pe-sieve/scanner_8h_source.html

#pragma once


#include <windows.h>

#include <string>

#include <map>


#include <peconv.h>

#include "scan_report.h"

#include "module_data.h"

#include "../utils/process_symbols.h"


namespace pesieve {


    class ProcessScanner {

    public:


        ProcessScanner(HANDLE procHndl, bool is_reflection, pesieve::t_params _args);


        ~ProcessScanner()

        {

        }


        ProcessScanReport* scanRemote(); //throws exceptions


        static t_scan_status scanForHollows(HANDLE hProcess, ModuleData& modData, RemoteModuleData &remoteModData, ProcessScanReport& process_report);

        static t_scan_status scanForHooks(HANDLE hProcess, ModuleData& modData, RemoteModuleData &remoteModData, ProcessScanReport& process_report, bool scan_data, bool scan_inaccessible);

        static t_scan_status scanForIATHooks(HANDLE hProcess, ModuleData& modData, RemoteModuleData &remoteModData, ProcessScanReport& process_report, t_iat_scan_mode filter);


    protected:

        size_t scanModules(ProcessScanReport &pReport); //throws exceptions

        size_t scanModulesIATs(ProcessScanReport &pReport); //throws exceptions

        size_t scanThreads(ProcessScanReport& pReport); //throws exceptions

        size_t scanWorkingSet(ProcessScanReport &pReport);  //throws exceptions


        ModuleScanReport* scanForMappingMismatch(ModuleData& modData, ProcessScanReport& process_report);


        bool resolveHooksTargets(ProcessScanReport& process_report);

        bool filterDotNetReport(ProcessScanReport& process_report);


        HANDLE processHandle;

        bool isDEP;

        const bool isReflection;

        ProcessSymbolsManager symbols;

        pesieve::t_params args;


        std::set<std::string> ignoredModules;

    };


}; //namespace pesieve

ProcessSymbolsManager
Definition process_symbols.h:8

pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15

pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26

pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19

pesieve::ProcessScanner
The root scanner, responsible for enumerating all the elements to be scanned within a given process,...
Definition scanner.h:15

pesieve::ProcessScanner::~ProcessScanner
~ProcessScanner()
Definition scanner.h:26

pesieve::ProcessScanner::scanWorkingSet
size_t scanWorkingSet(ProcessScanReport &pReport)
Definition scanner.cpp:298

pesieve::ProcessScanner::scanModules
size_t scanModules(ProcessScanReport &pReport)
Definition scanner.cpp:350

pesieve::ProcessScanner::isReflection
const bool isReflection
Definition scanner.h:53

pesieve::ProcessScanner::scanThreads
size_t scanThreads(ProcessScanReport &pReport)
Definition scanner.cpp:484

pesieve::ProcessScanner::ProcessScanner
ProcessScanner(HANDLE procHndl, bool is_reflection, pesieve::t_params _args)
Definition scanner.cpp:82

pesieve::ProcessScanner::isDEP
bool isDEP
Definition scanner.h:52

pesieve::ProcessScanner::scanForHooks
static t_scan_status scanForHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, bool scan_data, bool scan_inaccessible)
Definition scanner.cpp:148

pesieve::ProcessScanner::processHandle
HANDLE processHandle
Definition scanner.h:51

pesieve::ProcessScanner::scanModulesIATs
size_t scanModulesIATs(ProcessScanReport &pReport)
Definition scanner.cpp:438

pesieve::ProcessScanner::args
pesieve::t_params args
Definition scanner.h:55

pesieve::ProcessScanner::scanForHollows
static t_scan_status scanForHollows(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report)
Definition scanner.cpp:92

pesieve::ProcessScanner::resolveHooksTargets
bool resolveHooksTargets(ProcessScanReport &process_report)
Definition scanner.cpp:164

pesieve::ProcessScanner::filterDotNetReport
bool filterDotNetReport(ProcessScanReport &process_report)
Definition scanner.cpp:193

pesieve::ProcessScanner::scanForMappingMismatch
ModuleScanReport * scanForMappingMismatch(ModuleData &modData, ProcessScanReport &process_report)
Definition scanner.cpp:341

pesieve::ProcessScanner::symbols
ProcessSymbolsManager symbols
Definition scanner.h:54

pesieve::ProcessScanner::scanForIATHooks
static t_scan_status scanForIATHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, t_iat_scan_mode filter)
Definition scanner.cpp:124

pesieve::ProcessScanner::scanRemote
ProcessScanReport * scanRemote()
The main function of ProcessScanner, deploying the scan. Throws exceptions in case of a failure.
Definition scanner.cpp:230

pesieve::ProcessScanner::ignoredModules
std::set< std::string > ignoredModules
Definition scanner.h:57

pesieve::RemoteModuleData
Buffers the data from the module loaded in the scanned process into the local memory.
Definition module_data.h:121

pesieve.t_iat_scan_mode
Definition pesieve.py:58

pesieve.t_params
Definition pesieve.py:100

module_data.h

pesieve
Definition pesieve.py:1

pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status

process_symbols.h

scan_report.h