PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
mempage_data.cpp
Go to the documentation of this file.
1#include "mempage_data.h"
2#include "module_data.h"
3#include "../utils/process_util.h"
4
5using namespace pesieve;
6
7bool pesieve::MemPageData::fillInfo()
8{
9 MEMORY_BASIC_INFORMATION page_info = { 0 };
10 SIZE_T out = VirtualQueryEx(this->processHandle, (LPCVOID) start_va, &page_info, sizeof(page_info));
11 if (out != sizeof(page_info)) {
12 if (GetLastError() == ERROR_INVALID_PARAMETER) {
13 return false;
14 }
15#ifdef _DEBUG
16 std::cout << "Could not query page: " << std::hex << start_va << ". Error: " << GetLastError() << std::endl;
17#endif
18 return false;
19 }
20 initial_protect = page_info.AllocationProtect;
21 mapping_type = page_info.Type;
22 protection = page_info.Protect;
23 alloc_base = (ULONGLONG) page_info.AllocationBase;
24 region_start = (ULONGLONG) page_info.BaseAddress;
25 region_end = region_start + page_info.RegionSize;
26 is_info_filled = true;
27 return true;
28}
29
30bool pesieve::MemPageData::loadModuleName()
31{
32 const HMODULE mod_base = (HMODULE)this->alloc_base;
33 std::string module_name = RemoteModuleData::getModuleName(processHandle, mod_base);
34 if (module_name.length() == 0) {
35#ifdef _DEBUG
36 std::cerr << "Could not retrieve the module name. Base: " << std::hex << mod_base << std::endl;
37#endif
38 return false;
39 }
40 this->module_name = module_name;
41 return true;
42}
43
44bool pesieve::MemPageData::loadMappedName()
45{
46 if (!isInfoFilled() && !fillInfo()) {
47 return false;
48 }
49 std::string mapped_filename = RemoteModuleData::getMappedName(this->processHandle, (HMODULE)this->alloc_base);
50 if (mapped_filename.length() == 0) {
51#ifdef _DEBUG
52 std::cerr << "Could not retrieve the mapped name. Base: " << std::hex << this->alloc_base << std::endl;
53#endif
54 return false;
55 }
56 this->mapped_name = mapped_filename;
57 return true;
58}
59
60bool pesieve::MemPageData::isRealMapping()
61{
62 if (!loadMappedName()) {
63#ifdef _DEBUG
64 std::cerr << "Could not retrieve name" << std::endl;
65#endif
66 return false;
67 }
68 PVOID old_val = nullptr;
69 util::wow64_disable_fs_redirection(&old_val);
70 HANDLE file = CreateFileA(this->mapped_name.c_str(), GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
71 util::wow64_revert_fs_redirection(old_val);
72 if(file == INVALID_HANDLE_VALUE) {
73#ifdef _DEBUG
74 std::cerr << "Could not open file!" << std::endl;
75#endif
76 return false;
77 }
78 HANDLE mapping = CreateFileMapping(file, 0, PAGE_READONLY, 0, 0, 0);
79 if (!mapping) {
80#ifdef _DEBUG
81 std::cerr << "Could not create mapping!" << std::endl;
82#endif
83 CloseHandle(file);
84 return false;
85 }
86 BYTE *rawData = (BYTE*) MapViewOfFile(mapping, FILE_MAP_READ, 0, 0, 0);
87 if (rawData == nullptr) {
88#ifdef _DEBUG
89 std::cerr << "Could not map view of file: " << this->mapped_name << std::endl;
90#endif
91 CloseHandle(mapping);
92 CloseHandle(file);
93 return false;
94 }
95
96 bool is_same = false;
97 if (this->load()) {
98 size_t r_size = GetFileSize(file, 0);
99 is_same = this->loadedData.isDataContained(rawData, r_size);
100 }
101 else {
102#ifdef _DEBUG
103 std::cerr << "[" << std::hex << start_va << "] Page not loaded!" << std::endl;
104#endif
105 }
106 UnmapViewOfFile(rawData);
107 CloseHandle(mapping);
108 CloseHandle(file);
109 return is_same;
110}
111
112bool pesieve::MemPageData::_loadRemote()
113{
114 _freeRemote();
115 size_t region_size = size_t(this->region_end - this->start_va);
116 if (stop_va && ( stop_va >= start_va && stop_va < this->region_end)) {
117 region_size = size_t(this->stop_va - this->start_va);
118 }
119
120 if (region_size == 0) {
121 return false;
122 }
123 if (!loadedData.allocBuffer(region_size)) {
124 return false;
125 }
126 const bool can_force_access = is_process_refl ? true : false;
127 const size_t size_read = peconv::read_remote_region(this->processHandle, (BYTE*)this->start_va, loadedData.data, loadedData.getDataSize(), can_force_access);
128 if (size_read == 0) {
129 _freeRemote();
130#ifdef _DEBUG
131 std::cerr << "Cannot read remote memory!" << std::endl;
132#endif
133 return false;
134 }
135 loadedData.trim();
136 return true;
137}
138
pesieve::MemPageData::loadMappedName
bool loadMappedName()
Definition mempage_data.cpp:44
pesieve::MemPageData::protection
DWORD protection
page protection
Definition mempage_data.h:42
pesieve::MemPageData::_loadRemote
bool _loadRemote()
Definition mempage_data.cpp:112
pesieve::MemPageData::region_end
ULONGLONG region_end
Definition mempage_data.h:50
pesieve::MemPageData::alloc_base
ULONGLONG alloc_base
Definition mempage_data.h:48
pesieve::MemPageData::processHandle
HANDLE processHandle
Definition mempage_data.h:89
pesieve::MemPageData::fillInfo
bool fillInfo()
Definition mempage_data.cpp:7
pesieve::MemPageData::loadModuleName
bool loadModuleName()
Definition mempage_data.cpp:30
pesieve::MemPageData::mapping_type
DWORD mapping_type
Definition mempage_data.h:45
pesieve::MemPageData::initial_protect
DWORD initial_protect
Definition mempage_data.h:43
pesieve::MemPageData::start_va
ULONGLONG start_va
VA that was requested. May not be beginning of the region.
Definition mempage_data.h:40
pesieve::MemPageData::is_info_filled
bool is_info_filled
Definition mempage_data.h:87
pesieve::MemPageData::isRealMapping
bool isRealMapping()
Definition mempage_data.cpp:60
pesieve::MemPageData::region_start
ULONGLONG region_start
Definition mempage_data.h:49
pesieve::RemoteModuleData::getModuleName
static std::string getModuleName(HANDLE _processHandle, HMODULE _modBaseAddr)
Definition module_data.cpp:255
pesieve::RemoteModuleData::getMappedName
static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr)
Definition module_data.cpp:269
mempage_data.h
module_data.h
pesieve::util::wow64_disable_fs_redirection
BOOL wow64_disable_fs_redirection(OUT PVOID *OldValue)
Definition process_util.cpp:104
pesieve::util::wow64_revert_fs_redirection
BOOL wow64_revert_fs_redirection(IN PVOID OldValue)
Definition process_util.cpp:121
process_util.h
Generated by doxygen 1.12.0