19 std::map<DWORD, ULONGLONG>::iterator
itr;
34 const peconv::ExportedFunc *
func =
found->second;
37 outs <<
"\"" <<
func->toString() <<
"\"" <<
",\n";
58 const peconv::ExportedFunc*
func = exportsMap->find_export_by_va(
addr);
60 return func->toString();
70 report << peconv::get_dll_shortname(
modExp->getModName());
71 report <<
".(unknown_func)";
82 const peconv::ExportedFunc*
func =
found->second;
86 return func->toString();
94 IN peconv::ImportsCollection *storedFunc,
95 IN peconv::ImpsNotCovered &notCovered,
97 IN const peconv::ExportsMapper *exportsMap)
99 const char delim =
';';
107 if (
report.is_open() ==
false) {
111 std::map<DWORD,ULONGLONG>::iterator
itr;
154template <
typename FIELD_T>
189bool pesieve::IATScanner::scanByOriginalTable(peconv::ImpsNotCovered &
not_covered)
191 if (!remoteModData.isInitialized()) {
192 std::cerr <<
"[-] Failed to initialize remote module header" << std::endl;
195 if (!moduleData.isInitialized() && !moduleData.loadOriginal()) {
196 std::cerr <<
"[-] Failed to initialize module data: " << moduleData.szModName << std::endl;
210 if (!remoteModData.loadFullImage()) {
211 std::cerr <<
"[-] Failed to initialize remote module" << std::endl;
214 std::map<DWORD, peconv::ExportedFunc*>::iterator
itr;
222 if (moduleData.is64bit()) {
255 std::set<peconv::ExportedFunc>::const_iterator
cItr;
281 if (!remoteModData.isInitialized()) {
282 std::cerr <<
"[-] Failed to initialize remote module header" << std::endl;
296 std::cout <<
"[*] IAT: " << moduleData.szModName <<
" hooked: " <<
not_covered.count() <<
"\n";
307 listAllImports(
report->storedFunc);
316 if (
report->countHooked() == 0) {
323void pesieve::IATScanner::initExcludedPaths()
328 std::transform(m_sysWow64Path_str.begin(), m_sysWow64Path_str.end(), m_sysWow64Path_str.begin(),
tolower);
333 std::transform(m_system32Path_str.begin(), m_system32Path_str.end(), m_system32Path_str.begin(),
tolower);
336bool pesieve::IATScanner::isInSystemDir(
const std::string &moduleName)
338 std::string
dirName = peconv::get_directory_name(moduleName);
341 if (
dirName == m_system32Path_str ||
dirName == m_sysWow64Path_str) {
347bool pesieve::IATScanner::filterResults(peconv::ImpsNotCovered &notCovered,
IATScanReport &
report)
349 std::map<DWORD, ULONGLONG>::iterator
itr;
350 for (
itr = notCovered.thunkToAddr.begin();
itr != notCovered.thunkToAddr.end(); ++
itr)
370 std::string moduleName = this->exportsMap.get_dll_path(
module_start);
371 if (isInSystemDir(moduleName)) {
373 std::cout <<
"Skipped: " << moduleName <<
"\n";
383bool pesieve::IATScanner::listAllImports(peconv::ImportsCollection &
_storedFunc)
A report from an IAT scan, generated by IATScanner.
const bool hooksToJSON(std::stringstream &outs, size_t level)
static std::string formatHookedFuncName(IN peconv::ImportsCollection *storedFunc, DWORD thunk_rva)
static bool saveNotRecovered(IN std::string fileName, IN HANDLE hProcess, IN peconv::ImportsCollection *storedFunc, IN peconv::ImpsNotCovered &notCovered, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)
bool generateList(IN const std::string &fileName, IN HANDLE hProcess, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)
peconv::ImportsCollection storedFunc
static std::string formatTargetName(IN const peconv::ExportsMapper *exportsMap, IN const ModulesInfo &modulesInfo, IN const ULONGLONG module_start, IN ULONGLONG addr)
peconv::ImpsNotCovered notCovered
virtual IATScanReport * scanRemote()
A container of all the process modules that were scanned.
Represents basic info about a scanned module, such as its base offset, size, and scan status.
ULONGLONG getStart() const
FIELD_T get_thunk_at_rva(BYTE *mod_buf, size_t mod_size, DWORD rva)
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
enum pesieve::module_scan_status t_scan_status
@ PE_IATS_CLEAN_SYS_FILTERED
scan the IAT; filter out hooks whose target lies in an unpatched system module (see isInSystemDir)
@ PE_IATS_UNFILTERED
scan the IAT and report every hook, with no system-module filtering
Final summary about the scanned process.