PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
mempage_data.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include <peconv.h>
6
7#include "../utils/byte_buffer.h"
8
9namespace pesieve {
10
11 class MemPageData
12 {
13 public:
14 MemPageData(HANDLE _process, bool _is_process_refl, ULONGLONG _start_va, ULONGLONG _stop_va)
15 : processHandle(_process), start_va(_start_va), stop_va(_stop_va),
16 is_listed_module(false),
17 is_info_filled(false),
18 is_process_refl(_is_process_refl)
19 {
20 fillInfo();
21 }
22
23 virtual ~MemPageData()
24 {
25 _freeRemote();
26 }
27
28 bool isRefl() const { return is_process_refl; }
29 bool fillInfo();
30 bool isInfoFilled() { return is_info_filled; }
31 size_t getLoadedSize(bool trimmed = false) { return loadedData.getDataSize(trimmed); }
32 const PBYTE getLoadedData(bool trimmed = false) { return (PBYTE)loadedData.getData(trimmed); }
33 const size_t getStartOffset(bool trimmed = false) { return loadedData.getStartOffset(trimmed); }
34
35 bool validatePtr(const LPVOID field_bgn, size_t field_size)
36 {
37 return loadedData.isValidPtr((BYTE*)field_bgn, field_size);
38 }
39
40 ULONGLONG start_va;
41 ULONGLONG stop_va;
42 DWORD protection;
43 DWORD initial_protect;
44 bool is_private;
45 DWORD mapping_type;
46 bool is_listed_module;
47
48 ULONGLONG alloc_base;
49 ULONGLONG region_start;
50 ULONGLONG region_end;
51
52 std::string mapped_name;
53 std::string module_name;
54
55 // Checks if `loadedData` is already filled, if not, fills it by reading the remote memory.
56 bool load()
57 {
58 if (loadedData.isFilled()) {
59 return true;
60 }
61 if (!_loadRemote()) {
62 return false;
63 }
64 //check again:
65 if (loadedData.isFilled()) {
66 return true;
67 }
68 return false;
69 }
70
71 bool loadMappedName();
72 bool loadModuleName();
73
74 // checks if the memory area is mapped 1-to-1 from the file on the disk
75 bool isRealMapping();
76
77 util::ByteBuffer loadedData;
78
79 protected:
80 bool _loadRemote();
81
82 void _freeRemote()
83 {
84 loadedData.freeBuffer();
85 }
86
87 bool is_info_filled;
88 const bool is_process_refl;
89 HANDLE processHandle;
90 };
91
92}; //namespace pesieve
93
byte_buffer.h
pesieve::MemPageData
Definition mempage_data.h:12
pesieve::MemPageData::load
bool load()
Definition mempage_data.h:56
pesieve::MemPageData::loadMappedName
bool loadMappedName()
Definition mempage_data.cpp:44
pesieve::MemPageData::getLoadedSize
size_t getLoadedSize(bool trimmed=false)
Definition mempage_data.h:31
pesieve::MemPageData::protection
DWORD protection
page protection
Definition mempage_data.h:42
pesieve::MemPageData::loadedData
util::ByteBuffer loadedData
Definition mempage_data.h:77
pesieve::MemPageData::~MemPageData
virtual ~MemPageData()
Definition mempage_data.h:23
pesieve::MemPageData::_loadRemote
bool _loadRemote()
Definition mempage_data.cpp:112
pesieve::MemPageData::MemPageData
MemPageData(HANDLE _process, bool _is_process_refl, ULONGLONG _start_va, ULONGLONG _stop_va)
Definition mempage_data.h:14
pesieve::MemPageData::region_end
ULONGLONG region_end
Definition mempage_data.h:50
pesieve::MemPageData::is_process_refl
const bool is_process_refl
Definition mempage_data.h:88
pesieve::MemPageData::alloc_base
ULONGLONG alloc_base
Definition mempage_data.h:48
pesieve::MemPageData::processHandle
HANDLE processHandle
Definition mempage_data.h:89
pesieve::MemPageData::fillInfo
bool fillInfo()
Definition mempage_data.cpp:7
pesieve::MemPageData::getLoadedData
const PBYTE getLoadedData(bool trimmed=false)
Definition mempage_data.h:32
pesieve::MemPageData::loadModuleName
bool loadModuleName()
Definition mempage_data.cpp:30
pesieve::MemPageData::_freeRemote
void _freeRemote()
Definition mempage_data.h:82
pesieve::MemPageData::stop_va
ULONGLONG stop_va
the VA at which the read will stop
Definition mempage_data.h:41
pesieve::MemPageData::mapped_name
std::string mapped_name
if the region is mapped from a file, stores its file name
Definition mempage_data.h:52
pesieve::MemPageData::mapping_type
DWORD mapping_type
Definition mempage_data.h:45
pesieve::MemPageData::initial_protect
DWORD initial_protect
Definition mempage_data.h:43
pesieve::MemPageData::isInfoFilled
bool isInfoFilled()
Definition mempage_data.h:30
pesieve::MemPageData::isRefl
bool isRefl() const
Definition mempage_data.h:28
pesieve::MemPageData::validatePtr
bool validatePtr(const LPVOID field_bgn, size_t field_size)
Definition mempage_data.h:35
pesieve::MemPageData::start_va
ULONGLONG start_va
VA that was requested. May not be beginning of the region.
Definition mempage_data.h:40
pesieve::MemPageData::is_info_filled
bool is_info_filled
Definition mempage_data.h:87
pesieve::MemPageData::isRealMapping
bool isRealMapping()
Definition mempage_data.cpp:60
pesieve::MemPageData::getStartOffset
const size_t getStartOffset(bool trimmed=false)
Definition mempage_data.h:33
pesieve::MemPageData::region_start
ULONGLONG region_start
Definition mempage_data.h:49
pesieve::MemPageData::is_private
bool is_private
Definition mempage_data.h:44
pesieve::MemPageData::is_listed_module
bool is_listed_module
Definition mempage_data.h:46
pesieve::MemPageData::module_name
std::string module_name
if the region is on the list of loaded PEs, stores its module name
Definition mempage_data.h:53
pesieve::util::BasicBuffer::getDataSize
size_t getDataSize(bool trimmed=false) const
Definition byte_buffer.h:55
pesieve::util::BasicBuffer::getData
const BYTE * getData(bool trimmed=false) const
Definition byte_buffer.h:65
pesieve::util::BasicBuffer::getStartOffset
size_t getStartOffset(bool trimmed) const
Definition byte_buffer.h:48
pesieve::util::ByteBuffer::isValidPtr
bool isValidPtr(BYTE *field_bgn, size_t field_size)
Definition byte_buffer.h:112
Generated by doxygen 1.12.0