PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
artefacts_util.h
Go to the documentation of this file.
1#pragma once
2#include <windows.h>
3#include <sig_finder.h>
4#include <vector>
5#include "custom_mutex.h"
6#define PATTERN_NOT_FOUND (-1)
7
8namespace pesieve {
9 namespace util {
10 /*
11 Scans the buffer of given size, in a search of the supplied pattern (using simple memcmp)
12 If the number of iterations is not specified (0) it scans full space, otherwise it takes only max_iter number of steps.
13 Returns the pointer to the found pattern, or nullptr if not found.
14 */
15 BYTE* find_pattern(BYTE* buffer, size_t buf_size, BYTE* pattern_buf, size_t pattern_size, size_t max_iter = 0);
16
17 /*
18 Scans the buffer searching for the hardcoded 32-bit code patterns. If found, returns the match offset, otherwise returns CODE_PATTERN_NOT_FOUND
19 */
20 size_t is_32bit_code(const BYTE* loadedData, size_t loadedSize);
21
22 /*
23 Scans the buffer searching for the hardcoded 64-bit code patterns. If found, returns the match offset, otherwise returns CODE_PATTERN_NOT_FOUND
24 */
25 size_t is_64bit_code(const BYTE* loadedData, size_t loadedSize);
26
27 /*
28 Scans the buffer searching for any hardcoded code patterns (both 32 and 64 bit).
29 */
30 bool is_code(const BYTE* loadedData, size_t loadedSize);
31
32 bool is_executable(DWORD mapping_type, DWORD protection);
33
34 bool is_readable(DWORD mapping_type, DWORD protection);
35
36 bool is_normal_inaccessible(DWORD state, DWORD mapping_type, DWORD protection);
37 }; // namespace util
38
39
40 // matcher:
41 class PatternMatcher
42 {
43 public:
44 bool isReady();
45
46 size_t loadPatternFile(const char* filename);
47
48 bool initShellcodePatterns();
49
50 size_t findAllPatterns(BYTE* loadedData, size_t loadedSize, ::std::vector<sig_finder::Match>& allMatches);
51
52 size_t filterCustom(::std::vector<sig_finder::Match>& allMatches, ::std::vector<sig_finder::Match>& customPatternMatches);
53
54 protected:
55 bool _isReady() { return (mainMatcher.isEnd()) ? false : true; }
56 sig_finder::Node mainMatcher;
57 pesieve::util::Mutex mainMatcherMutex;
58 };
59
60
61}; //namespace pesieve
pesieve::PatternMatcher::mainMatcherMutex
pesieve::util::Mutex mainMatcherMutex
Definition artefacts_util.h:57
pesieve::PatternMatcher::mainMatcher
sig_finder::Node mainMatcher
Definition artefacts_util.h:56
pesieve::PatternMatcher::loadPatternFile
size_t loadPatternFile(const char *filename)
Definition artefacts_util.cpp:151
pesieve::PatternMatcher::findAllPatterns
size_t findAllPatterns(BYTE *loadedData, size_t loadedSize, ::std::vector< sig_finder::Match > &allMatches)
Definition artefacts_util.cpp:182
pesieve::PatternMatcher::filterCustom
size_t filterCustom(::std::vector< sig_finder::Match > &allMatches, ::std::vector< sig_finder::Match > &customPatternMatches)
Definition artefacts_util.cpp:195
custom_mutex.h
pesieve::util::is_code
bool is_code(const BYTE *loadedData, size_t loadedSize)
Definition artefacts_util.cpp:93
pesieve::util::is_64bit_code
size_t is_64bit_code(const BYTE *loadedData, size_t loadedSize)
Definition artefacts_util.cpp:84
pesieve::util::is_readable
bool is_readable(DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:118
pesieve::util::find_pattern
BYTE * find_pattern(BYTE *buffer, size_t buf_size, BYTE *pattern_buf, size_t pattern_size, size_t max_iter=0)
Definition artefacts_util.cpp:10
pesieve::util::is_normal_inaccessible
bool is_normal_inaccessible(DWORD state, DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:125
pesieve::util::is_executable
bool is_executable(DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:109
pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
pesieve::util::is_32bit_code
size_t is_32bit_code(const BYTE *loadedData, size_t loadedSize)
Definition artefacts_util.cpp:75
Generated by doxygen 1.17.0