PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Input parameters for PE-sieve, defining the configuration.
#include <pe_sieve_types.h>
Public Attributes

| Type | Name | Description |
|---|---|---|
| DWORD | pid | the PID of the process to be scanned |
| t_dotnet_policy | dotnet_policy | policy for scanning .NET modules |
| t_imprec_mode | imprec_mode | import recovery mode |
| bool | quiet | do not print the log to stdout |
| t_output_filter | out_filter | level of detail of the created output material |
| bool | no_hooks | do not scan for hooks |
| t_shellc_mode | shellcode | detect shellcode implants |
| t_obfusc_mode | obfuscated | detect encrypted or obfuscated content (possibly encrypted shellcode) |
| bool | threads | scan threads |
| t_iat_scan_mode | iat | detect IAT hooking |
| t_data_scan_mode | data | whether to scan non-executable pages |
| bool | minidump | make a minidump of the full process |
| bool | rebase | rebase the module to its original base (if known) |
| t_dump_mode | dump_mode | the mode in which detected PE implants should be dumped |
| bool | json_output | display the final summary as a JSON report |
| bool | make_reflection | operate on a process reflection rather than on the live process (this allows, for example, force-reading inaccessible pages) |
| bool | use_cache | enable the cache for the scanned modules |
| t_json_level | json_lvl | level of detail of the JSON report |
| t_results_filter | results_filter | which types of results should be included in the report |
| char | output_dir [MAX_PATH+1] | the root directory where the output should be saved (default: current directory) |
| PARAM_STRING | modules_ignored | a list of modules that will not be scanned, separated by PARAM_LIST_SEPARATOR |
| PARAM_STRING | pattern_file | a file with additional patterns for code recognition |
Input parameters for PE-sieve, defining the configuration.
Definition at line 124 of file pe_sieve_types.h.
t_data_scan_mode params::data
whether to scan non-executable pages
Definition at line 135 of file pe_sieve_types.h.

t_dotnet_policy params::dotnet_policy
policy for scanning .NET modules
Definition at line 126 of file pe_sieve_types.h.

t_dump_mode params::dump_mode
the mode in which detected PE implants should be dumped
Definition at line 138 of file pe_sieve_types.h.

t_iat_scan_mode params::iat
detect IAT hooking
Definition at line 134 of file pe_sieve_types.h.

t_imprec_mode params::imprec_mode
import recovery mode
Definition at line 127 of file pe_sieve_types.h.

t_json_level params::json_lvl
level of detail of the JSON report
Definition at line 142 of file pe_sieve_types.h.

bool params::json_output
display the final summary as a JSON report
Definition at line 139 of file pe_sieve_types.h.

bool params::make_reflection
operate on a process reflection rather than on the live process (this allows, for example, force-reading inaccessible pages)
Definition at line 140 of file pe_sieve_types.h.

bool params::minidump
make a minidump of the full process
Definition at line 136 of file pe_sieve_types.h.

PARAM_STRING params::modules_ignored
a list of modules that will not be scanned, separated by PARAM_LIST_SEPARATOR
Definition at line 145 of file pe_sieve_types.h.

bool params::no_hooks
do not scan for hooks
Definition at line 130 of file pe_sieve_types.h.

t_obfusc_mode params::obfuscated
detect encrypted or obfuscated content (possibly encrypted shellcode)
Definition at line 132 of file pe_sieve_types.h.

t_output_filter params::out_filter
level of detail of the created output material
Definition at line 129 of file pe_sieve_types.h.

char params::output_dir[MAX_PATH+1]
the root directory where the output should be saved (default: current directory)
Definition at line 144 of file pe_sieve_types.h.

PARAM_STRING params::pattern_file
a file with additional patterns for code recognition
Definition at line 146 of file pe_sieve_types.h.

DWORD params::pid
the PID of the process to be scanned
Definition at line 125 of file pe_sieve_types.h.

bool params::quiet
do not print the log to stdout
Definition at line 128 of file pe_sieve_types.h.

bool params::rebase
rebase the module to its original base (if known)
Definition at line 137 of file pe_sieve_types.h.

t_results_filter params::results_filter
which types of results should be included in the report
Definition at line 143 of file pe_sieve_types.h.

t_shellc_mode params::shellcode
detect shellcode implants
Definition at line 131 of file pe_sieve_types.h.

bool params::threads
scan threads
Definition at line 133 of file pe_sieve_types.h.

bool params::use_cache
enable the cache for the scanned modules
Definition at line 141 of file pe_sieve_types.h.