pe-sieve/code__scanner_8h_source.html

#pragma once

#include <windows.h>

#include <vector>

#include <fstream>


#include "module_scanner.h"

#include "pe_section.h"

#include "patch_list.h"


namespace pesieve {


    class CodeScanReport : public ModuleScanReport

    {

    public:


        typedef enum section_status {

            SECTION_SCAN_ERR = -1,

            SECTION_NOT_MODIFIED = 0,

            SECTION_PATCHED = 1,

            SECTION_UNPACKED = 2

        } t_section_status;


        CodeScanReport(HMODULE _module, size_t _moduleSize)

            : ModuleScanReport(_module, _moduleSize)

        {

        }


        size_t countSectionsWithStatus(const t_section_status neededStatus)

        {

            size_t counter = 0;

            std::map<DWORD, t_section_status>::iterator itr;

            for (itr = sectionToResult.begin(); itr != sectionToResult.end(); ++itr) {

                const t_section_status status = itr->second;

                if (status == neededStatus) {

                    counter++;

                }

            }

            return counter;

        }


        const virtual void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)

        {

            const size_t inaccessibleCount = countInaccessibleSections();

            const size_t scannedCount = sectionToResult.size() - inaccessibleCount;

            ModuleScanReport::_toJSON(outs, level);

            if (sectionToResult.size() > 0) {

                outs << ",\n";

                OUT_PADDED(outs, level, "\"scanned_sections\" : ");

                outs << std::dec << scannedCount;

            }

            if (inaccessibleCount > 0) {

                outs << ",\n";

                OUT_PADDED(outs, level, "\"inaccessible_sections\" : ");

                outs << std::dec << inaccessibleCount;

            }

            const size_t unpacked = countUnpackedSections();

            if (unpacked > 0) {

                outs << ",\n";

                OUT_PADDED(outs, level, "\"unpacked_sections\" : ");

                outs << std::dec << unpacked;

            }

            if (patchesList.size() > 0) {

                outs << ",\n";

                OUT_PADDED(outs, level, "\"patches\" : ");

                outs << std::dec << patchesList.size();


                if (jdetails >= JSON_DETAILS) {

                    outs << ",\n";

                    const bool is_short = (jdetails < JSON_DETAILS2) ? true : false;

                    patchesList.toJSON(outs, level, is_short);

                }

            }

        }


        const virtual bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)

        {

            OUT_PADDED(outs, level, "\"code_scan\" : {\n");

            fieldsToJSON(outs, level + 1, jdetails);

            outs << "\n";

            OUT_PADDED(outs, level, "}");

            return true;

        }


        virtual ULONGLONG getRelocBase()

        {

            return this->relocBase;

        }


        size_t countUnpackedSections()

        {

            return countSectionsWithStatus(SECTION_UNPACKED);

        }


        size_t countInaccessibleSections()

        {

            return countSectionsWithStatus(SECTION_SCAN_ERR);

        }


        size_t generateTags(const std::string &reportPath);


        std::map<DWORD, t_section_status> sectionToResult;

        PatchList patchesList;

    };


    class CodeScanner : public ModuleScanner {

    public:


        CodeScanner(HANDLE hProc, ModuleData &moduleData, RemoteModuleData &remoteModData)

            : ModuleScanner(hProc, moduleData, remoteModData),

            isScanData(false), isScanInaccessible(false)

        {

        }


        virtual CodeScanReport* scanRemote();


        void setScanData(bool enable) { this->isScanData = enable; }

        void setScanInaccessible(bool enable) { this->isScanInaccessible = enable; }


    private:


        size_t collectExecutableSections(RemoteModuleData &remoteModData, std::map<size_t, PeSection*> &sections, CodeScanReport &my_report);


        void freeExecutableSections(std::map<size_t, PeSection*> &sections);


        bool postProcessScan(IN OUT CodeScanReport &report);


        t_scan_status scanUsingBase(IN ULONGLONG load_base, IN std::map<size_t, PeSection*> &remote_code, OUT std::map<DWORD, CodeScanReport::t_section_status> &sectionToResult, OUT PatchList &patchesList);


        CodeScanReport::t_section_status scanSection(PeSection &originalSec, PeSection &remoteSec, OUT PatchList &patchesList);


        bool clearIAT(PeSection &originalSec, PeSection &remoteSec);


        bool clearExports(PeSection &originalSec, PeSection &remoteSec);


        bool clearLoadConfig(PeSection &originalSec, PeSection &remoteSec);


        size_t collectPatches(DWORD section_rva, PBYTE orig_code, PBYTE patched_code, size_t code_size, OUT PatchList &patchesList);


        bool isScanData;

        bool isScanInaccessible;

    };


}; //namespace pesieve


pesieve::CodeScanReport
A report from the code scan, generated by CodeScanner.
Definition code_scanner.h:14

pesieve::CodeScanReport::generateTags
size_t generateTags(const std::string &reportPath)
Definition code_scanner.cpp:13

pesieve::CodeScanReport::countUnpackedSections
size_t countUnpackedSections()
Definition code_scanner.h:89

pesieve::CodeScanReport::section_status
section_status
Definition code_scanner.h:16

pesieve::CodeScanReport::SECTION_PATCHED
@ SECTION_PATCHED
Definition code_scanner.h:19

pesieve::CodeScanReport::SECTION_SCAN_ERR
@ SECTION_SCAN_ERR
Definition code_scanner.h:17

pesieve::CodeScanReport::SECTION_UNPACKED
@ SECTION_UNPACKED
Definition code_scanner.h:20

pesieve::CodeScanReport::SECTION_NOT_MODIFIED
@ SECTION_NOT_MODIFIED
Definition code_scanner.h:18

pesieve::CodeScanReport::t_section_status
enum pesieve::CodeScanReport::section_status t_section_status

pesieve::CodeScanReport::countSectionsWithStatus
size_t countSectionsWithStatus(const t_section_status neededStatus)
Definition code_scanner.h:28

pesieve::CodeScanReport::getRelocBase
virtual ULONGLONG getRelocBase()
Definition code_scanner.h:84

pesieve::CodeScanReport::patchesList
PatchList patchesList
Definition code_scanner.h:102

pesieve::CodeScanReport::countInaccessibleSections
size_t countInaccessibleSections()
Definition code_scanner.h:94

pesieve::CodeScanReport::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition code_scanner.h:41

pesieve::CodeScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition code_scanner.h:75

pesieve::CodeScanReport::CodeScanReport
CodeScanReport(HMODULE _module, size_t _moduleSize)
Definition code_scanner.h:23

pesieve::CodeScanReport::sectionToResult
std::map< DWORD, t_section_status > sectionToResult
Definition code_scanner.h:101

pesieve::CodeScanner
A scanner for detection of patches in the code.
Definition code_scanner.h:107

pesieve::CodeScanner::setScanInaccessible
void setScanInaccessible(bool enable)
Definition code_scanner.h:119

pesieve::CodeScanner::setScanData
void setScanData(bool enable)
Definition code_scanner.h:118

pesieve::CodeScanner::scanRemote
virtual CodeScanReport * scanRemote()
Definition code_scanner.cpp:339

pesieve::CodeScanner::CodeScanner
CodeScanner(HANDLE hProc, ModuleData &moduleData, RemoteModuleData &remoteModData)
Definition code_scanner.h:110

pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15

pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26

pesieve::ModuleScanReport::status
t_scan_status status
Definition module_scan_report.h:61

pesieve::ModuleScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:64

pesieve::ModuleScanReport::relocBase
ULONGLONG relocBase
Definition module_scan_report.h:60

pesieve::ModuleScanner
A base class for all the scanners operating on module data.
Definition module_scanner.h:17

pesieve::ModuleScanner::remoteModData
RemoteModuleData & remoteModData
Definition module_scanner.h:31

pesieve::ModuleScanner::moduleData
ModuleData & moduleData
Definition module_scanner.h:30

pesieve::PatchList
Definition patch_list.h:20

pesieve::PatchList::toJSON
const bool toJSON(std::stringstream &outs, size_t level, bool short_info)
Definition patch_list.cpp:145

pesieve::PatchList::size
size_t size()
Definition patch_list.h:132

pesieve::PeSection
Buffers the defined PE section belonging to the module loaded in the scanned process into the local m...
Definition pe_section.h:12

pesieve::RemoteModuleData
Buffers the data from the module loaded in the scanned process into the local memory.
Definition module_data.h:121

pesieve.t_json_level
Definition pesieve.py:82

OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12

module_scanner.h

pesieve
Definition pesieve.py:1

pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status

patch_list.h

pe_section.h

JSON_DETAILS
@ JSON_DETAILS
include the basic list patches in the main JSON report
Definition pe_sieve_types.h:105

JSON_DETAILS2
@ JSON_DETAILS2
include the extended list patches in the main JSON report
Definition pe_sieve_types.h:106

report
Final summary about the scanned process.
Definition pe_sieve_types.h:150