 |
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
|
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
Final summary about the scanned process. More...
#include <pe_sieve_types.h>
Public Attributes | |
| DWORD | pid |
| pid of the process that was scanned More... | |
| bool | is_managed |
| is process managed (.NET) More... | |
| bool | is_64bit |
| is process 64 bit More... | |
| bool | is_reflection |
| was the scan performed on process reflection More... | |
| DWORD | scanned |
| number of all scanned modules More... | |
| DWORD | suspicious |
| general summary of suspicious More... | |
| DWORD | replaced |
| PE file replaced in memory (probably hollowed) More... | |
| DWORD | hdr_mod |
| PE header is modified (but not replaced) More... | |
| DWORD | unreachable_file |
| cannot read the file corresponding to the module in memory More... | |
| DWORD | patched |
| detected modifications in the code More... | |
| DWORD | iat_hooked |
| detected IAT hooks More... | |
| DWORD | implanted |
| all implants: shellcodes + PEs More... | |
| DWORD | implanted_pe |
| the full PE was probably loaded manually More... | |
| DWORD | implanted_shc |
| implanted shellcodes More... | |
| DWORD | other |
| other indicators More... | |
| DWORD | skipped |
| some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this scan does not apply) More... | |
| DWORD | errors |
| the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed. More... | |
Final summary about the scanned process.
Definition at line 106 of file pe_sieve_types.h.
| DWORD t_report::errors |
the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.
Definition at line 123 of file pe_sieve_types.h.
| DWORD t_report::hdr_mod |
PE header is modified (but not replaced)
Definition at line 114 of file pe_sieve_types.h.
| DWORD t_report::iat_hooked |
detected IAT hooks
Definition at line 117 of file pe_sieve_types.h.
| DWORD t_report::implanted |
all implants: shellcodes + PEs
Definition at line 118 of file pe_sieve_types.h.
| DWORD t_report::implanted_pe |
the full PE was probably loaded manually
Definition at line 119 of file pe_sieve_types.h.
| DWORD t_report::implanted_shc |
implanted shellcodes
Definition at line 120 of file pe_sieve_types.h.
| bool t_report::is_64bit |
is process 64 bit
Definition at line 109 of file pe_sieve_types.h.
| bool t_report::is_managed |
is process managed (.NET)
Definition at line 108 of file pe_sieve_types.h.
| bool t_report::is_reflection |
was the scan performed on process reflection
Definition at line 110 of file pe_sieve_types.h.
| DWORD t_report::other |
other indicators
Definition at line 121 of file pe_sieve_types.h.
| DWORD t_report::patched |
detected modifications in the code
Definition at line 116 of file pe_sieve_types.h.
| DWORD t_report::pid |
pid of the process that was scanned
Definition at line 107 of file pe_sieve_types.h.
| DWORD t_report::replaced |
PE file replaced in memory (probably hollowed)
Definition at line 113 of file pe_sieve_types.h.
| DWORD t_report::scanned |
number of all scanned modules
Definition at line 111 of file pe_sieve_types.h.
| DWORD t_report::skipped |
some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this scan does not apply)
Definition at line 122 of file pe_sieve_types.h.
| DWORD t_report::suspicious |
general summary of suspicious
Definition at line 112 of file pe_sieve_types.h.
| DWORD t_report::unreachable_file |
cannot read the file corresponding to the module in memory
Definition at line 115 of file pe_sieve_types.h.
1.9.2