PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
scanner.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <string>
5#include <map>
6
7#include <peconv.h>
8#include "scan_report.h"
9#include "module_data.h"
10#include "../utils/process_symbols.h"
11
12namespace pesieve {
13
15 class ProcessScanner {
16 public:
17
24 ProcessScanner(HANDLE procHndl, bool is_reflection, pesieve::t_params _args);
25
26 ~ProcessScanner()
27 {
28 }
29
31
34 ProcessScanReport* scanRemote(); //throws exceptions
35
36 static t_scan_status scanForHollows(HANDLE hProcess, ModuleData& modData, RemoteModuleData &remoteModData, ProcessScanReport& process_report);
37 static t_scan_status scanForHooks(HANDLE hProcess, ModuleData& modData, RemoteModuleData &remoteModData, ProcessScanReport& process_report, bool scan_data, bool scan_inaccessible);
38 static t_scan_status scanForIATHooks(HANDLE hProcess, ModuleData& modData, RemoteModuleData &remoteModData, ProcessScanReport& process_report, t_iat_scan_mode filter);
39
40 protected:
41 size_t scanModules(ProcessScanReport &pReport); //throws exceptions
42 size_t scanModulesIATs(ProcessScanReport &pReport); //throws exceptions
43 size_t scanThreads(ProcessScanReport& pReport); //throws exceptions
44 size_t scanWorkingSet(ProcessScanReport &pReport); //throws exceptions
45
46 ModuleScanReport* scanForMappingMismatch(ModuleData& modData, ProcessScanReport& process_report);
47
48 bool resolveHooksTargets(ProcessScanReport& process_report);
49 bool filterDotNetReport(ProcessScanReport& process_report);
50
51 HANDLE processHandle;
52 bool isDEP;
53 const bool isReflection;
54 ProcessSymbolsManager symbols;
55 pesieve::t_params args;
56
57 std::set<std::string> ignoredModules;
58 };
59
60}; //namespace pesieve
pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:56
pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19
pesieve::ProcessScanner::scanWorkingSet
size_t scanWorkingSet(ProcessScanReport &pReport)
Definition scanner.cpp:298
pesieve::ProcessScanner::scanModules
size_t scanModules(ProcessScanReport &pReport)
Definition scanner.cpp:350
pesieve::ProcessScanner::isReflection
const bool isReflection
Definition scanner.h:53
pesieve::ProcessScanner::scanThreads
size_t scanThreads(ProcessScanReport &pReport)
Definition scanner.cpp:484
pesieve::ProcessScanner::ProcessScanner
ProcessScanner(HANDLE procHndl, bool is_reflection, pesieve::t_params _args)
Definition scanner.cpp:82
pesieve::ProcessScanner::scanForHooks
static t_scan_status scanForHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, bool scan_data, bool scan_inaccessible)
Definition scanner.cpp:148
pesieve::ProcessScanner::scanModulesIATs
size_t scanModulesIATs(ProcessScanReport &pReport)
Definition scanner.cpp:438
pesieve::ProcessScanner::args
pesieve::t_params args
Definition scanner.h:55
pesieve::ProcessScanner::scanForHollows
static t_scan_status scanForHollows(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report)
Definition scanner.cpp:92
pesieve::ProcessScanner::resolveHooksTargets
bool resolveHooksTargets(ProcessScanReport &process_report)
Definition scanner.cpp:164
pesieve::ProcessScanner::filterDotNetReport
bool filterDotNetReport(ProcessScanReport &process_report)
Definition scanner.cpp:193
pesieve::ProcessScanner::scanForMappingMismatch
ModuleScanReport * scanForMappingMismatch(ModuleData &modData, ProcessScanReport &process_report)
Definition scanner.cpp:341
pesieve::ProcessScanner::symbols
ProcessSymbolsManager symbols
Definition scanner.h:54
pesieve::ProcessScanner::scanForIATHooks
static t_scan_status scanForIATHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, t_iat_scan_mode filter)
Definition scanner.cpp:124
pesieve::ProcessScanner::scanRemote
ProcessScanReport * scanRemote()
The main function of ProcessScanner, deploying the scan. Throws exceptions in case of a failure.
Definition scanner.cpp:230
pesieve::ProcessScanner::ignoredModules
std::set< std::string > ignoredModules
Definition scanner.h:57
pesieve::RemoteModuleData
Buffers the data from the module loaded in the scanned process into the local memory.
Definition module_data.h:121
pesieve.t_iat_scan_mode
Definition pesieve.py:58
pesieve.t_params
Definition pesieve.py:109
module_data.h
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
process_symbols.h
scan_report.h
Generated by doxygen 1.13.2