+
+
+
+
+
+
+
+
+
+
+
263 std::cout <<
"[!] Scanning detached: " << std::hex <<
module_start <<
" : " << memPage.
mapped_name << std::endl;
+
+
+
+
+
268 std::cout <<
"[-] Could not read the remote PE at: " << std::hex <<
module_start << std::endl;
+
+
+
+
+
+
+
+
+
277 std::cerr <<
"[-] [" << std::hex <<
modData.moduleHandle <<
"] Could not read the module file" << std::endl;
+
+
+
+
+
+
+
284 std::cout <<
"[*] Scanned for hollows. Status: " <<
scan_status << std::endl;
+
+
+
+
+
+
+
+
+
+
294 if (!args.no_hooks) {
+
+
296 || (!this->pDetails.isDEP && (
this->args.data == pesieve::PE_DATA_SCAN_NO_DEP));
+
297 const bool scan_inaccessible = (this->pDetails.isReflection && (this->args.data >= pesieve::PE_DATA_SCAN_INACCESSIBLE));
+
+
+
300 std::cout <<
"[*] Scanned for hooks. Status: " <<
scan_status << std::endl;
+
+
+
+
-
-
-
305 MemPageData memPage(this->processHandle, this->pDetails.isReflection,
this->memRegion.base, 0);
-
306 memPage.
is_listed_module = this->processReport.hasModule(this->memRegion.base);
-
-
-
-
310 std::cout <<
"[!] Could not fill: " << std::hex << memPage.
start_va <<
" to: " << memPage.
region_end <<
"\n";
-
-
-
-
-
-
-
317 std::cerr <<
"WARNING: Alloc Base mismatch: " << std::hex << memPage.
alloc_base <<
" vs " << this->memRegion.alloc_base << std::endl;
-
-
-
-
-
-
323 std::cerr <<
"WARNING: Size mismatch: " << std::hex << (memPage.
region_end - memPage.
region_start) <<
" vs " << this->memRegion.size << std::endl;
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
343 if (!isScannedAsModule(memPage)) {
-
-
-
-
-
-
-
-
-
-
353 std::cout << std::hex << memPage.
start_va <<
": Scanning executable area" << std::endl;
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
308 MemPageData memPage(this->processHandle, this->pDetails.isReflection,
this->memRegion.base, 0);
+
309 memPage.
is_listed_module = this->processReport.hasModule(this->memRegion.base);
+
+
+
+
313 std::cout <<
"[!] Could not fill: " << std::hex << memPage.
start_va <<
" to: " << memPage.
region_end <<
"\n";
+
+
+
+
+
+
+
320 std::cerr <<
"WARNING: Alloc Base mismatch: " << std::hex << memPage.
alloc_base <<
" vs " << this->memRegion.alloc_base << std::endl;
+
+
+
+
+
+
326 std::cerr <<
"WARNING: Size mismatch: " << std::hex << (memPage.
region_end - memPage.
region_start) <<
" vs " << this->memRegion.size << std::endl;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
346 if (!isScannedAsModule(memPage)) {
+
+
+
+
+
+
+
+
+
+
356 std::cout << std::hex << memPage.
start_va <<
": Scanning executable area" << std::endl;
+
+
+
+
+
+
+
+
+
+
+
@@ -500,18 +503,18 @@
std::vector< sig_finder::Match > custom_matched
size_t generateTags(const std::string &reportPath)
-
WorkingSetScanReport * scanExecutableArea(MemPageData &memPageData)
-
bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode)
+
WorkingSetScanReport * scanExecutableArea(MemPageData &memPageData)
+
bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode)
bool checkAreaContent(IN MemPageData &_memPage, OUT WorkingSetScanReport *my_report)
-
bool isScannedAsModule(MemPageData &memPageData)
-
bool scanImg(MemPageData &memPage)
-
bool isExecutable(MemPageData &memPageData)
-
virtual WorkingSetScanReport * scanRemote()
+
bool isScannedAsModule(MemPageData &memPageData)
+
bool scanImg(MemPageData &memPage)
+
bool isExecutable(MemPageData &memPageData)
+
virtual WorkingSetScanReport * scanRemote()
-
size_t find_all_patterns(BYTE *loadedData, size_t loadedSize, std::vector< sig_finder::Match > &allMatches)
-
size_t filter_custom(std::vector< sig_finder::Match > &allMatches, std::vector< sig_finder::Match > &customPatternMatches)
+
size_t find_all_patterns(BYTE *loadedData, size_t loadedSize, std::vector< sig_finder::Match > &allMatches)
+
size_t filter_custom(std::vector< sig_finder::Match > &allMatches, std::vector< sig_finder::Match > &customPatternMatches)
size_t fillCodeStrings(OUT std::set< std::string > &codeStrings)
diff --git a/workingset__scanner_8h_source.html b/workingset__scanner_8h_source.html
index ec78736f3..d3e847778 100644
--- a/workingset__scanner_8h_source.html
+++ b/workingset__scanner_8h_source.html
@@ -293,17 +293,17 @@
A scanner for detection of code implants in the process workingset.
virtual ~WorkingSetScanner()
-
WorkingSetScanReport * scanExecutableArea(MemPageData &memPageData)
-
bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode)
+
WorkingSetScanReport * scanExecutableArea(MemPageData &memPageData)
+
bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode)
ProcessScanReport & processReport
const process_details pDetails
bool checkAreaContent(IN MemPageData &_memPage, OUT WorkingSetScanReport *my_report)
-
bool isScannedAsModule(MemPageData &memPageData)
+
bool isScannedAsModule(MemPageData &memPageData)
WorkingSetScanner(HANDLE _procHndl, process_details _proc_details, const util::mem_region_info _mem_region, pesieve::t_params _args, ProcessScanReport &_process_report)
const util::mem_region_info memRegion
-
bool scanImg(MemPageData &memPage)
-
bool isExecutable(MemPageData &memPageData)
-
virtual WorkingSetScanReport * scanRemote()
+
bool scanImg(MemPageData &memPage)
+
bool isExecutable(MemPageData &memPageData)
+
virtual WorkingSetScanReport * scanRemote()