PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Final summary about the scanned process.
#include <pe_sieve_types.h>
The struct t_report holds the final summary about the scanned process. It is defined at line 118 of file pe_sieve_types.h.

Public Attributes (in declaration order; the line given for each member is its definition in pe_sieve_types.h)

DWORD pid
    pid of the process that was scanned. (Defined at line 119.)
bool is_managed
    is the process managed (.NET). (Defined at line 120.)
bool is_64bit
    is the process 64-bit. (Defined at line 121.)
bool is_reflection
    was the scan performed on a process reflection. (Defined at line 122.)
DWORD scanned
    number of all scanned modules. (Defined at line 123.)
DWORD suspicious
    general summary: the count of suspicious modules. (Defined at line 124.)
DWORD replaced
    PE file replaced in memory (probably hollowed). (Defined at line 125.)
DWORD hdr_mod
    PE header is modified (but not replaced). (Defined at line 126.)
DWORD unreachable_file
    cannot read the file corresponding to the module in memory. (Defined at line 127.)
DWORD patched
    detected modifications in the code. (Defined at line 128.)
DWORD iat_hooked
    detected IAT hooks. (Defined at line 129.)
DWORD implanted
    all implants: shellcodes + PEs. (Defined at line 130.)
DWORD implanted_pe
    the full PE was probably loaded manually. (Defined at line 131.)
DWORD implanted_shc
    implanted shellcodes. (Defined at line 132.)
DWORD other
    other indicators. (Defined at line 133.)
DWORD skipped
    some of the modules must be skipped (e.g. .NET managed code has different characteristics, so this scan does not apply to it). (Defined at line 134.)
DWORD errors
    the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed. (Defined at line 135.)
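As an added example (not PE-sieve's own code), here is how a consumer of the report might triage a t_report in C: it checks ERROR_SCAN_FAILURE before trusting any counter, treats skipped or errored modules as incomplete coverage rather than a clean result, and verifies the documented invariant that implanted equals implanted_pe + implanted_shc. The DWORD typedef, the numeric value of ERROR_SCAN_FAILURE, the local copy of the struct and the verdict names are assumptions made so the code compiles without the PE-sieve or Windows headers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Stand-ins, since <windows.h> and pe_sieve_types.h are not available here:
   DWORD is 32-bit unsigned; the value of ERROR_SCAN_FAILURE is an assumption. */
typedef uint32_t DWORD;
#define ERROR_SCAN_FAILURE ((DWORD)-1)
/* Local copy of t_report with the fields documented on this page. */
typedef struct {
    DWORD pid;              /* pid of the process that was scanned */
    bool  is_managed;       /* is process managed (.NET) */
    bool  is_64bit;         /* is process 64 bit */
    bool  is_reflection;    /* scan performed on process reflection */
    DWORD scanned;          /* number of all scanned modules */
    DWORD suspicious;       /* general summary of suspicious */
    DWORD replaced;         /* PE replaced in memory (probably hollowed) */
    DWORD hdr_mod;          /* PE header modified (but not replaced) */
    DWORD unreachable_file; /* module's file cannot be read */
    DWORD patched;          /* modifications in the code */
    DWORD iat_hooked;       /* IAT hooks */
    DWORD implanted;        /* all implants: shellcodes + PEs */
    DWORD implanted_pe;     /* full PE probably loaded manually */
    DWORD implanted_shc;    /* implanted shellcodes */
    DWORD other;            /* other indicators */
    DWORD skipped;          /* modules this scan does not apply to */
    DWORD errors;           /* elements not scanned because of errors */
} t_report;
typedef enum { VERDICT_SCAN_FAILED, VERDICT_SUSPICIOUS,
               VERDICT_CLEAN_PARTIAL, VERDICT_CLEAN } verdict_t;
/* implanted is documented as shellcodes + PEs, so the sub-counters must add up. */
bool report_is_consistent(const t_report *r)
{
    return r->implanted == r->implanted_pe + r->implanted_shc;
}
/* A failed scan carries no information, so it is checked before any counter
   is trusted; skipped or errored modules make a clean result only partial. */
verdict_t triage_report(const t_report *r)
{
    if (r->errors == ERROR_SCAN_FAILURE) return VERDICT_SCAN_FAILED;
    if (r->suspicious > 0) return VERDICT_SUSPICIOUS;
    if (r->errors > 0 || r->skipped > 0) return VERDICT_CLEAN_PARTIAL;
    return VERDICT_CLEAN;
}
int main(void)
{   /* Constructed sample: one hollowed module among 40 scanned. */
    t_report r = { .pid = 4242, .is_64bit = true, .scanned = 40,
                   .suspicious = 1, .replaced = 1 };
    printf("pid %u: verdict %d\n", (unsigned)r.pid, (int)triage_report(&r));
    return 0;
}
```

The order of the checks is the point: a report whose errors field equals ERROR_SCAN_FAILURE may still carry stale zeros in every other counter, so it must never be reported as clean.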