pesieve::ThreadScanner Class Reference

#include <thread_scanner.h>

Inheritance diagram for pesieve::ThreadScanner:

Public Member Functions
	ThreadScanner (HANDLE hProc, bool _isReflection, bool _isManaged, const util::thread_info &_info, ModulesInfo &_modulesInfo, peconv::ExportsMapper *_exportsMap, ProcessSymbolsManager *_symbols)
virtual ThreadScanReport *	scanRemote ()
Public Member Functions inherited from pesieve::ProcessFeatureScanner
	ProcessFeatureScanner (HANDLE _processHandle)
virtual	~ProcessFeatureScanner ()

Protected Member Functions
void	initReport (ThreadScanReport &my_report)
void	reportResolvedCallstack (ThreadScanReport &my_report)
bool	scanRemoteThreadCtx (HANDLE hThread, ThreadScanReport &my_report)
bool	fetchThreadCtxDetails (IN HANDLE hProcess, IN HANDLE hThread, OUT ThreadScanReport &my_report)
bool	isAddrInNamedModule (ULONGLONG addr)
void	printThreadInfo (const util::thread_info &threadi)
std::string	resolveLowLevelFuncName (IN const ULONGLONG addr, OUT OPTIONAL size_t *disp=nullptr)
std::string	resolveAddrToString (IN ULONGLONG addr)
bool	printResolvedAddr (const ULONGLONG addr)
size_t	fillCallStackInfo (IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT ThreadScanReport &my_report)
size_t	analyzeCallStackInfo (IN OUT ThreadScanReport &my_report)
size_t	_analyzeCallStack (IN OUT ctx_details &cDetails, OUT IN std::set< ULONGLONG > &shcCandidates)
bool	checkReturnAddrIntegrity (IN const std::vector< ULONGLONG > &callStack, IN OUT ThreadScanReport &my_report)
bool	fillAreaStats (ThreadScanReport *my_report)
bool	reportSuspiciousAddr (ThreadScanReport *my_report, ULONGLONG susp_addr)
bool	filterDotNet (ThreadScanReport &my_report)

Static Protected Member Functions
static std::string	choosePreferredFunctionName (const std::string &dbgSymbol, const std::string &manualSymbol)

Protected Attributes
bool	isReflection
bool	isManaged
const util::thread_info &	info
ModulesInfo &	modulesInfo
peconv::ExportsMapper *	exportsMap
ProcessSymbolsManager *	symbols
Protected Attributes inherited from pesieve::ProcessFeatureScanner
HANDLE	processHandle

Detailed Description

A scanner for threads Stack-scan inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons

Definition at line 262 of file thread_scanner.h.

Constructor & Destructor Documentation

ThreadScanner()

pesieve::ThreadScanner::ThreadScanner ( HANDLE hProc, bool _isReflection, bool _isManaged, const util::thread_info & _info, ModulesInfo & _modulesInfo, peconv::ExportsMapper * _exportsMap, ProcessSymbolsManager * _symbols )

inline

Definition at line 264 of file thread_scanner.h.

Here is the call graph for this function:

Member Function Documentation

_analyzeCallStack()

size_t pesieve::ThreadScanner::_analyzeCallStack ( IN OUT ctx_details & cDetails, OUT IN std::set< ULONGLONG > & shcCandidates )

protected

Definition at line 306 of file thread_scanner.cpp.

Here is the call graph for this function:

analyzeCallStackInfo()

size_t pesieve::ThreadScanner::analyzeCallStackInfo ( IN OUT ThreadScanReport & my_report )

protected

Definition at line 361 of file thread_scanner.cpp.

Here is the call graph for this function:

checkReturnAddrIntegrity()

bool pesieve::ThreadScanner::checkReturnAddrIntegrity ( IN const std::vector< ULONGLONG > & callStack, IN OUT ThreadScanReport & my_report )

protected

Definition at line 179 of file thread_scanner.cpp.

Here is the call graph for this function:

choosePreferredFunctionName()

std::string pesieve::ThreadScanner::choosePreferredFunctionName ( const std::string & dbgSymbol, const std::string & manualSymbol )

staticprotected

Definition at line 160 of file thread_scanner.cpp.

Here is the call graph for this function:

fetchThreadCtxDetails()

bool pesieve::ThreadScanner::fetchThreadCtxDetails ( IN HANDLE hProcess, IN HANDLE hThread, OUT ThreadScanReport & my_report )

protected

Definition at line 428 of file thread_scanner.cpp.

Here is the call graph for this function:

fillAreaStats()

bool pesieve::ThreadScanner::fillAreaStats ( ThreadScanReport * my_report )

protected

Definition at line 603 of file thread_scanner.cpp.

Here is the call graph for this function:

fillCallStackInfo()

size_t pesieve::ThreadScanner::fillCallStackInfo ( IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT ThreadScanReport & my_report )

protected

Definition at line 382 of file thread_scanner.cpp.

Here is the call graph for this function:

filterDotNet()

bool pesieve::ThreadScanner::filterDotNet ( ThreadScanReport & my_report )

protected

Definition at line 750 of file thread_scanner.cpp.

initReport()

void pesieve::ThreadScanner::initReport ( ThreadScanReport & my_report )

protected

Definition at line 767 of file thread_scanner.cpp.

isAddrInNamedModule()

bool pesieve::ThreadScanner::isAddrInNamedModule ( ULONGLONG addr )

protected

Definition at line 467 of file thread_scanner.cpp.

Here is the call graph for this function:

printResolvedAddr()

bool pesieve::ThreadScanner::printResolvedAddr ( const ULONGLONG addr )

protected

Definition at line 568 of file thread_scanner.cpp.

Here is the call graph for this function:

printThreadInfo()

void pesieve::ThreadScanner::printThreadInfo ( const util::thread_info & threadi )

protected

Definition at line 582 of file thread_scanner.cpp.

Here is the call graph for this function:

reportResolvedCallstack()

void pesieve::ThreadScanner::reportResolvedCallstack ( ThreadScanReport & my_report )

protected

Definition at line 780 of file thread_scanner.cpp.

Here is the call graph for this function:

reportSuspiciousAddr()

bool pesieve::ThreadScanner::reportSuspiciousAddr ( ThreadScanReport * my_report, ULONGLONG susp_addr )

protected

Definition at line 617 of file thread_scanner.cpp.

Here is the call graph for this function:

resolveAddrToString()

std::string pesieve::ThreadScanner::resolveAddrToString ( IN ULONGLONG addr )

protected

Definition at line 528 of file thread_scanner.cpp.

Here is the call graph for this function:

resolveLowLevelFuncName()

std::string pesieve::ThreadScanner::resolveLowLevelFuncName ( IN const ULONGLONG addr, OUT OPTIONAL size_t * disp = nullptr )

protected

Definition at line 479 of file thread_scanner.cpp.

Here is the call graph for this function:

scanRemote()

ThreadScanReport * pesieve::ThreadScanner::scanRemote ( )

virtual

Perform the scan on the remote process

Returns

a pointer to an object of the class inherited from ModuleScanReport

Implements pesieve::ProcessFeatureScanner.

Definition at line 788 of file thread_scanner.cpp.

Here is the call graph for this function:

scanRemoteThreadCtx()

bool pesieve::ThreadScanner::scanRemoteThreadCtx ( HANDLE hThread, ThreadScanReport & my_report )

protected

Definition at line 660 of file thread_scanner.cpp.

Here is the call graph for this function:

Member Data Documentation

exportsMap

peconv::ExportsMapper* pesieve::ThreadScanner::exportsMap

protected

Definition at line 299 of file thread_scanner.h.

info

const util::thread_info& pesieve::ThreadScanner::info

protected

Definition at line 297 of file thread_scanner.h.

isManaged

bool pesieve::ThreadScanner::isManaged

protected

Definition at line 296 of file thread_scanner.h.

isReflection

bool pesieve::ThreadScanner::isReflection

protected

Definition at line 295 of file thread_scanner.h.

modulesInfo

ModulesInfo& pesieve::ThreadScanner::modulesInfo

protected

Definition at line 298 of file thread_scanner.h.

symbols

ProcessSymbolsManager* pesieve::ThreadScanner::symbols

protected

Definition at line 300 of file thread_scanner.h.

---

The documentation for this class was generated from the following files:

• scanners/thread_scanner.h
• scanners/thread_scanner.cpp