PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
thread_scanner.cpp File Reference
#include "thread_scanner.h"
#include <peconv.h>
#include "mempage_data.h"
#include "../utils/process_util.h"
#include "../utils/ntddk.h"
#include "../stats/stats.h"
#include "../utils/process_symbols.h"
#include "../utils/syscall_extractor.h"


Classes

struct  _t_stack_enum_params
 

Namespaces

namespace  pesieve
 

Macros

#define ENTROPY_TRESHOLD   3.0
 

Typedefs

typedef struct _t_stack_enum_params t_stack_enum_params
 

Functions

bool pesieve::is_thread_running (HANDLE hThread)
 
bool get_page_details (HANDLE processHandle, LPVOID start_va, MEMORY_BASIC_INFORMATION &page_info)
 
DWORD WINAPI enum_stack_thread (LPVOID lpParam)
 
bool has_empty_gui_info (DWORD tid)
 
template<typename PTR_T >
bool read_return_ptr (IN HANDLE hProcess, IN OUT ctx_details &cDetails)
 
bool should_scan_context (const util::thread_info &info)
 

Variables

pesieve::SyscallTable g_SyscallTable
 

Macro Definition Documentation

◆ ENTROPY_TRESHOLD

#define ENTROPY_TRESHOLD   3.0

Definition at line 12 of file thread_scanner.cpp.

Typedef Documentation

◆ t_stack_enum_params

Function Documentation

◆ enum_stack_thread()

DWORD WINAPI enum_stack_thread ( LPVOID lpParam)

Definition at line 70 of file thread_scanner.cpp.

◆ get_page_details()

bool get_page_details ( HANDLE processHandle,
LPVOID start_va,
MEMORY_BASIC_INFORMATION & page_info )

Definition at line 57 of file thread_scanner.cpp.

◆ has_empty_gui_info()

bool has_empty_gui_info ( DWORD tid)

Definition at line 119 of file thread_scanner.cpp.

◆ read_return_ptr()

template<typename PTR_T >
bool read_return_ptr ( IN HANDLE hProcess,
IN OUT ctx_details & cDetails )

Definition at line 318 of file thread_scanner.cpp.

◆ should_scan_context()

bool should_scan_context ( const util::thread_info & info)

Definition at line 474 of file thread_scanner.cpp.


Variable Documentation

◆ g_SyscallTable

pesieve::SyscallTable g_SyscallTable
extern

Definition at line 24 of file pe_sieve.cpp.