PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
headers_scanner.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include "module_scanner.h"
6
7namespace pesieve {
8
10 class HeadersScanReport : public ModuleScanReport
11 {
12 public:
20
21 const virtual void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
22 {
23 bool is_replaced = isHdrReplaced();
24 ModuleScanReport::_toJSON(outs, level);
25 outs << ",\n";
26 OUT_PADDED(outs, level, "\"is_connected_to_peb\" : ");
27 outs << isInPEB;
28 outs << ",\n";
29 OUT_PADDED(outs, level, "\"is_pe_replaced\" : ");
30 outs << is_replaced;
31 outs << ",\n";
32 OUT_PADDED(outs, level, "\"dos_hdr_modified\" : ");
33 outs << dosHdrModified;
34 outs << ",\n";
35 OUT_PADDED(outs, level, "\"file_hdr_modified\" : ");
36 outs << fileHdrModified;
37 outs << ",\n";
38 OUT_PADDED(outs, level, "\"nt_hdr_modified\" : ");
39 outs << ntHdrModified;
40 outs << ",\n";
41 OUT_PADDED(outs, level, "\"ep_modified\" : ");
42 outs << epModified;
43 outs << ",\n";
44 OUT_PADDED(outs, level, "\"sec_hdr_modified\" : ");
45 outs << secHdrModified;
46 if (archMismatch) {
47 outs << ",\n";
48 OUT_PADDED(outs, level, "\"arch_mismatch\" : ");
49 outs << archMismatch;
50 outs << ",\n";
51 OUT_PADDED(outs, level, "\"is64b\" : ");
52 outs << is64;
53 }
54 }
55
56 const virtual bool toJSON(std::stringstream& outs, size_t level, const pesieve::t_json_level &jdetails)
57 {
58 OUT_PADDED(outs, level, "\"headers_scan\" : {\n");
59 fieldsToJSON(outs, level + 1, jdetails);
60 outs << "\n";
61 OUT_PADDED(outs, level, "}");
62 return true;
63 }
64
65 bool isHdrReplaced()
66 {
67 return secHdrModified;
68 }
69
70 bool epModified;
71 bool dosHdrModified;
72 bool fileHdrModified;
73 bool ntHdrModified;
74 bool secHdrModified;
75 bool archMismatch; // the loaded module is of different architecture than the module read from the corresponding path
76 DWORD is64; // is the remote module 64bit
77 bool isInPEB;
78 };
79
80
82 class HeadersScanner : public ModuleScanner {
83 public:
88
89 virtual HeadersScanReport* scanRemote();
90
91 private:
92 bool zeroUnusedFields(PBYTE hdr_buffer, size_t hdrs_size);
93 bool isSecHdrModified(const PBYTE hdr_buffer1, const PBYTE hdr_buffer2, const size_t hdrs_size);
94 bool isDosHdrModified(const PBYTE hdr_buffer1, const PBYTE hdr_buffer2, const size_t hdrs_size);
95 bool isFileHdrModified(const PBYTE hdr_buffer1, const PBYTE hdr_buffer2, const size_t hdrs_size, bool mask_arch_mismatch = false);
96 bool isNtHdrModified(const PBYTE hdr_buffer1, const PBYTE hdr_buffer2, const size_t hdrs_size);
97 };
98
99}; //namespace pesieve
100
pesieve::HeadersScanReport
A report from the headers scan, generated by HeadersScanner.
Definition headers_scanner.h:11
pesieve::HeadersScanReport::HeadersScanReport
HeadersScanReport(HMODULE _module, size_t _moduleSize)
Definition headers_scanner.h:13
pesieve::HeadersScanReport::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition headers_scanner.h:21
pesieve::HeadersScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition headers_scanner.h:56
pesieve::HeadersScanner
A scanner for detection of PE header's modifications.
Definition headers_scanner.h:82
pesieve::HeadersScanner::scanRemote
virtual HeadersScanReport * scanRemote()
Definition headers_scanner.cpp:6
pesieve::HeadersScanner::HeadersScanner
HeadersScanner(HANDLE hProc, ModuleData &moduleData, RemoteModuleData &remoteModData)
Definition headers_scanner.h:84
pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ModuleScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:70
pesieve::ModuleScanner
A base class for all the scanners operating on module data.
Definition module_scanner.h:17
pesieve::ModuleScanner::remoteModData
RemoteModuleData & remoteModData
Definition module_scanner.h:31
pesieve::RemoteModuleData
Buffers the data from the module loaded in the scanned process into the local memory.
Definition module_data.h:123
pesieve.t_json_level
Definition pesieve.py:82
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
module_scanner.h
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
Generated by doxygen 1.10.0