pe-sieve/iat__scanner_8h_source.html

#pragma once


#include <windows.h>


#include "module_scanner.h"

#include "scanned_modules.h"


namespace pesieve {


    class IATScanReport : public ModuleScanReport

    {

    public:


        static bool saveNotRecovered(IN const std::string &fileName,

            IN HANDLE hProcess,

            IN peconv::ImportsCollection *storedFunc,

            IN peconv::ImpsNotCovered &notCovered,

            IN const ModulesInfo &modulesInfo,

            IN const peconv::ExportsMapper *exportsMap);


        IATScanReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)

            : ModuleScanReport(_module, _moduleSize, SCAN_SUSPICIOUS)

        {

            moduleFile = _moduleFile;

        }


        const virtual bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)

        {

            size_t hooks = countHooked();

            OUT_PADDED(outs, level, "\"iat_scan\" : ");

            outs << "{\n";

            ModuleScanReport::_toJSON(outs, level + 1);

            outs << ",\n";

            OUT_PADDED(outs, level + 1, "\"hooks\" : ");

            outs << std::dec << hooks;

            if (jdetails >= JSON_DETAILS && hooks) {

                outs << ",\n";

                this->hooksToJSON(outs, level + 1);

            }

            outs << "\n";

            OUT_PADDED(outs, level, "}");

            return true;

        }


        bool generateList(IN const std::string &fileName, IN HANDLE hProcess, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap);


        const bool hooksToJSON(std::stringstream &outs, size_t level);

        size_t countHooked() { return notCovered.count(); }


        peconv::ImportsCollection storedFunc;

        peconv::ImpsNotCovered notCovered;


    protected:

        static std::string formatHookedFuncName(IN peconv::ImportsCollection* storedFunc, DWORD thunk_rva);

        static std::string formatTargetName(IN const peconv::ExportsMapper* exportsMap, IN const ModulesInfo& modulesInfo, IN const ULONGLONG module_start, IN ULONGLONG addr);

    };


    //---


    class IATScanner : public ModuleScanner {

    public:


        IATScanner(

            HANDLE hProc,

            ModuleData &moduleData,

            RemoteModuleData &remoteModData,

            const peconv::ExportsMapper &_exportsMap,

            IN const ModulesInfo &_modulesInfo,

            t_iat_scan_mode _hooksFilter

        )

            : ModuleScanner(hProc, moduleData, remoteModData),

            exportsMap(_exportsMap), modulesInfo(_modulesInfo),

            hooksFilter(_hooksFilter)

        {

            initExcludedPaths();

        }


        virtual IATScanReport* scanRemote();


    private:

        bool scanByOriginalTable(peconv::ImpsNotCovered &not_covered);

        bool isValidFuncFilled(ULONGLONG filled_val, const peconv::ExportedFunc &definedFunc, const peconv::ExportedFunc& possibleFunc);


        void initExcludedPaths();

        bool isInSystemDir(const std::string &moduleName);


        bool filterResults(peconv::ImpsNotCovered &not_covered, IATScanReport &report);


        bool listAllImports(peconv::ImportsCollection &collection);


        const peconv::ExportsMapper &exportsMap;

        const ModulesInfo &modulesInfo;


        t_iat_scan_mode hooksFilter;


        //excluded paths:

        std::string m_sysWow64Path_str;

        std::string m_system32Path_str;

    };


}; //namespace pesieve


pesieve::IATScanReport
A report from an IAT scan, generated by IATScanner.
Definition iat_scanner.h:12

pesieve::IATScanReport::IATScanReport
IATScanReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition iat_scanner.h:22

pesieve::IATScanReport::hooksToJSON
const bool hooksToJSON(std::stringstream &outs, size_t level)
Definition iat_scanner.cpp:11

pesieve::IATScanReport::formatHookedFuncName
static std::string formatHookedFuncName(IN peconv::ImportsCollection *storedFunc, DWORD thunk_rva)
Definition iat_scanner.cpp:75

pesieve::IATScanReport::generateList
bool generateList(IN const std::string &fileName, IN HANDLE hProcess, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)
Definition iat_scanner.cpp:143

pesieve::IATScanReport::storedFunc
peconv::ImportsCollection storedFunc
Definition iat_scanner.h:51

pesieve::IATScanReport::formatTargetName
static std::string formatTargetName(IN const peconv::ExportsMapper *exportsMap, IN const ModulesInfo &modulesInfo, IN const ULONGLONG module_start, IN ULONGLONG addr)
Definition iat_scanner.cpp:50

pesieve::IATScanReport::saveNotRecovered
static bool saveNotRecovered(IN const std::string &fileName, IN HANDLE hProcess, IN peconv::ImportsCollection *storedFunc, IN peconv::ImpsNotCovered &notCovered, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)
Definition iat_scanner.cpp:92

pesieve::IATScanReport::countHooked
size_t countHooked()
Definition iat_scanner.h:49

pesieve::IATScanReport::notCovered
peconv::ImpsNotCovered notCovered
Definition iat_scanner.h:52

pesieve::IATScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition iat_scanner.h:28

pesieve::IATScanner
A scanner for detection of IAT hooking.
Definition iat_scanner.h:62

pesieve::IATScanner::IATScanner
IATScanner(HANDLE hProc, ModuleData &moduleData, RemoteModuleData &remoteModData, const peconv::ExportsMapper &_exportsMap, IN const ModulesInfo &_modulesInfo, t_iat_scan_mode _hooksFilter)
Definition iat_scanner.h:65

pesieve::IATScanner::scanRemote
virtual IATScanReport * scanRemote()
Definition iat_scanner.cpp:279

pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15

pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26

pesieve::ModuleScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:64

pesieve::ModuleScanReport::moduleFile
std::string moduleFile
Definition module_scan_report.h:58

pesieve::ModuleScanner
A base class for all the scanners operating on module data.
Definition module_scanner.h:17

pesieve::ModuleScanner::remoteModData
RemoteModuleData & remoteModData
Definition module_scanner.h:31

pesieve::ModuleScanner::moduleData
ModuleData & moduleData
Definition module_scanner.h:30

pesieve::ModulesInfo
A container of all the process modules that were scanned.
Definition scanned_modules.h:84

pesieve::RemoteModuleData
Buffers the data from the module loaded in the scanned process into the local memory.
Definition module_data.h:121

pesieve.t_iat_scan_mode
Definition pesieve.py:58

pesieve.t_json_level
Definition pesieve.py:82

OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12

module_scanner.h

pesieve
Definition pesieve.py:1

pesieve::SCAN_SUSPICIOUS
@ SCAN_SUSPICIOUS
Definition module_scan_report.h:21

JSON_DETAILS
@ JSON_DETAILS
include the basic list patches in the main JSON report
Definition pe_sieve_types.h:105

scanned_modules.h

report
Final summary about the scanned process.
Definition pe_sieve_types.h:150