 |
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
Loading...
Searching...
No Matches
|
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
Final summary about the scanned process. More...
#include <pe_sieve_types.h>
Public Attributes | |
| DWORD | pid |
| pid of the process that was scanned | |
| bool | is_managed |
| is process managed (.NET) | |
| bool | is_64bit |
| is process 64 bit | |
| bool | is_reflection |
| was the scan performed on process reflection | |
| DWORD | scanned |
| number of all scanned modules | |
| DWORD | suspicious |
| general summary of suspicious | |
| DWORD | replaced |
| PE file replaced in memory (probably hollowed) | |
| DWORD | hdr_mod |
| PE header is modified (but not replaced) | |
| DWORD | unreachable_file |
| cannot read the file corresponding to the module in memory | |
| DWORD | patched |
| detected modifications in the code | |
| DWORD | iat_hooked |
| detected IAT hooks | |
| DWORD | implanted |
| all implants: shellcodes + PEs | |
| DWORD | implanted_pe |
| the full PE was probably loaded manually | |
| DWORD | implanted_shc |
| implanted shellcodes | |
| DWORD | other |
| other indicators | |
| DWORD | skipped |
| some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this scan does not apply) | |
| DWORD | errors |
| the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed. | |
Final summary about the scanned process.
Definition at line 118 of file pe_sieve_types.h.
| DWORD t_report::errors |
the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.
Definition at line 135 of file pe_sieve_types.h.
| DWORD t_report::hdr_mod |
PE header is modified (but not replaced)
Definition at line 126 of file pe_sieve_types.h.
| DWORD t_report::iat_hooked |
detected IAT hooks
Definition at line 129 of file pe_sieve_types.h.
| DWORD t_report::implanted |
all implants: shellcodes + PEs
Definition at line 130 of file pe_sieve_types.h.
| DWORD t_report::implanted_pe |
the full PE was probably loaded manually
Definition at line 131 of file pe_sieve_types.h.
| DWORD t_report::implanted_shc |
implanted shellcodes
Definition at line 132 of file pe_sieve_types.h.
| bool t_report::is_64bit |
is process 64 bit
Definition at line 121 of file pe_sieve_types.h.
| bool t_report::is_managed |
is process managed (.NET)
Definition at line 120 of file pe_sieve_types.h.
| bool t_report::is_reflection |
was the scan performed on process reflection
Definition at line 122 of file pe_sieve_types.h.
| DWORD t_report::other |
other indicators
Definition at line 133 of file pe_sieve_types.h.
| DWORD t_report::patched |
detected modifications in the code
Definition at line 128 of file pe_sieve_types.h.
| DWORD t_report::pid |
pid of the process that was scanned
Definition at line 119 of file pe_sieve_types.h.
| DWORD t_report::replaced |
PE file replaced in memory (probably hollowed)
Definition at line 125 of file pe_sieve_types.h.
| DWORD t_report::scanned |
number of all scanned modules
Definition at line 123 of file pe_sieve_types.h.
| DWORD t_report::skipped |
some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this scan does not apply)
Definition at line 134 of file pe_sieve_types.h.
| DWORD t_report::suspicious |
general summary of suspicious
Definition at line 124 of file pe_sieve_types.h.
| DWORD t_report::unreachable_file |
cannot read the file corresponding to the module in memory
Definition at line 127 of file pe_sieve_types.h.
1.9.6