PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
artefact_scanner.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <psapi.h>
5#include <map>
6
7#include <peconv.h>
8#include "module_scan_report.h"
9#include "workingset_scanner.h"
10#include "../utils/process_util.h"
11#include "process_details.h"
12
13#define INVALID_OFFSET (-1)
14#define PE_NOT_FOUND 0
15
16namespace pesieve {
17
18 bool is_valid_file_hdr(BYTE *loadedData, size_t loadedSize, BYTE *hdr_ptr, DWORD charact);
19 bool is_valid_section(BYTE *loadedData, size_t loadedSize, BYTE *hdr_ptr, DWORD charact);
20
22 class PeArtefacts {
23 public:
24 static const size_t JSON_LEVEL = 1;
25
37
38 bool hasNtHdrs()
39 {
40 return (ntFileHdrsOffset != INVALID_OFFSET);
41 }
42
43 bool hasSectionHdrs()
44 {
45 return (secHdrsOffset != INVALID_OFFSET);
46 }
47
48 ULONGLONG peImageBase()
49 {
50 if (peBaseOffset == INVALID_OFFSET) {
51 return INVALID_OFFSET;
52 }
53 return this->peBaseOffset + this->regionStart;
54 }
55
56 ULONGLONG dropPeBase(const ULONGLONG offset_with_pe_base) const
57 {
58 if (peBaseOffset == INVALID_OFFSET || offset_with_pe_base == INVALID_OFFSET) {
59 return INVALID_OFFSET;
60 }
61 if (offset_with_pe_base < peBaseOffset) {
62 return INVALID_OFFSET;
63 }
64 return offset_with_pe_base - peBaseOffset;
65 }
66
67 const virtual bool fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
68 {
69 OUT_PADDED(outs, level, "\"pe_base_offset\" : ");
70 outs << "\"" << std::hex << peBaseOffset << "\"";
71 if (hasNtHdrs()) {
72 outs << ",\n";
73 OUT_PADDED(outs, level, "\"nt_file_hdr\" : ");
74 outs << "\"" << std::hex << ntFileHdrsOffset << "\"";
75 }
76 outs << ",\n";
77 OUT_PADDED(outs, level, "\"sections_hdrs\" : ");
78 outs << "\"" << std::hex << secHdrsOffset << "\"";
79 outs << ",\n";
80 OUT_PADDED(outs, level, "\"sections_count\" : ");
81 outs << std::dec << secCount;
82 outs << ",\n";
83#ifdef _DEBUG
84 OUT_PADDED(outs, level, "\"calculated_image_size\" : ");
85 outs << std::hex << this->calculatedImgSize;
86 outs << ",\n";
87#endif
88 OUT_PADDED(outs, level, "\"is_dll\" : ");
89 outs << std::dec << isDll;
90 outs << ",\n";
91 OUT_PADDED(outs, level, "\"is_64_bit\" : ");
92 outs << std::dec << this->is64bit;
93 return true;
94 }
95
96 const virtual bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
97 {
98 OUT_PADDED(outs, level, "\"pe_artefacts\" : {\n");
99 fieldsToJSON(outs, level + 1, jdetails);
100 outs << "\n";
101 OUT_PADDED(outs, level, "}");
102 return true;
103 }
104
105 LONGLONG regionStart;
106 size_t peBaseOffset; //offset from the regionStart (PE may not start at the first page of the region)
107 size_t ntFileHdrsOffset; //offset from the regionStart
108 size_t secHdrsOffset; //offset from the regionStart
109 size_t secCount;
110 size_t calculatedImgSize;
111 bool isMzPeFound;
112 bool isDll;
113 bool is64bit;
114 };
115
117 class ArtefactScanReport : public WorkingSetScanReport
118 {
119 public:
120 ArtefactScanReport(HMODULE _module, size_t _moduleSize, t_scan_status status, PeArtefacts &peArt)
121 : WorkingSetScanReport(_module, _moduleSize, status),
122 artefacts(peArt),
123 initialRegionSize(_moduleSize)
124 {
125 is_executable = true;
126 protection = 0;
127 has_pe = true;
128 has_shellcode = false;
129
130 size_t total_region_size = peArt.calculatedImgSize + peArt.peBaseOffset;
131 if (total_region_size > this->moduleSize) {
132 this->moduleSize = total_region_size;
133 }
134 }
135
136 const virtual void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
137 {
138 WorkingSetScanReport::fieldsToJSON(outs, level, jdetails);
139 outs << ",\n";
140 artefacts.toJSON(outs, level, jdetails);
141 }
142
143 const virtual bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
144 {
145 OUT_PADDED(outs, level, "\"workingset_scan\" : {\n");
146 fieldsToJSON(outs, level + 1, jdetails);
147 outs << "\n";
148 OUT_PADDED(outs, level, "}");
149 return true;
150 }
151
152 PeArtefacts artefacts;
153 size_t initialRegionSize;
154 };
155
157 class ArtefactScanner : public ProcessFeatureScanner {
158 public:
159
160 static size_t calcImgSize(HANDLE processHandle, HMODULE modBaseAddr, BYTE* headerBuffer, size_t headerBufferSize, IMAGE_SECTION_HEADER *hdr_ptr = NULL);
161
162 ArtefactScanner(HANDLE _procHndl, const process_details _proc_details, MemPageData &_memPageData, ProcessScanReport& _process_report)
163 : ProcessFeatureScanner(_procHndl), pDetails(_proc_details),
164 processReport(_process_report), isProcess64bit(false),
165 memPage(_memPageData), prevMemPage(nullptr), artPagePtr(nullptr)
166 {
167 isProcess64bit = pesieve::util::is_process_64bit(this->processHandle);
168 }
169
170 virtual ~ArtefactScanner()
171 {
172 deletePrevPage();
173 }
174
175 virtual ArtefactScanReport* scanRemote();
176
177 protected:
178 class ArtefactsMapping
179 {
180 public:
181 ArtefactsMapping(MemPageData &_memPage, bool _is64bit) :
182 memPage(_memPage)
183 {
184 pe_image_base = PE_NOT_FOUND;
185 dos_hdr = nullptr;
186 nt_file_hdr = nullptr;
187 sec_hdr = nullptr;
188 isMzPeFound = false;
189 sec_count = 0;
190 is64bit = _is64bit;
191 }
192
193 bool foundAny()
194 {
195 if (sec_hdr || nt_file_hdr) {
196 return true;
197 }
198 return false;
199 }
200
201 size_t getScore() const
202 {
203 size_t score = 0;
204 if (sec_hdr) {
205 score++;
206 if (sec_count > 1) score += 2;
207 }
208 if (nt_file_hdr) score += 2;
209 if (dos_hdr) score++;
210 return score;
211 }
212
213 bool operator < (const ArtefactsMapping& map2) const {
214 return getScore() < map2.getScore();
215 }
216
217 ArtefactsMapping& operator = (const ArtefactsMapping& other) {
218 this->pe_image_base = other.pe_image_base;
219 this->dos_hdr = other.dos_hdr;
220 this->nt_file_hdr = other.nt_file_hdr;
221 this->sec_hdr = other.sec_hdr;
222 this->sec_count = other.sec_count;
223 this->isMzPeFound = other.isMzPeFound;
224 this->is64bit = other.is64bit;
225 return *this;
226 }
227
228 MemPageData &memPage;
229 ULONGLONG pe_image_base;
230 IMAGE_DOS_HEADER *dos_hdr;
231 IMAGE_FILE_HEADER* nt_file_hdr;
232 IMAGE_SECTION_HEADER* sec_hdr;
233 size_t sec_count;
234 bool isMzPeFound;
235 bool is64bit;
236 };
237
238 void deletePrevPage()
239 {
240 delete this->prevMemPage;
241 this->prevMemPage = nullptr;
242 this->artPagePtr = nullptr;
243 }
244
245 bool hasShellcode(HMODULE region_start, size_t region_size, PeArtefacts &peArt);
246
247 bool findMzPe(ArtefactsMapping &mapping, const size_t search_offset);
248 bool setMzPe(ArtefactsMapping &mapping, IMAGE_DOS_HEADER* _dos_hdr);
249 bool setSecHdr(ArtefactsMapping &mapping, IMAGE_SECTION_HEADER* _sec_hdr);
250 bool setNtFileHdr(ArtefactScanner::ArtefactsMapping &aMap, IMAGE_FILE_HEADER* _nt_hdr);
251 PeArtefacts *generateArtefacts(ArtefactsMapping &aMap);
252
253 PeArtefacts* findArtefacts(MemPageData &memPage, size_t start_offset);
254 PeArtefacts* findInPrevPages(ULONGLONG addr_start, ULONGLONG addr_stop);
255
256 ULONGLONG _findMZoffset(MemPageData &memPage, LPVOID hdr_ptr);
257 ULONGLONG calcPeBase(MemPageData &memPage, LPVOID hdr_ptr);
258 size_t calcImageSize(MemPageData &memPage, IMAGE_SECTION_HEADER *hdr_ptr, ULONGLONG pe_image_base);
259
260 IMAGE_FILE_HEADER* findNtFileHdr(MemPageData &memPage, const size_t start_offset, size_t stop_offset = INVALID_OFFSET);
261
262 bool _validateSecRegions(MemPageData &memPage, LPVOID sec_hdr, size_t sec_count, ULONGLONG pe_image_base, bool is_virtual);
263 bool _validateSecRegions(MemPageData &memPage, LPVOID sec_hdr, size_t sec_count);
264 BYTE* _findSecByPatterns(BYTE *search_ptr, const size_t max_search_size);
265 IMAGE_SECTION_HEADER* findSecByPatterns(MemPageData &memPageData, const size_t max_search_size, const size_t search_offset);
266
267 IMAGE_DOS_HEADER* findMzPeHeader(MemPageData &memPage, const size_t search_offset);
268 IMAGE_DOS_HEADER* _findDosHdrByPatterns(BYTE *search_ptr, const size_t max_search_size);
269 IMAGE_DOS_HEADER* findDosHdrByPatterns(MemPageData &memPage, const size_t start_offset, size_t stop_offset = INVALID_OFFSET);
270
271 MemPageData &memPage;
272 MemPageData *prevMemPage;
273 MemPageData *artPagePtr; //pointer to the page where the artefacts were found: either to memPage or to prevMemPage
274 bool isProcess64bit;
275 const process_details pDetails;
276 ProcessScanReport& processReport;
277 };
278
279}; //namespace pe-sieve
INVALID_OFFSET
#define INVALID_OFFSET
Definition artefact_scanner.h:13
PE_NOT_FOUND
#define PE_NOT_FOUND
Definition artefact_scanner.h:14
pesieve::ArtefactScanReport
A report from the artefacts scan, generated by ArtefactScanner.
Definition artefact_scanner.h:118
pesieve::ArtefactScanReport::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition artefact_scanner.h:136
pesieve::ArtefactScanReport::ArtefactScanReport
ArtefactScanReport(HMODULE _module, size_t _moduleSize, t_scan_status status, PeArtefacts &peArt)
Definition artefact_scanner.h:120
pesieve::ArtefactScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition artefact_scanner.h:143
pesieve::ArtefactScanner::ArtefactsMapping::operator<
bool operator<(const ArtefactsMapping &map2) const
Definition artefact_scanner.h:213
pesieve::ArtefactScanner::ArtefactsMapping::operator=
ArtefactsMapping & operator=(const ArtefactsMapping &other)
Definition artefact_scanner.h:217
pesieve::ArtefactScanner::ArtefactsMapping::ArtefactsMapping
ArtefactsMapping(MemPageData &_memPage, bool _is64bit)
Definition artefact_scanner.h:181
pesieve::ArtefactScanner
A scanner for detection of artefacts related to PE implants in the process workingset.
Definition artefact_scanner.h:157
pesieve::ArtefactScanner::processReport
ProcessScanReport & processReport
Definition artefact_scanner.h:276
pesieve::ArtefactScanner::scanRemote
virtual ArtefactScanReport * scanRemote()
Definition artefact_scanner.cpp:876
pesieve::ArtefactScanner::hasShellcode
bool hasShellcode(HMODULE region_start, size_t region_size, PeArtefacts &peArt)
Definition artefact_scanner.cpp:862
pesieve::ArtefactScanner::calcImageSize
size_t calcImageSize(MemPageData &memPage, IMAGE_SECTION_HEADER *hdr_ptr, ULONGLONG pe_image_base)
Definition artefact_scanner.cpp:229
pesieve::ArtefactScanner::_findMZoffset
ULONGLONG _findMZoffset(MemPageData &memPage, LPVOID hdr_ptr)
Definition artefact_scanner.cpp:125
pesieve::ArtefactScanner::ArtefactScanner
ArtefactScanner(HANDLE _procHndl, const process_details _proc_details, MemPageData &_memPageData, ProcessScanReport &_process_report)
Definition artefact_scanner.h:162
pesieve::ArtefactScanner::findMzPe
bool findMzPe(ArtefactsMapping &mapping, const size_t search_offset)
Definition artefact_scanner.cpp:593
pesieve::ArtefactScanner::findSecByPatterns
IMAGE_SECTION_HEADER * findSecByPatterns(MemPageData &memPageData, const size_t max_search_size, const size_t search_offset)
Definition artefact_scanner.cpp:428
pesieve::ArtefactScanner::calcPeBase
ULONGLONG calcPeBase(MemPageData &memPage, LPVOID hdr_ptr)
Definition artefact_scanner.cpp:150
pesieve::ArtefactScanner::pDetails
const process_details pDetails
Definition artefact_scanner.h:275
pesieve::ArtefactScanner::setMzPe
bool setMzPe(ArtefactsMapping &mapping, IMAGE_DOS_HEADER *_dos_hdr)
Definition artefact_scanner.cpp:608
pesieve::ArtefactScanner::setNtFileHdr
bool setNtFileHdr(ArtefactScanner::ArtefactsMapping &aMap, IMAGE_FILE_HEADER *_nt_hdr)
Definition artefact_scanner.cpp:663
pesieve::ArtefactScanner::_findDosHdrByPatterns
IMAGE_DOS_HEADER * _findDosHdrByPatterns(BYTE *search_ptr, const size_t max_search_size)
Definition artefact_scanner.cpp:254
pesieve::ArtefactScanner::setSecHdr
bool setSecHdr(ArtefactsMapping &mapping, IMAGE_SECTION_HEADER *_sec_hdr)
Definition artefact_scanner.cpp:626
pesieve::ArtefactScanner::_validateSecRegions
bool _validateSecRegions(MemPageData &memPage, LPVOID sec_hdr, size_t sec_count, ULONGLONG pe_image_base, bool is_virtual)
Definition artefact_scanner.cpp:298
pesieve::ArtefactScanner::findNtFileHdr
IMAGE_FILE_HEADER * findNtFileHdr(MemPageData &memPage, const size_t start_offset, size_t stop_offset=INVALID_OFFSET)
Definition artefact_scanner.cpp:497
pesieve::ArtefactScanner::findArtefacts
PeArtefacts * findArtefacts(MemPageData &memPage, size_t start_offset)
Definition artefact_scanner.cpp:734
pesieve::ArtefactScanner::findDosHdrByPatterns
IMAGE_DOS_HEADER * findDosHdrByPatterns(MemPageData &memPage, const size_t start_offset, size_t stop_offset=INVALID_OFFSET)
Definition artefact_scanner.cpp:234
pesieve::ArtefactScanner::calcImgSize
static size_t calcImgSize(HANDLE processHandle, HMODULE modBaseAddr, BYTE *headerBuffer, size_t headerBufferSize, IMAGE_SECTION_HEADER *hdr_ptr=NULL)
Definition artefact_scanner.cpp:176
pesieve::ArtefactScanner::findInPrevPages
PeArtefacts * findInPrevPages(ULONGLONG addr_start, ULONGLONG addr_stop)
Definition artefact_scanner.cpp:836
pesieve::ArtefactScanner::generateArtefacts
PeArtefacts * generateArtefacts(ArtefactsMapping &aMap)
Definition artefact_scanner.cpp:690
pesieve::ArtefactScanner::findMzPeHeader
IMAGE_DOS_HEADER * findMzPeHeader(MemPageData &memPage, const size_t search_offset)
Definition artefact_scanner.cpp:560
pesieve::ArtefactScanner::_findSecByPatterns
BYTE * _findSecByPatterns(BYTE *search_ptr, const size_t max_search_size)
Definition artefact_scanner.cpp:374
pesieve::MemPageData
Definition mempage_data.h:12
pesieve::PeArtefacts
A report about the PE artefact detected in the workingset.
Definition artefact_scanner.h:22
pesieve::PeArtefacts::fieldsToJSON
virtual const bool fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition artefact_scanner.h:67
pesieve::PeArtefacts::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition artefact_scanner.h:96
pesieve::PeArtefacts::dropPeBase
ULONGLONG dropPeBase(const ULONGLONG offset_with_pe_base) const
Definition artefact_scanner.h:56
pesieve::PeArtefacts::JSON_LEVEL
static const size_t JSON_LEVEL
Definition artefact_scanner.h:24
pesieve::ProcessFeatureScanner
A base class for all the scanners checking appropriate process' features.
Definition process_feature_scanner.h:12
pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19
pesieve::WorkingSetScanReport
A report from the working set scan, generated by WorkingSetScanner.
Definition workingset_scanner.h:29
pesieve::WorkingSetScanReport::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition workingset_scanner.h:53
pesieve.t_json_level
Definition pesieve.py:82
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
module_scan_report.h
pesieve::util::is_process_64bit
bool is_process_64bit(IN HANDLE process)
Definition process_util.cpp:47
pesieve::is_valid_file_hdr
bool is_valid_file_hdr(BYTE *loadedData, size_t loadedSize, BYTE *hdr_ptr, DWORD charact)
Definition artefact_scanner.cpp:454
pesieve::is_valid_section
bool is_valid_section(BYTE *loadedData, size_t loadedSize, BYTE *hdr_ptr, DWORD charact)
Definition artefact_scanner.cpp:102
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
process_details.h
process_util.h
pesieve::_process_details
Definition process_details.h:8
workingset_scanner.h
Generated by doxygen 1.12.0