PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
pesieve::ThreadScanner Class Reference

#include <thread_scanner.h>

Inheritance diagram for pesieve::ThreadScanner:
Inheritance graph
[legend]

Public Member Functions

 ThreadScanner (HANDLE hProc, bool _isReflection, const util::thread_info &_info, ModulesInfo &_modulesInfo, peconv::ExportsMapper *_exportsMap, ProcessSymbolsManager *_symbols)
 
virtual ThreadScanReportscanRemote ()
 
- Public Member Functions inherited from pesieve::ProcessFeatureScanner
 ProcessFeatureScanner (HANDLE _processHandle)
 
virtual ~ProcessFeatureScanner ()
 

Protected Member Functions

bool scanRemoteThreadCtx (HANDLE hThread, ThreadScanReport *my_report)
 
bool isAddrInShellcode (ULONGLONG addr)
 
void printThreadInfo (const util::thread_info &threadi)
 
bool printResolvedAddr (ULONGLONG addr)
 
bool fetchThreadCtxDetails (IN HANDLE hProcess, IN HANDLE hThread, OUT ctx_details &c)
 
size_t fillCallStackInfo (IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT ctx_details &cDetails)
 
size_t analyzeCallStack (IN const std::vector< ULONGLONG > &stack_frame, IN OUT ctx_details &cDetails)
 
bool checkReturnAddrIntegrity (IN const std::vector< ULONGLONG > &callStack)
 
bool fillAreaStats (ThreadScanReport *my_report)
 
bool reportSuspiciousAddr (ThreadScanReport *my_report, ULONGLONG susp_addr)
 

Protected Attributes

bool isReflection
 
const util::thread_infoinfo
 
ModulesInfomodulesInfo
 
peconv::ExportsMapper * exportsMap
 
ProcessSymbolsManagersymbols
 
- Protected Attributes inherited from pesieve::ProcessFeatureScanner
HANDLE processHandle
 

Detailed Description

A scanner for threads Stack-scan inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons

Definition at line 130 of file thread_scanner.h.

Constructor & Destructor Documentation

◆ ThreadScanner()

pesieve::ThreadScanner::ThreadScanner ( HANDLE hProc,
bool _isReflection,
const util::thread_info & _info,
ModulesInfo & _modulesInfo,
peconv::ExportsMapper * _exportsMap,
ProcessSymbolsManager * _symbols )
inline

Definition at line 132 of file thread_scanner.h.

Member Function Documentation

◆ analyzeCallStack()

size_t pesieve::ThreadScanner::analyzeCallStack ( IN const std::vector< ULONGLONG > & stack_frame,
IN OUT ctx_details & cDetails )
protected

Definition at line 222 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ checkReturnAddrIntegrity()

bool pesieve::ThreadScanner::checkReturnAddrIntegrity ( IN const std::vector< ULONGLONG > & callStack)
protected

Definition at line 173 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fetchThreadCtxDetails()

bool pesieve::ThreadScanner::fetchThreadCtxDetails ( IN HANDLE hProcess,
IN HANDLE hThread,
OUT ctx_details & c )
protected

Definition at line 328 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fillAreaStats()

bool pesieve::ThreadScanner::fillAreaStats ( ThreadScanReport * my_report)
protected

Definition at line 430 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ fillCallStackInfo()

size_t pesieve::ThreadScanner::fillCallStackInfo ( IN HANDLE hProcess,
IN HANDLE hThread,
IN LPVOID ctx,
IN OUT ctx_details & cDetails )
protected

Definition at line 278 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ isAddrInShellcode()

bool pesieve::ThreadScanner::isAddrInShellcode ( ULONGLONG addr)
protected

Definition at line 367 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ printResolvedAddr()

bool pesieve::ThreadScanner::printResolvedAddr ( ULONGLONG addr)
protected

Definition at line 379 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ printThreadInfo()

void pesieve::ThreadScanner::printThreadInfo ( const util::thread_info & threadi)
protected

Definition at line 409 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ reportSuspiciousAddr()

bool pesieve::ThreadScanner::reportSuspiciousAddr ( ThreadScanReport * my_report,
ULONGLONG susp_addr )
protected

Definition at line 443 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ scanRemote()

ThreadScanReport * pesieve::ThreadScanner::scanRemote ( )
virtual

Perform the scan on the remote process

Returns
a pointer to an object of the class inherited from ModuleScanReport

Implements pesieve::ProcessFeatureScanner.

Definition at line 584 of file thread_scanner.cpp.

Here is the call graph for this function:

◆ scanRemoteThreadCtx()

bool pesieve::ThreadScanner::scanRemoteThreadCtx ( HANDLE hThread,
ThreadScanReport * my_report )
protected

Definition at line 492 of file thread_scanner.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ exportsMap

peconv::ExportsMapper* pesieve::ThreadScanner::exportsMap
protected

Definition at line 155 of file thread_scanner.h.

◆ info

const util::thread_info& pesieve::ThreadScanner::info
protected

Definition at line 153 of file thread_scanner.h.

◆ isReflection

bool pesieve::ThreadScanner::isReflection
protected

Definition at line 152 of file thread_scanner.h.

◆ modulesInfo

ModulesInfo& pesieve::ThreadScanner::modulesInfo
protected

Definition at line 154 of file thread_scanner.h.

◆ symbols

ProcessSymbolsManager* pesieve::ThreadScanner::symbols
protected

Definition at line 156 of file thread_scanner.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.12.0