PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
scanner.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <string>
5#include <map>
6
7#include <peconv.h>
8#include "scan_report.h"
9#include "module_data.h"
10
11namespace pesieve {
12
57
58}; //namespace pesieve
pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19
pesieve::ProcessScanner
The root scanner, responsible for enumerating all the elements to be scanned within a given process,...
Definition scanner.h:14
pesieve::ProcessScanner::scanWorkingSet
size_t scanWorkingSet(ProcessScanReport &pReport)
Definition scanner.cpp:284
pesieve::ProcessScanner::scanModules
size_t scanModules(ProcessScanReport &pReport)
Definition scanner.cpp:336
pesieve::ProcessScanner::isReflection
const bool isReflection
Definition scanner.h:52
pesieve::ProcessScanner::scanThreads
size_t scanThreads(ProcessScanReport &pReport)
Definition scanner.cpp:471
pesieve::ProcessScanner::ProcessScanner
ProcessScanner(HANDLE procHndl, bool is_reflection, pesieve::t_params _args)
Definition scanner.cpp:69
pesieve::ProcessScanner::scanForHooks
static t_scan_status scanForHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, bool scan_data, bool scan_inaccessible)
Definition scanner.cpp:134
pesieve::ProcessScanner::scanModulesIATs
size_t scanModulesIATs(ProcessScanReport &pReport)
Definition scanner.cpp:424
pesieve::ProcessScanner::args
pesieve::t_params args
Definition scanner.h:53
pesieve::ProcessScanner::scanForHollows
static t_scan_status scanForHollows(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report)
Definition scanner.cpp:78
pesieve::ProcessScanner::resolveHooksTargets
bool resolveHooksTargets(ProcessScanReport &process_report)
Definition scanner.cpp:150
pesieve::ProcessScanner::filterDotNetReport
bool filterDotNetReport(ProcessScanReport &process_report)
Definition scanner.cpp:179
pesieve::ProcessScanner::scanForMappingMismatch
ModuleScanReport * scanForMappingMismatch(ModuleData &modData, ProcessScanReport &process_report)
Definition scanner.cpp:327
pesieve::ProcessScanner::scanForIATHooks
static t_scan_status scanForIATHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, t_iat_scan_mode filter)
Definition scanner.cpp:110
pesieve::ProcessScanner::scanRemote
ProcessScanReport * scanRemote()
The main function of ProcessScanner, deploying the scan. Throws exceptions in case of a failure.
Definition scanner.cpp:216
pesieve::ProcessScanner::ignoredModules
std::set< std::string > ignoredModules
Definition scanner.h:55
pesieve::RemoteModuleData
Buffers the data from the module loaded in the scanned process into the local memory.
Definition module_data.h:123
pesieve.t_iat_scan_mode
Definition pesieve.py:58
pesieve.t_params
Definition pesieve.py:100
module_data.h
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
scan_report.h
Generated by doxygen 1.10.0