PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Protected Member Functions | Static Protected Member Functions | Protected Attributes | List of all members
pesieve::ThreadScanner Class Reference

#include <thread_scanner.h>

Inheritance diagram for pesieve::ThreadScanner:
Inheritance graph
[legend]

Public Member Functions

 ThreadScanner (HANDLE hProc, bool _isReflection, bool _isManaged, const util::thread_info &_info, ModulesInfo &_modulesInfo, peconv::ExportsMapper *_exportsMap, ProcessSymbolsManager *_symbols)
 
virtual ThreadScanReportscanRemote ()
 
- Public Member Functions inherited from pesieve::ProcessFeatureScanner
 ProcessFeatureScanner (HANDLE _processHandle)
 
virtual ~ProcessFeatureScanner ()
 

Protected Member Functions

void initReport (ThreadScanReport &my_report)
 
void reportResolvedCallstack (ThreadScanReport &my_report)
 
bool scanRemoteThreadCtx (HANDLE hThread, ThreadScanReport &my_report)
 
bool fetchThreadCtxDetails (IN HANDLE hProcess, IN HANDLE hThread, OUT ThreadScanReport &my_report)
 
bool isAddrInNamedModule (ULONGLONG addr)
 
void printThreadInfo (const util::thread_info &threadi)
 
std::string resolveLowLevelFuncName (IN const ULONGLONG addr, OUT OPTIONAL size_t *disp=nullptr)
 
std::string resolveAddrToString (IN ULONGLONG addr)
 
bool printResolvedAddr (const ULONGLONG addr)
 
size_t fillCallStackInfo (IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT ThreadScanReport &my_report)
 
size_t analyzeCallStackInfo (IN OUT ThreadScanReport &my_report)
 
size_t _analyzeCallStack (IN OUT ctx_details &cDetails, OUT IN std::set< ULONGLONG > &shcCandidates)
 
bool checkReturnAddrIntegrity (IN const std::vector< ULONGLONG > &callStack, IN OUT ThreadScanReport &my_report)
 
bool fillAreaStats (ThreadScanReport *my_report)
 
bool reportSuspiciousAddr (ThreadScanReport *my_report, ULONGLONG susp_addr)
 
bool filterDotNet (ThreadScanReport &my_report)
 

Static Protected Member Functions

static std::string choosePreferredFunctionName (const std::string &dbgSymbol, const std::string &manualSymbol)
 

Protected Attributes

bool isReflection
 
bool isManaged
 
const util::thread_infoinfo
 
ModulesInfomodulesInfo
 
peconv::ExportsMapper * exportsMap
 
ProcessSymbolsManagersymbols
 
- Protected Attributes inherited from pesieve::ProcessFeatureScanner
HANDLE processHandle
 

Detailed Description

A scanner for threads Stack-scan inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons

Definition at line 262 of file thread_scanner.h.

Constructor & Destructor Documentation

◆ ThreadScanner()

pesieve::ThreadScanner::ThreadScanner ( HANDLE hProc,
bool _isReflection,
bool _isManaged,
const util::thread_info & _info,
ModulesInfo & _modulesInfo,
peconv::ExportsMapper * _exportsMap,
ProcessSymbolsManager * _symbols )
inline

Definition at line 264 of file thread_scanner.h.

Here is the call graph for this function:

Member Function Documentation

◆ _analyzeCallStack()

size_t pesieve::ThreadScanner::_analyzeCallStack ( IN OUT ctx_details & cDetails,
OUT IN std::set< ULONGLONG > & shcCandidates )
protected

Definition at line 306 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ analyzeCallStackInfo()

size_t pesieve::ThreadScanner::analyzeCallStackInfo ( IN OUT ThreadScanReport & my_report)
protected

Definition at line 361 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ checkReturnAddrIntegrity()

bool pesieve::ThreadScanner::checkReturnAddrIntegrity ( IN const std::vector< ULONGLONG > & callStack,
IN OUT ThreadScanReport & my_report )
protected

Definition at line 179 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ choosePreferredFunctionName()

std::string pesieve::ThreadScanner::choosePreferredFunctionName ( const std::string & dbgSymbol,
const std::string & manualSymbol )
staticprotected

Definition at line 160 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fetchThreadCtxDetails()

bool pesieve::ThreadScanner::fetchThreadCtxDetails ( IN HANDLE hProcess,
IN HANDLE hThread,
OUT ThreadScanReport & my_report )
protected

Definition at line 428 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fillAreaStats()

bool pesieve::ThreadScanner::fillAreaStats ( ThreadScanReport * my_report)
protected

Definition at line 603 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fillCallStackInfo()

size_t pesieve::ThreadScanner::fillCallStackInfo ( IN HANDLE hProcess,
IN HANDLE hThread,
IN LPVOID ctx,
IN OUT ThreadScanReport & my_report )
protected

Definition at line 382 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ filterDotNet()

bool pesieve::ThreadScanner::filterDotNet ( ThreadScanReport & my_report)
protected

Definition at line 750 of file thread_scanner.cpp.

◆ initReport()

void pesieve::ThreadScanner::initReport ( ThreadScanReport & my_report)
protected

Definition at line 767 of file thread_scanner.cpp.

◆ isAddrInNamedModule()

bool pesieve::ThreadScanner::isAddrInNamedModule ( ULONGLONG addr)
protected

Definition at line 467 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ printResolvedAddr()

bool pesieve::ThreadScanner::printResolvedAddr ( const ULONGLONG addr)
protected

Definition at line 568 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ printThreadInfo()

void pesieve::ThreadScanner::printThreadInfo ( const util::thread_info & threadi)
protected

Definition at line 582 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ reportResolvedCallstack()

void pesieve::ThreadScanner::reportResolvedCallstack ( ThreadScanReport & my_report)
protected

Definition at line 780 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ reportSuspiciousAddr()

bool pesieve::ThreadScanner::reportSuspiciousAddr ( ThreadScanReport * my_report,
ULONGLONG susp_addr )
protected

Definition at line 617 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ resolveAddrToString()

std::string pesieve::ThreadScanner::resolveAddrToString ( IN ULONGLONG addr)
protected

Definition at line 528 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ resolveLowLevelFuncName()

std::string pesieve::ThreadScanner::resolveLowLevelFuncName ( IN const ULONGLONG addr,
OUT OPTIONAL size_t * disp = nullptr )
protected

Definition at line 479 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ scanRemote()

ThreadScanReport * pesieve::ThreadScanner::scanRemote ( )
virtual

Perform the scan on the remote process

Returns
a pointer to an object of the class inherited from ModuleScanReport

Implements pesieve::ProcessFeatureScanner.

Definition at line 788 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ scanRemoteThreadCtx()

bool pesieve::ThreadScanner::scanRemoteThreadCtx ( HANDLE hThread,
ThreadScanReport & my_report )
protected

Definition at line 660 of file thread_scanner.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ exportsMap

peconv::ExportsMapper* pesieve::ThreadScanner::exportsMap
protected

Definition at line 299 of file thread_scanner.h.

◆ info

const util::thread_info& pesieve::ThreadScanner::info
protected

Definition at line 297 of file thread_scanner.h.

◆ isManaged

bool pesieve::ThreadScanner::isManaged
protected

Definition at line 296 of file thread_scanner.h.

◆ isReflection

bool pesieve::ThreadScanner::isReflection
protected

Definition at line 295 of file thread_scanner.h.

◆ modulesInfo

ModulesInfo& pesieve::ThreadScanner::modulesInfo
protected

Definition at line 298 of file thread_scanner.h.

◆ symbols

ProcessSymbolsManager* pesieve::ThreadScanner::symbols
protected

Definition at line 300 of file thread_scanner.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.13.2