pe-sieve/mapping__scanner_8cpp_source.html

#include "mapping_scanner.h"


#include "../utils/path_converter.h"


using namespace pesieve;

using namespace pesieve::util;


MappingScanReport* pesieve::MappingScanner::scanRemote()

{

    MappingScanReport *my_report = new MappingScanReport(moduleData.moduleHandle, moduleData.original_size);


    std::string mapped_name = RemoteModuleData::getMappedName(processHandle, moduleData.moduleHandle);

    std::string module_name = moduleData.szModName;

    bool is_same = (to_lowercase(mapped_name) == to_lowercase(module_name));


    my_report->mappedFile = mapped_name;

    my_report->moduleFile = module_name;

    my_report->isDotNetModule = moduleData.isDotNet();


    size_t mod_name_len = module_name.length();

    if (!is_same && mod_name_len > 0) {

        //check Wow64

        char path_copy[MAX_PATH] = { 0 };

        memcpy(path_copy, moduleData.szModName, mod_name_len);

        convert_to_wow64_path(path_copy);

        is_same = (to_lowercase(mapped_name) == to_lowercase(path_copy));

        if (is_same) {

            moduleData.switchToWow64Path();

        }

    }

    if (!is_same) {

        my_report->status = SCAN_SUSPICIOUS;

        return my_report;

    }

    my_report->status = SCAN_NOT_SUSPICIOUS;

    return my_report;

}


pesieve::MappingScanReport
Definition mapping_scanner.h:13

pesieve::MappingScanner::scanRemote
virtual MappingScanReport * scanRemote()
Definition mapping_scanner.cpp:8

pesieve::MappingScanner::moduleData
ModuleData & moduleData
Definition mapping_scanner.h:58

pesieve::ModuleData::switchToWow64Path
bool switchToWow64Path()
Definition module_data.cpp:190

pesieve::ModuleData::isDotNet
bool isDotNet()
Definition module_data.h:50

pesieve::ModuleData::moduleHandle
HMODULE moduleHandle
Definition module_data.h:101

pesieve::ModuleData::szModName
char szModName[MAX_PATH]
Definition module_data.h:102

pesieve::ModuleData::original_size
size_t original_size
Definition module_data.h:106

pesieve::ProcessFeatureScanner::processHandle
HANDLE processHandle
Definition process_feature_scanner.h:29

pesieve::RemoteModuleData::getMappedName
static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr)
Definition module_data.cpp:257

mapping_scanner.h

pesieve::util
Definition artefact_scanner.cpp:12

pesieve::util::to_lowercase
std::string to_lowercase(std::string)
Definition strings_util.cpp:6

pesieve::util::convert_to_wow64_path
bool convert_to_wow64_path(char *szModName)
Definition path_converter.cpp:195

pesieve
Definition pesieve.py:1

pesieve.MAX_PATH
int MAX_PATH
Definition pesieve.py:10

pesieve::SCAN_NOT_SUSPICIOUS
@ SCAN_NOT_SUSPICIOUS
Definition module_scan_report.h:20

pesieve::SCAN_SUSPICIOUS
@ SCAN_SUSPICIOUS
Definition module_scan_report.h:21

pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31

path_converter.h