PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
process_reflection.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#define USE_PROCESS_SNAPSHOT
6#define USE_RTL_PROCESS_REFLECTION
7
8namespace pesieve {
9 namespace util {
10
11 // required by RtlCreateProcessReflection:
12 const DWORD reflection_access1 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE;
13
14 // required by PssCaptureSnapshot:
15 const DWORD reflection_access2 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS;
16
17#ifdef USE_PROCESS_SNAPSHOT
18 const DWORD reflection_access = reflection_access2;
19#else
20 const DWORD reflection_access = reflection_access1;
21#endif
22
23 bool can_make_process_reflection();
24 HANDLE make_process_reflection(HANDLE orig_hndl);
25 bool release_process_reflection(HANDLE* reflection_hndl);
26
27 };
28};
pesieve::util::reflection_access1
const DWORD reflection_access1
Definition process_reflection.h:12
pesieve::util::reflection_access2
const DWORD reflection_access2
Definition process_reflection.h:15
pesieve::util::reflection_access
const DWORD reflection_access
Definition process_reflection.h:18
pesieve::util::release_process_reflection
bool release_process_reflection(HANDLE *reflection_hndl)
Definition process_reflection.cpp:336
pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
pesieve::util::make_process_reflection
HANDLE make_process_reflection(HANDLE orig_hndl)
Definition process_reflection.cpp:312
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
Generated by doxygen 1.10.0