PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
t_report Struct Reference

Final summary about the scanned process. More...

#include <pe_sieve_types.h>

Public Attributes

DWORD pid
 PID of the process that was scanned
 
bool is_managed
 is the process managed (.NET)
 
bool is_64bit
 is the process 64-bit
 
bool is_reflection
 was the scan performed on a process reflection
 
DWORD scanned
 number of all scanned modules
 
DWORD suspicious
 overall number of suspicious modules
 
DWORD replaced
 PE file replaced in memory (probably hollowed)
 
DWORD hdr_mod
 PE header is modified (but not replaced)
 
DWORD unreachable_file
 modules whose corresponding file on disk could not be read
 
DWORD patched
 detected modifications in the code
 
DWORD iat_hooked
 detected IAT hooks
 
DWORD implanted
 all implants: shellcodes + PEs
 
DWORD implanted_pe
 the full PE was probably loaded manually
 
DWORD implanted_shc
 implanted shellcodes
 
DWORD other
 other indicators
 
DWORD skipped
 number of modules that had to be skipped (e.g. .NET managed code has different characteristics, so this scan does not apply to it)
 
DWORD errors
 the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.
 

Detailed Description

Final summary about the scanned process.

Definition at line 118 of file pe_sieve_types.h.
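As an added example (not PE-sieve's own code), here is how a defender-side tool consuming this struct could triage it. It declares a local mirror of t_report because pe_sieve_types.h is not included, gives ERROR_SCAN_FAILURE a placeholder value, and the severity ordering in top_indicator is an assumption made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
typedef uint32_t DWORD; /* Windows DWORD, mirrored so the file builds off-Windows */

/* Local mirror of t_report with the members documented on this page
   (constructed here; real code includes pe_sieve_types.h instead). */
typedef struct {
    DWORD pid;
    bool  is_managed, is_64bit, is_reflection;
    DWORD scanned, suspicious, replaced, hdr_mod, unreachable_file, patched,
          iat_hooked, implanted, implanted_pe, implanted_shc, other, skipped, errors;
} t_report;

#define ERROR_SCAN_FAILURE ((DWORD)-1) /* placeholder; real value is in pe_sieve_types.h */
typedef enum {
    VERDICT_NO_SCAN,       /* errors == ERROR_SCAN_FAILURE: no scan was performed */
    VERDICT_INCONSISTENT,  /* counters contradict each other: distrust the report */
    VERDICT_SUSPICIOUS,    /* at least one suspicious module was found */
    VERDICT_CLEAN_PARTIAL, /* nothing found, but some elements could not be scanned */
    VERDICT_CLEAN
} verdict_t;

/* Decide what a consumer may conclude from a report. */
verdict_t triage_report(const t_report *r)
{
    if (r->errors == ERROR_SCAN_FAILURE)
        return VERDICT_NO_SCAN;
    /* "implanted" is documented as shellcodes + PEs, so the parts must add up. */
    if (r->implanted != r->implanted_pe + r->implanted_shc)
        return VERDICT_INCONSISTENT;
    if (r->suspicious > 0)
        return VERDICT_SUSPICIOUS;
    return r->errors > 0 ? VERDICT_CLEAN_PARTIAL : VERDICT_CLEAN;
}

/* Name the most severe indicator present; the ordering is a triage choice made
   here (whole-image replacement first, generic "other" last), not PE-sieve's. */
const char *top_indicator(const t_report *r)
{
    if (r->replaced)         return "replaced";
    if (r->implanted_pe)     return "implanted_pe";
    if (r->implanted_shc)    return "implanted_shc";
    if (r->iat_hooked)       return "iat_hooked";
    if (r->patched)          return "patched";
    if (r->hdr_mod)          return "hdr_mod";
    if (r->unreachable_file) return "unreachable_file";
    if (r->other)            return "other";
    return "none";
}
```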

Member Data Documentation

◆ errors

DWORD t_report::errors

the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.

Definition at line 135 of file pe_sieve_types.h.

◆ hdr_mod

DWORD t_report::hdr_mod

PE header is modified (but not replaced)

Definition at line 126 of file pe_sieve_types.h.

◆ iat_hooked

DWORD t_report::iat_hooked

detected IAT hooks

Definition at line 129 of file pe_sieve_types.h.

◆ implanted

DWORD t_report::implanted

all implants: shellcodes + PEs

Definition at line 130 of file pe_sieve_types.h.

◆ implanted_pe

DWORD t_report::implanted_pe

the full PE was probably loaded manually

Definition at line 131 of file pe_sieve_types.h.

◆ implanted_shc

DWORD t_report::implanted_shc

implanted shellcodes

Definition at line 132 of file pe_sieve_types.h.

◆ is_64bit

bool t_report::is_64bit

is the process 64-bit

Definition at line 121 of file pe_sieve_types.h.

◆ is_managed

bool t_report::is_managed

is the process managed (.NET)

Definition at line 120 of file pe_sieve_types.h.

◆ is_reflection

bool t_report::is_reflection

was the scan performed on a process reflection

Definition at line 122 of file pe_sieve_types.h.

◆ other

DWORD t_report::other

other indicators

Definition at line 133 of file pe_sieve_types.h.

◆ patched

DWORD t_report::patched

detected modifications in the code

Definition at line 128 of file pe_sieve_types.h.

◆ pid

DWORD t_report::pid

PID of the process that was scanned

Definition at line 119 of file pe_sieve_types.h.

◆ replaced

DWORD t_report::replaced

PE file replaced in memory (probably hollowed)

Definition at line 125 of file pe_sieve_types.h.

◆ scanned

DWORD t_report::scanned

number of all scanned modules

Definition at line 123 of file pe_sieve_types.h.

◆ skipped

DWORD t_report::skipped

number of modules that had to be skipped (e.g. .NET managed code has different characteristics, so this scan does not apply to it)

Definition at line 134 of file pe_sieve_types.h.

◆ suspicious

DWORD t_report::suspicious

overall number of suspicious modules

Definition at line 124 of file pe_sieve_types.h.

◆ unreachable_file

DWORD t_report::unreachable_file

modules whose corresponding file on disk could not be read

Definition at line 127 of file pe_sieve_types.h.


The documentation for this struct was generated from the following file: