PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
#include "
mapping_scanner.h
"
#include "
../utils/path_converter.h
"
// Bring the project namespaces into scope so the scanner definition below can
// refer to MappingScanReport, to_lowercase and convert_to_wow64_path unqualified.
using namespace pesieve::util;
using namespace pesieve;
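/// Compares the module path recorded in moduleData (szModName) with the name of
/// the file mapping backing the module's base address, as returned by
/// RemoteModuleData::getMappedName(), and flags the module as suspicious when
/// the two names differ (case-insensitively).
///
/// When the plain comparison fails, the module path is retried in its WoW64
/// form (convert_to_wow64_path) so that a difference caused only by WoW64
/// file-system redirection is not reported; if that form matches, moduleData
/// is switched to it.
///
/// @return A heap-allocated MappingScanReport which the caller owns and must
///         delete. mappedFile, moduleFile and isDotNetModule are always filled
///         in; status is SCAN_SUSPICIOUS when the names differ, otherwise
///         SCAN_NOT_SUSPICIOUS.
MappingScanReport* pesieve::MappingScanner::scanRemote()
{
    MappingScanReport* my_report = new MappingScanReport(moduleData.moduleHandle, moduleData.original_size);

    const std::string mapped_name = RemoteModuleData::getMappedName(processHandle, moduleData.moduleHandle);
    // NOTE(review): relies on szModName being NUL-terminated within its MAX_PATH
    // buffer — the std::string constructor reads up to the first NUL.
    const std::string module_name = moduleData.szModName;

    // Both comparisons below are case-insensitive; lowercase the mapped name once.
    const std::string mapped_lower = to_lowercase(mapped_name);
    bool is_same = (mapped_lower == to_lowercase(module_name));

    my_report->mappedFile = mapped_name;
    my_report->moduleFile = module_name;
    my_report->isDotNetModule = moduleData.isDotNet();

    if (!is_same && !module_name.empty()) {
        // The names may differ only by WoW64 redirection: retry the comparison
        // with the module path converted to its WoW64 form.
        char path_copy[MAX_PATH] = { 0 };
        // Bounded copy: at most MAX_PATH - 1 characters are written, so the
        // NUL left by the zero-initialization always terminates path_copy
        // (the original unbounded memcpy trusted module_name.length()).
        module_name.copy(path_copy, MAX_PATH - 1);
        convert_to_wow64_path(path_copy);
        is_same = (mapped_lower == to_lowercase(path_copy));
        if (is_same) {
            // The WoW64 form is the one that matches: make moduleData use it from now on.
            moduleData.switchToWow64Path();
        }
    }

    my_report->status = is_same ? SCAN_NOT_SUSPICIOUS : SCAN_SUSPICIOUS;
    return my_report;
}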