41 std::set<DWORD>::iterator
itr;
57 WORD charact = peconv::get_dll_characteristics(moduleData.original_module);
61 BYTE *
ldconf_ptr = peconv::get_load_config_ptr(moduleData.original_module, moduleData.original_size);
64 peconv::t_load_config_ver
ver = peconv::get_load_config_version(moduleData.original_module, moduleData.original_size,
ldconf_ptr);
65 if (
ver != peconv::LOAD_CONFIG_W8_VER &&
ver != peconv::LOAD_CONFIG_W10_VER) {
70 if (this->moduleData.is64bit()) {
71 peconv::IMAGE_LOAD_CONFIG_DIR64_W8*
ldc = (peconv::IMAGE_LOAD_CONFIG_DIR64_W8*)
ldconf_ptr;
76 peconv::IMAGE_LOAD_CONFIG_DIR32_W8*
ldc = (peconv::IMAGE_LOAD_CONFIG_DIR32_W8*)
ldconf_ptr;
106 std::cout <<
"Exports are in the Code section!" << std::endl;
163 return patchesList.size();
190 std::cout <<
"Code RVA: "
225 if (patchesList.size()) {
238 for (
DWORD i = 0;
i < sec_count;
i++) {
272 if (sec_count == 0) {
287 void pesieve::CodeScanner::freeExecutableSections(std::map<size_t, PeSection*> &
sections)
289 std::map<size_t, PeSection*>::iterator
itr;
300 OUT std::map<DWORD, CodeScanReport::t_section_status> &sectionToResult,
306 if (!moduleData.relocateToBase(
load_base)) {
312 std::map<size_t, PeSection*>::iterator
itr;
332 else if (errors > 0) {
340 if (!moduleData.isInitialized()) {
341 std::cerr <<
"[-] Module not initialized" << std::endl;
344 if (!remoteModData.isInitialized()) {
345 std::cerr <<
"[-] Failed to read the module header" << std::endl;
358 if (
my_report->countInaccessibleSections() > 0) {
371 std::cout <<
"[WARNING] Load Base: " << std::hex <<
load_base <<
" is different than the Hdr Base: " <<
hdr_base <<
"\n";
383 std::cout <<
"Using patches list for the base: " <<
my_report->relocBase <<
" list size: " <<
my_report->patchesList.size() <<
"\n";
398 if (
report.patchesList.size() == 0) {
A report from the code scan, generated by CodeScanner.
size_t generateTags(std::string reportPath)
enum pesieve::CodeScanReport::section_status t_section_status
virtual CodeScanReport * scanRemote()
A postprocessor of the detected code patches. Detects if the patch is a hook, and if so,...
void setEnd(DWORD end_rva)
const size_t toTAGs(std::ofstream &patch_report, const char delimiter)
Buffers the defined PE section belonging to the module loaded in the scanned process into the local m...
Buffers the data from the module loaded in the scanned process into the local memory.
#define MASK_TO_DWORD(val)
bool is_code(BYTE *loadedData, size_t loadedSize)
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
BYTE * first_different(const BYTE *buf_ptr, size_t bif_size, const BYTE padding)
enum pesieve::module_scan_status t_scan_status
Final summary about the scanned process.