the reflected copy. orig_hndl is presumably expected to carry
        /// at least `reflection_access`; the value returned on failure is defined
        /// in process_reflection.cpp — check it before dereferencing the result.
        HANDLE make_process_reflection(HANDLE orig_hndl);

        /// Releases a reflection obtained from make_process_reflection().
        /// The handle is passed by pointer, presumably so the callee can clear the
        /// caller's copy after closing it — confirm against the definition.
        bool release_process_reflection(HANDLE* reflection_hndl);

    } // namespace util
} // namespace pesieve