PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
mapping_scanner.cpp
Go to the documentation of this file.
1#include "mapping_scanner.h"
2
3#include "../utils/path_converter.h"
4
5using namespace pesieve;
6using namespace pesieve::util;
7
8MappingScanReport* pesieve::MappingScanner::scanRemote()
9{
10 MappingScanReport *my_report = new MappingScanReport(moduleData.moduleHandle, moduleData.original_size);
11
12 std::string mapped_name = RemoteModuleData::getMappedName(processHandle, moduleData.moduleHandle);
13 std::string module_name = moduleData.szModName;
14 bool is_same = (to_lowercase(mapped_name) == to_lowercase(module_name));
15
16 my_report->mappedFile = mapped_name;
17 my_report->moduleFile = module_name;
18
19 size_t mod_name_len = module_name.length();
20 if (!is_same && mod_name_len > 0) {
21 //check Wow64
22 char path_copy[MAX_PATH] = { 0 };
23 ::memcpy(path_copy, moduleData.szModName, mod_name_len);
24 convert_to_wow64_path(path_copy);
25 is_same = (to_lowercase(mapped_name) == to_lowercase(path_copy));
26 if (is_same) {
27 moduleData.switchToWow64Path();
28 }
29 }
30 if (is_same) {
31 my_report->status = SCAN_NOT_SUSPICIOUS;
32 return my_report;
33 }
34 bool isFilled = false;
35 if (moduleData.loadOriginal()) {
36 isFilled = true;
37 }
38 else {
39#ifdef _DEBUG
40 std::cout << "Failed to load module name:\n\t" << module_name << "\nswitching to mapped name:\n\t" << mapped_name << std::endl;
41#endif
42 moduleData.switchToMappedPath();
43 if (moduleData.loadOriginal()) {
44 isFilled = true;
45 }
46 }
47 if (isFilled) {
48 my_report->isDotNetModule = moduleData.isDotNet();
49 my_report->origBase = moduleData.getHdrImageBase();
50 }
51 my_report->status = SCAN_SUSPICIOUS;
52 return my_report;
53}
pesieve::MappingScanner::scanRemote
virtual MappingScanReport * scanRemote()
Definition mapping_scanner.cpp:8
pesieve::ModuleData::szModName
char szModName[MAX_PATH]
Definition module_data.h:100
pesieve::ModuleData::getHdrImageBase
ULONGLONG getHdrImageBase()
Definition module_data.h:83
pesieve::RemoteModuleData::getMappedName
static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr)
Definition module_data.cpp:269
mapping_scanner.h
pesieve::util::to_lowercase
std::string to_lowercase(std::string)
Definition strings_util.cpp:6
pesieve::util::convert_to_wow64_path
bool convert_to_wow64_path(char *szModName)
Definition path_converter.cpp:195
pesieve.MAX_PATH
int MAX_PATH
Definition pesieve.py:10
path_converter.h
Generated by doxygen 1.12.0