PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Protected Member Functions | Static Protected Member Functions | Protected Attributes | List of all members
pesieve::ThreadScanner Class Reference

#include <thread_scanner.h>

Inheritance diagram for pesieve::ThreadScanner:
Inheritance graph
[legend]

Public Member Functions

 ThreadScanner (HANDLE hProc, bool _isReflection, bool _isManaged, const util::thread_info &_info, ModulesInfo &_modulesInfo, peconv::ExportsMapper *_exportsMap, ProcessSymbolsManager *_symbols)
virtual ThreadScanReportscanRemote ()
Public Member Functions inherited from pesieve::ProcessFeatureScanner
 ProcessFeatureScanner (HANDLE _processHandle)
virtual ~ProcessFeatureScanner ()

Protected Member Functions

void initReport (ThreadScanReport &my_report)
void reportResolvedCallstack (ThreadScanReport &my_report)
bool scanRemoteThreadCtx (HANDLE hThread, ThreadScanReport &my_report)
bool fetchThreadCtxDetails (IN HANDLE hProcess, IN HANDLE hThread, OUT ThreadScanReport &my_report)
bool isAddrInNamedModule (ULONGLONG addr)
void printThreadInfo (const util::thread_info &threadi)
std::string resolveLowLevelFuncName (IN const ULONGLONG addr, OUT OPTIONAL size_t *disp=nullptr)
std::string resolveAddrToString (IN ULONGLONG addr)
bool printResolvedAddr (const ULONGLONG addr)
size_t fillCallStackInfo (IN HANDLE hThread, const IN LPVOID ctx, IN OUT ctx_details &cDetails)
bool fetchNativeThreadCtxDetails (IN HANDLE hProcess, IN HANDLE hThread, IN OUT ctx_details &cDetails)
size_t analyzeCallStackInfo (IN OUT ThreadScanReport &my_report)
size_t _analyzeCallStack (IN OUT ctx_details &cDetails, OUT IN std::set< ULONGLONG > &shcCandidates)
bool checkReturnAddrIntegrity (IN const std::vector< ULONGLONG > &callStack, IN OUT ThreadScanReport &my_report)
bool fillAreaStats (SuspAddrReport *my_report)
bool reportSuspiciousAddr (ThreadScanReport *my_report, ULONGLONG susp_addr)
bool filterDotNet (ThreadScanReport &my_report)
bool assessIndicators (ThreadScanReport &my_report)

Static Protected Member Functions

static std::string choosePreferredFunctionName (const std::string &dbgSymbol, const std::string &manualSymbol)

Protected Attributes

bool isReflection
bool isManaged
const util::thread_infoinfo
ModulesInfomodulesInfo
peconv::ExportsMapper * exportsMap
ProcessSymbolsManagersymbols
Protected Attributes inherited from pesieve::ProcessFeatureScanner
HANDLE processHandle

Detailed Description

A scanner for threads Stack-scan inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons

Definition at line 402 of file thread_scanner.h.

Constructor & Destructor Documentation

◆ ThreadScanner()

pesieve::ThreadScanner::ThreadScanner ( HANDLE hProc,
bool _isReflection,
bool _isManaged,
const util::thread_info & _info,
ModulesInfo & _modulesInfo,
peconv::ExportsMapper * _exportsMap,
ProcessSymbolsManager * _symbols )
inline

Definition at line 404 of file thread_scanner.h.

Here is the call graph for this function:

Member Function Documentation

◆ _analyzeCallStack()

size_t pesieve::ThreadScanner::_analyzeCallStack ( IN OUT ctx_details & cDetails,
OUT IN std::set< ULONGLONG > & shcCandidates )
protected

Definition at line 255 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ analyzeCallStackInfo()

size_t pesieve::ThreadScanner::analyzeCallStackInfo ( IN OUT ThreadScanReport & my_report)
protected

Definition at line 311 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ assessIndicators()

bool pesieve::ThreadScanner::assessIndicators ( ThreadScanReport & my_report)
protected

Definition at line 778 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ checkReturnAddrIntegrity()

bool ThreadScanner::checkReturnAddrIntegrity ( IN const std::vector< ULONGLONG > & callStack,
IN OUT ThreadScanReport & my_report )
protected

Definition at line 113 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ choosePreferredFunctionName()

std::string pesieve::ThreadScanner::choosePreferredFunctionName ( const std::string & dbgSymbol,
const std::string & manualSymbol )
staticprotected

Definition at line 94 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fetchNativeThreadCtxDetails()

bool pesieve::ThreadScanner::fetchNativeThreadCtxDetails ( IN HANDLE hProcess,
IN HANDLE hThread,
IN OUT ctx_details & cDetails )
protected

Definition at line 400 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fetchThreadCtxDetails()

bool pesieve::ThreadScanner::fetchThreadCtxDetails ( IN HANDLE hProcess,
IN HANDLE hThread,
OUT ThreadScanReport & my_report )
protected

Definition at line 433 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fillAreaStats()

bool pesieve::ThreadScanner::fillAreaStats ( SuspAddrReport * my_report)
protected

Definition at line 601 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fillCallStackInfo()

size_t pesieve::ThreadScanner::fillCallStackInfo ( IN HANDLE hThread,
const IN LPVOID ctx,
IN OUT ctx_details & cDetails )
protected

Definition at line 370 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ filterDotNet()

bool pesieve::ThreadScanner::filterDotNet ( ThreadScanReport & my_report)
protected

Definition at line 729 of file thread_scanner.cpp.

◆ initReport()

void pesieve::ThreadScanner::initReport ( ThreadScanReport & my_report)
protected

Definition at line 837 of file thread_scanner.cpp.

◆ isAddrInNamedModule()

bool pesieve::ThreadScanner::isAddrInNamedModule ( ULONGLONG addr)
protected

Definition at line 465 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ printResolvedAddr()

bool pesieve::ThreadScanner::printResolvedAddr ( const ULONGLONG addr)
protected

Definition at line 566 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ printThreadInfo()

void pesieve::ThreadScanner::printThreadInfo ( const util::thread_info & threadi)
protected

Definition at line 580 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ reportResolvedCallstack()

void pesieve::ThreadScanner::reportResolvedCallstack ( ThreadScanReport & my_report)
protected

Definition at line 850 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ reportSuspiciousAddr()

bool pesieve::ThreadScanner::reportSuspiciousAddr ( ThreadScanReport * my_report,
ULONGLONG susp_addr )
protected

Definition at line 615 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ resolveAddrToString()

std::string pesieve::ThreadScanner::resolveAddrToString ( IN ULONGLONG addr)
protected

Definition at line 526 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ resolveLowLevelFuncName()

std::string pesieve::ThreadScanner::resolveLowLevelFuncName ( IN const ULONGLONG addr,
OUT OPTIONAL size_t * disp = nullptr )
protected

Definition at line 477 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ scanRemote()

ThreadScanReport * pesieve::ThreadScanner::scanRemote ( )
virtual

Perform the scan on the remote process

Returns
a pointer to an object of the class inherited from ModuleScanReport

Implements pesieve::ProcessFeatureScanner.

Definition at line 862 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ scanRemoteThreadCtx()

bool pesieve::ThreadScanner::scanRemoteThreadCtx ( HANDLE hThread,
ThreadScanReport & my_report )
protected

Definition at line 665 of file thread_scanner.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ exportsMap

peconv::ExportsMapper* pesieve::ThreadScanner::exportsMap
protected

Definition at line 446 of file thread_scanner.h.

◆ info

const util::thread_info& pesieve::ThreadScanner::info
protected

Definition at line 444 of file thread_scanner.h.

◆ isManaged

bool pesieve::ThreadScanner::isManaged
protected

Definition at line 443 of file thread_scanner.h.

◆ isReflection

bool pesieve::ThreadScanner::isReflection
protected

Definition at line 442 of file thread_scanner.h.

◆ modulesInfo

ModulesInfo& pesieve::ThreadScanner::modulesInfo
protected

Definition at line 445 of file thread_scanner.h.

◆ symbols

ProcessSymbolsManager* pesieve::ThreadScanner::symbols
protected

Definition at line 447 of file thread_scanner.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.17.0