 |
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
|
PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
|
#include "thread_scanner.h"#include <peconv.h>#include "mempage_data.h"#include "../utils/process_util.h"#include "../utils/ntddk.h"#include "../stats/stats.h"#include "../utils/process_symbols.h"#include "../utils/syscall_extractor.h"#include "../utils/artefacts_util.h"Go to the source code of this file.
Classes | |
| struct | _t_stack_enum_params |
Namespaces | |
| namespace | pesieve |
Macros | |
| #define | ENTROPY_TRESHOLD 3.0 |
Typedefs | |
| typedef struct _t_stack_enum_params | t_stack_enum_params |
Functions | |
| bool | pesieve::is_thread_running (HANDLE hThread) |
| bool | get_page_details (HANDLE processHandle, LPVOID start_va, MEMORY_BASIC_INFORMATION &page_info) |
| DWORD WINAPI | enum_stack_thread (LPVOID lpParam) |
| template<typename PTR_T> | |
| bool | pesieve::read_return_ptr (IN HANDLE hProcess, IN OUT ctx_details &cDetails) |
| bool | should_scan_context (const util::thread_info &info) |
Variables | |
| pesieve::SyscallTable | g_SyscallTable |
| #define ENTROPY_TRESHOLD 3.0 |
Definition at line 13 of file thread_scanner.cpp.
| typedef struct _t_stack_enum_params t_stack_enum_params |
| DWORD WINAPI enum_stack_thread | ( | LPVOID | lpParam | ) |
Definition at line 71 of file thread_scanner.cpp.
| bool get_page_details | ( | HANDLE | processHandle, |
| LPVOID | start_va, | ||
| MEMORY_BASIC_INFORMATION & | page_info ) |
Definition at line 58 of file thread_scanner.cpp.
| bool should_scan_context | ( | const util::thread_info & | info | ) |
|
extern |
Definition at line 24 of file pe_sieve.cpp.
1.13.2
