PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
process_reflection.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#define USE_PROCESS_SNAPSHOT
6#define USE_RTL_PROCESS_REFLECTION
7
8namespace pesieve {
9 namespace util {
10
11 struct ProcessRefl
12 {
13 public:
14 ProcessRefl(HANDLE _hReflHndl, HANDLE _snapshot = NULL)
15 : hReflHndl(_hReflHndl), snapshot(_snapshot)
16 {
17 }
18
19 virtual ~ProcessRefl();
20
21 bool releaseReflectedHndl();
22
23 HANDLE hReflHndl;
24 HANDLE snapshot;
25 };
26
27 // required by RtlCreateProcessReflection:
28 const DWORD reflection_access1 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE;
29
30 // required by PssCaptureSnapshot:
31 const DWORD reflection_access2 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS;
32
33#ifdef USE_PROCESS_SNAPSHOT
34 const DWORD reflection_access = reflection_access2;
35#else
36 const DWORD reflection_access = reflection_access1;
37#endif
38
39 bool can_make_process_reflection();
40 ProcessRefl* make_process_reflection(HANDLE orig_hndl);
41 };
42};
pesieve::util::make_process_reflection
ProcessRefl * make_process_reflection(HANDLE orig_hndl)
Definition process_reflection.cpp:305
pesieve::util::reflection_access1
const DWORD reflection_access1
Definition process_reflection.h:28
pesieve::util::reflection_access2
const DWORD reflection_access2
Definition process_reflection.h:31
pesieve::util::reflection_access
const DWORD reflection_access
Definition process_reflection.h:34
pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
pesieve::util::ProcessRefl::ProcessRefl
ProcessRefl(HANDLE _hReflHndl, HANDLE _snapshot=NULL)
Definition process_reflection.h:14
Generated by doxygen 1.17.0