pe-sieve/mempage__data_8h_source.html

#pragma once


#include <windows.h>


#include <peconv.h>


#include "../utils/byte_buffer.h"


namespace pesieve {


    class MemPageData

    {

    public:


        MemPageData(HANDLE _process, bool _is_process_refl, ULONGLONG _start_va, ULONGLONG _stop_va)

            : processHandle(_process), start_va(_start_va), stop_va(_stop_va),

            is_listed_module(false),

            is_info_filled(false),

            is_process_refl(_is_process_refl)

        {

            fillInfo();

        }


        virtual ~MemPageData()

        {

            _freeRemote();

        }


        bool isRefl() const { return is_process_refl; }

        bool fillInfo();

        bool isInfoFilled() { return is_info_filled; }

        size_t getLoadedSize(bool trimmed = false) { return loadedData.getDataSize(trimmed); }

        const PBYTE getLoadedData(bool trimmed = false) { return (PBYTE)loadedData.getData(trimmed); }

        const size_t getStartOffset(bool trimmed = false) { return loadedData.getStartOffset(trimmed); }


        bool validatePtr(const LPVOID field_bgn, size_t field_size)

        {

            return loadedData.isValidPtr((BYTE*)field_bgn, field_size);

        }


        ULONGLONG start_va;

        ULONGLONG stop_va;

        DWORD protection;

        DWORD initial_protect;

        bool is_private;

        DWORD mapping_type;

        bool is_listed_module;


        ULONGLONG alloc_base;

        ULONGLONG region_start;

        ULONGLONG region_end;


        std::string mapped_name;

        std::string module_name;


        // Checks if `loadedData` is already filled, if not, fills it by reading the remote memory.


        bool load()

        {

            if (loadedData.isFilled()) {

                return true;

            }

            if (!_loadRemote()) {

                return false;

            }

            //check again:

            if (loadedData.isFilled()) {

                return true;

            }

            return false;

        }


        bool loadMappedName();

        bool loadModuleName();


        // checks if the memory area is mapped 1-to-1 from the file on the disk

        bool isRealMapping();


        util::ByteBuffer loadedData;


    protected:

        bool _loadRemote();


        void _freeRemote()

        {

            loadedData.freeBuffer();

        }


        bool is_info_filled;

        const bool is_process_refl;

        HANDLE processHandle;

    };


}; //namespace pesieve


byte_buffer.h

pesieve::MemPageData::load
bool load()
Definition mempage_data.h:56

pesieve::MemPageData::loadMappedName
bool loadMappedName()
Definition mempage_data.cpp:44

pesieve::MemPageData::getLoadedSize
size_t getLoadedSize(bool trimmed=false)
Definition mempage_data.h:31

pesieve::MemPageData::protection
DWORD protection
page protection
Definition mempage_data.h:42

pesieve::MemPageData::loadedData
util::ByteBuffer loadedData
Definition mempage_data.h:77

pesieve::MemPageData::~MemPageData
virtual ~MemPageData()
Definition mempage_data.h:23

pesieve::MemPageData::_loadRemote
bool _loadRemote()
Definition mempage_data.cpp:112

pesieve::MemPageData::MemPageData
MemPageData(HANDLE _process, bool _is_process_refl, ULONGLONG _start_va, ULONGLONG _stop_va)
Definition mempage_data.h:14

pesieve::MemPageData::region_end
ULONGLONG region_end
Definition mempage_data.h:50

pesieve::MemPageData::is_process_refl
const bool is_process_refl
Definition mempage_data.h:88

pesieve::MemPageData::alloc_base
ULONGLONG alloc_base
Definition mempage_data.h:48

pesieve::MemPageData::processHandle
HANDLE processHandle
Definition mempage_data.h:89

pesieve::MemPageData::fillInfo
bool fillInfo()
Definition mempage_data.cpp:7

pesieve::MemPageData::getLoadedData
const PBYTE getLoadedData(bool trimmed=false)
Definition mempage_data.h:32

pesieve::MemPageData::loadModuleName
bool loadModuleName()
Definition mempage_data.cpp:30

pesieve::MemPageData::_freeRemote
void _freeRemote()
Definition mempage_data.h:82

pesieve::MemPageData::stop_va
ULONGLONG stop_va
the VA at which the read will stop
Definition mempage_data.h:41

pesieve::MemPageData::mapped_name
std::string mapped_name
if the region is mapped from a file, stores its file name
Definition mempage_data.h:52

pesieve::MemPageData::mapping_type
DWORD mapping_type
Definition mempage_data.h:45

pesieve::MemPageData::initial_protect
DWORD initial_protect
Definition mempage_data.h:43

pesieve::MemPageData::isInfoFilled
bool isInfoFilled()
Definition mempage_data.h:30

pesieve::MemPageData::isRefl
bool isRefl() const
Definition mempage_data.h:28

pesieve::MemPageData::validatePtr
bool validatePtr(const LPVOID field_bgn, size_t field_size)
Definition mempage_data.h:35

pesieve::MemPageData::start_va
ULONGLONG start_va
VA that was requested. May not be beginning of the region.
Definition mempage_data.h:40

pesieve::MemPageData::is_info_filled
bool is_info_filled
Definition mempage_data.h:87

pesieve::MemPageData::isRealMapping
bool isRealMapping()
Definition mempage_data.cpp:60

pesieve::MemPageData::getStartOffset
const size_t getStartOffset(bool trimmed=false)
Definition mempage_data.h:33

pesieve::MemPageData::region_start
ULONGLONG region_start
Definition mempage_data.h:49

pesieve::MemPageData::is_private
bool is_private
Definition mempage_data.h:44

pesieve::MemPageData::is_listed_module
bool is_listed_module
Definition mempage_data.h:46

pesieve::MemPageData::module_name
std::string module_name
if the region is on the list of loaded PEs, stores its module name
Definition mempage_data.h:53

pesieve
Definition pesieve.py:1

pesieve::util::ByteBuffer
Definition byte_buffer.h:89