 |
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
Loading...
Searching...
No Matches
|
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
Final summary about the scanned process. More...
#include <pe_sieve_types.h>
Public Attributes | |
| DWORD | pid |
| pid of the process that was scanned | |
| bool | is_managed |
| is process managed (.NET) | |
| bool | is_64bit |
| is process 64 bit | |
| bool | is_reflection |
| was the scan performed on process reflection | |
| DWORD | scanned |
| number of all scanned modules | |
| DWORD | suspicious |
| general summary of suspicious | |
| DWORD | replaced |
| PE file replaced in memory (probably hollowed) | |
| DWORD | hdr_mod |
| PE header is modified (but not replaced) | |
| DWORD | unreachable_file |
| cannot read the file corresponding to the module in memory | |
| DWORD | patched |
| detected modifications in the code | |
| DWORD | iat_hooked |
| detected IAT hooks | |
| DWORD | implanted |
| all implants: shellcodes + PEs | |
| DWORD | implanted_pe |
| the full PE was probably loaded manually | |
| DWORD | implanted_shc |
| implanted shellcodes | |
| DWORD | other |
| other indicators | |
| DWORD | skipped |
| some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this scan does not apply) | |
| DWORD | errors |
| the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed. | |
Final summary about the scanned process.
Definition at line 137 of file pe_sieve_types.h.
| DWORD report::errors |
the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.
Definition at line 154 of file pe_sieve_types.h.
| DWORD report::hdr_mod |
PE header is modified (but not replaced)
Definition at line 145 of file pe_sieve_types.h.
| DWORD report::iat_hooked |
detected IAT hooks
Definition at line 148 of file pe_sieve_types.h.
| DWORD report::implanted |
all implants: shellcodes + PEs
Definition at line 149 of file pe_sieve_types.h.
| DWORD report::implanted_pe |
the full PE was probably loaded manually
Definition at line 150 of file pe_sieve_types.h.
| DWORD report::implanted_shc |
implanted shellcodes
Definition at line 151 of file pe_sieve_types.h.
| bool report::is_64bit |
is process 64 bit
Definition at line 140 of file pe_sieve_types.h.
| bool report::is_managed |
is process managed (.NET)
Definition at line 139 of file pe_sieve_types.h.
| bool report::is_reflection |
was the scan performed on process reflection
Definition at line 141 of file pe_sieve_types.h.
| DWORD report::other |
other indicators
Definition at line 152 of file pe_sieve_types.h.
| DWORD report::patched |
detected modifications in the code
Definition at line 147 of file pe_sieve_types.h.
| DWORD report::pid |
pid of the process that was scanned
Definition at line 138 of file pe_sieve_types.h.
| DWORD report::replaced |
PE file replaced in memory (probably hollowed)
Definition at line 144 of file pe_sieve_types.h.
| DWORD report::scanned |
number of all scanned modules
Definition at line 142 of file pe_sieve_types.h.
| DWORD report::skipped |
some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this scan does not apply)
Definition at line 153 of file pe_sieve_types.h.
| DWORD report::suspicious |
general summary of suspicious
Definition at line 143 of file pe_sieve_types.h.
| DWORD report::unreachable_file |
cannot read the file corresponding to the module in memory
Definition at line 146 of file pe_sieve_types.h.
1.10.0