PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
hook_targets_resolver.cpp
Go to the documentation of this file.
1#include "hook_targets_resolver.h"
2#include "scanned_modules.h"
3
4#include "scan_report.h"
5#include "code_scanner.h"
6
7using namespace pesieve;
8
9bool pesieve::HookTargetResolver::resolveTarget(PatchList::Patch* currPatch)
10{
11 if (!currPatch) return false;
12
13 const ULONGLONG searchedAddr = currPatch->getHookTargetVA();
14 const ScannedModule* foundMod = processReport.getModuleContaining(searchedAddr);
15 if (!foundMod) return false;
16
17 if (processReport.exportsMap) {
18 const peconv::ExportedFunc* expFunc = processReport.exportsMap->find_export_by_va(searchedAddr);
19 if (expFunc) {
20 const std::string targetName = foundMod->getModName() + "." + expFunc->nameToString();
21 currPatch->setHookTargetInfo(foundMod->getStart(), foundMod->isSuspicious(), targetName);
22 return true;
23 }
24 }
25 currPatch->setHookTargetInfo(foundMod->getStart(), foundMod->isSuspicious(), foundMod->getModName());
26 return true;
27}
28
29size_t pesieve::HookTargetResolver::resolveAllHooks(IN OUT std::set<ModuleScanReport*> &code_reports)
30{
31 size_t resolved = 0;
32 std::set<ModuleScanReport*>::iterator cItr;
33 for (cItr = code_reports.begin(); cItr != code_reports.end(); ++cItr) {
34 ModuleScanReport* modrep = *cItr;
35 CodeScanReport *coderep = dynamic_cast<CodeScanReport*>(modrep);
36 if (!coderep) continue;
37
38 std::vector<PatchList::Patch*>::iterator patchItr;
39 for (patchItr = coderep->patchesList.patches.begin();
40 patchItr != coderep->patchesList.patches.end();
41 ++patchItr)
42 {
43 PatchList::Patch* currPatch = *patchItr;
44 if (resolveTarget(currPatch)) {
45 resolved++;
46 }
47 }
48 }
49 return resolved;
50}
pesieve::CodeScanReport
A report from the code scan, generated by CodeScanner.
Definition code_scanner.h:14
pesieve::HookTargetResolver::resolveAllHooks
size_t resolveAllHooks(IN OUT std::set< ModuleScanReport * > &code_reports)
Resolves all the hooks collected within the given set of reports.
Definition hook_targets_resolver.cpp:29
pesieve::HookTargetResolver::resolveTarget
bool resolveTarget(IN OUT PatchList::Patch *currPatch)
Resolves the information about the target of the provided hook, and fills it back into the object.
Definition hook_targets_resolver.cpp:9
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ProcessScanReport::exportsMap
peconv::ExportsMapper * exportsMap
Definition scan_report.h:106
pesieve::ProcessScanReport::getModuleContaining
ScannedModule * getModuleContaining(ULONGLONG field_addr, size_t field_size=0) const
Definition scan_report.h:93
pesieve::ScannedModule
Represents a basic info about the scanned module, such as its base offset, size, and the status.
Definition scanned_modules.h:14
code_scanner.h
hook_targets_resolver.h
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
scan_report.h
scanned_modules.h
Generated by doxygen 1.10.0