PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
t_report Struct Reference

Final summary about the scanned process.

#include <pe_sieve_types.h>

Public Attributes

DWORD pid
    pid of the process that was scanned

bool is_managed
    is process managed (.NET)

bool is_64bit
    is process 64 bit

DWORD scanned
    number of all scanned modules

DWORD suspicious
    general count of suspicious indicators

DWORD replaced
    PE file replaced in memory (probably hollowed)

DWORD hdr_mod
    PE header is modified (but not replaced)

DWORD unreachable_file
    cannot read the file corresponding to the module in memory

DWORD patched
    detected modifications in the code

DWORD iat_hooked
    detected IAT hooks

DWORD implanted
    all implants: shellcodes + PEs

DWORD implanted_pe
    the full PE was probably loaded manually

DWORD implanted_shc
    implanted shellcodes

DWORD other
    other indicators

DWORD skipped
    some of the modules had to be skipped (e.g. .NET managed code has different characteristics, so this scan does not apply to it)

DWORD errors
    the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.

Detailed Description

Final summary about the scanned process.

Definition at line 103 of file pe_sieve_types.h.

Member Data Documentation

◆ errors

DWORD t_report::errors

the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.

Definition at line 119 of file pe_sieve_types.h.

◆ hdr_mod

DWORD t_report::hdr_mod

PE header is modified (but not replaced)

Definition at line 110 of file pe_sieve_types.h.

◆ iat_hooked

DWORD t_report::iat_hooked

detected IAT hooks

Definition at line 113 of file pe_sieve_types.h.

◆ implanted

DWORD t_report::implanted

all implants: shellcodes + PEs

Definition at line 114 of file pe_sieve_types.h.

◆ implanted_pe

DWORD t_report::implanted_pe

the full PE was probably loaded manually

Definition at line 115 of file pe_sieve_types.h.

◆ implanted_shc

DWORD t_report::implanted_shc

implanted shellcodes

Definition at line 116 of file pe_sieve_types.h.

◆ is_64bit

bool t_report::is_64bit

is process 64 bit

Definition at line 106 of file pe_sieve_types.h.

◆ is_managed

bool t_report::is_managed

is process managed (.NET)

Definition at line 105 of file pe_sieve_types.h.

◆ other

DWORD t_report::other

other indicators

Definition at line 117 of file pe_sieve_types.h.

◆ patched

DWORD t_report::patched

detected modifications in the code

Definition at line 112 of file pe_sieve_types.h.

◆ pid

DWORD t_report::pid

pid of the process that was scanned

Definition at line 104 of file pe_sieve_types.h.

◆ replaced

DWORD t_report::replaced

PE file replaced in memory (probably hollowed)

Definition at line 109 of file pe_sieve_types.h.

◆ scanned

DWORD t_report::scanned

number of all scanned modules

Definition at line 107 of file pe_sieve_types.h.

◆ skipped

DWORD t_report::skipped

some of the modules had to be skipped (e.g. .NET managed code has different characteristics, so this scan does not apply to it)

Definition at line 118 of file pe_sieve_types.h.

◆ suspicious

DWORD t_report::suspicious

general count of suspicious indicators

Definition at line 108 of file pe_sieve_types.h.

◆ unreachable_file

DWORD t_report::unreachable_file

cannot read the file corresponding to the module in memory

Definition at line 111 of file pe_sieve_types.h.
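The member descriptions above say what each counter means but not how a consumer of the struct should read them together; the one rule that is easy to get wrong is that a report with errors == ERROR_SCAN_FAILURE has every counter at zero and must not be mistaken for a clean result. The following is an added example, not code from the PE-sieve project: it reconstructs t_report from the field names and types documented on this page (DWORD is typedef'd so it compiles off Windows), assumes a placeholder value for ERROR_SCAN_FAILURE (the real constant lives in pe_sieve_types.h and is not quoted here), and adds three hypothetical helpers, classify_report, report_is_consistent and primary_indicator, whose severity ordering is an assumption for triage, not something the page defines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: on Windows DWORD comes from <windows.h>; a plain typedef keeps
 * this example portable. */
typedef uint32_t DWORD;

/* Assumed sentinel value. The real ERROR_SCAN_FAILURE is defined in
 * pe_sieve_types.h; its value is not quoted on this page. */
#define ERROR_SCAN_FAILURE ((DWORD)-1)

/* Field names and types are the ones documented on this page, in the order
 * given by their definition lines (104..119 of pe_sieve_types.h). */
typedef struct t_report {
    DWORD pid;              /* pid of the scanned process */
    bool  is_managed;       /* process is .NET managed */
    bool  is_64bit;         /* process is 64 bit */
    DWORD scanned;          /* number of all scanned modules */
    DWORD suspicious;       /* general count of suspicious indicators */
    DWORD replaced;         /* PE replaced in memory (probably hollowed) */
    DWORD hdr_mod;          /* PE header modified but not replaced */
    DWORD unreachable_file; /* backing file could not be read */
    DWORD patched;          /* code modifications detected */
    DWORD iat_hooked;       /* IAT hooks detected */
    DWORD implanted;        /* all implants: shellcodes + PEs */
    DWORD implanted_pe;     /* full PE probably loaded manually */
    DWORD implanted_shc;    /* implanted shellcodes */
    DWORD other;            /* other indicators */
    DWORD skipped;          /* modules the scan does not apply to */
    DWORD errors;           /* elements not scanned; ERROR_SCAN_FAILURE = no scan */
} t_report;

typedef enum {
    VERDICT_SCAN_FAILED = 0, /* errors == ERROR_SCAN_FAILURE: no scan performed */
    VERDICT_NOTHING_SCANNED, /* scan ran, but no module was examined */
    VERDICT_CLEAN,           /* modules scanned, no suspicious indicators */
    VERDICT_SUSPICIOUS       /* at least one suspicious indicator */
} verdict_t;

/* Coarse triage verdict. `errors` is checked first on purpose: a failed scan
 * leaves every counter at zero and must not be reported as clean. */
verdict_t classify_report(const t_report *r) {
    if (r->errors == ERROR_SCAN_FAILURE) return VERDICT_SCAN_FAILED;
    if (r->scanned == 0) return VERDICT_NOTHING_SCANNED;
    return (r->suspicious > 0) ? VERDICT_SUSPICIOUS : VERDICT_CLEAN;
}

/* Consistency check derived from the page: `implanted` is documented as
 * "all implants: shellcodes + PEs", so it must equal implanted_pe + implanted_shc. */
bool report_is_consistent(const t_report *r) {
    if (r->errors == ERROR_SCAN_FAILURE) return true; /* nothing to compare */
    return r->implanted == r->implanted_pe + r->implanted_shc;
}

/* Name of the most severe indicator present, or NULL when there is none.
 * The ordering below is an assumption chosen for triage, not one the page defines. */
const char *primary_indicator(const t_report *r) {
    if (r->errors == ERROR_SCAN_FAILURE) return NULL;
    if (r->replaced)         return "replaced";
    if (r->implanted_pe)     return "implanted_pe";
    if (r->implanted_shc)    return "implanted_shc";
    if (r->patched)          return "patched";
    if (r->iat_hooked)       return "iat_hooked";
    if (r->hdr_mod)          return "hdr_mod";
    if (r->unreachable_file) return "unreachable_file";
    if (r->other)            return "other";
    return NULL;
}

/* Constructed sample reports; not the output of a real PE-sieve run. */
static const t_report SAMPLE_HOLLOWED = {
    .pid = 4242, .is_managed = false, .is_64bit = true, .scanned = 57,
    .suspicious = 2, .replaced = 1, .implanted = 1, .implanted_shc = 1
};
static const t_report SAMPLE_FAILED = { .pid = 4, .errors = ERROR_SCAN_FAILURE };

static void print_summary(const t_report *r) {
    static const char *names[] = { "scan failed", "nothing scanned", "clean", "suspicious" };
    const char *ind = primary_indicator(r);
    printf("pid %lu: %s (primary indicator: %s, counters consistent: %s)\n",
           (unsigned long)r->pid, names[classify_report(r)],
           ind ? ind : "none", report_is_consistent(r) ? "yes" : "no");
}

int main(void) {
    print_summary(&SAMPLE_HOLLOWED); /* suspicious, primary indicator "replaced" */
    print_summary(&SAMPLE_FAILED);   /* scan failed, no indicator */
    return 0;
}
```

The point of the errors-first ordering is visible in SAMPLE_FAILED: its suspicious counter is zero, so a consumer that only looked at `suspicious` would log the process as clean when in fact it was never scanned.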


The documentation for this struct was generated from the following file: