PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
module_data.cpp
Go to the documentation of this file.
1#include "module_data.h"
2
3#include "../utils/format_util.h"
4#include "../utils/path_converter.h"
5#include "../utils/process_util.h"
6#include "../utils/artefacts_util.h"
7#include "artefact_scanner.h"
8
9#include <psapi.h>
10#pragma comment(lib,"psapi.lib")
11
12using namespace pesieve::util;
13
14pesieve::ModulesCache cache;
15//---
16bool pesieve::ModuleData::loadModuleName()
17{
18 std::string my_name = pesieve::RemoteModuleData::getModuleName(processHandle, this->moduleHandle);
19 if (my_name.length() == 0 || my_name.length() > MAX_PATH) {
20 //invalid length
21 return false;
22 }
23 memcpy(this->szModName, my_name.c_str(), my_name.length());
24
25 // autoswitch the path to Wow64 mode if needed:
26 autoswichIfWow64Mapping();
27 return true;
28}
29
30bool pesieve::ModuleData::loadOriginal()
31{
32 //disable FS redirection by default
33 bool is_ok = _loadOriginal(true);
34 if (!is_ok) {
35 //if loading with FS redirection has failed, try without
36 is_ok = _loadOriginal(false);
37 }
38 return is_ok;
39}
40
41bool pesieve::ModuleData::_loadOriginal(bool disableFSredir)
42{
43 if (strlen(this->szModName) == 0) {
44 loadModuleName();
45 }
46 //just in case if something was loaded before...
47 peconv::free_pe_buffer(original_module, original_size);
48
49 BOOL isRedirDisabled = FALSE;
50 PVOID old_val;
51 if (disableFSredir) {
52 isRedirDisabled = wow64_disable_fs_redirection(&old_val);
53 // try to load with FS redirection disabled
54 }
55 if (this->useCache) {
56 original_module = cache.loadCached(szModName, original_size);
57 }
58 else {
59 original_module = peconv::load_pe_module(szModName, original_size, false, false);
60 }
61
62 if (isRedirDisabled) {
63 wow64_revert_fs_redirection(old_val);
64 }
65 if (!original_module) {
66 return false;
67 }
68 this->is_dot_net = isDotNetManagedCode();
69 return true;
70}
71
72
73bool pesieve::ModuleData::loadRelocatedFields(std::set<DWORD>& fields_rvas)
74{
75 if (!original_module || !original_size) {
76 return false;
77 }
78 //---
79 class CollectRelocField : public peconv::RelocBlockCallback
80 {
81 public:
82 CollectRelocField(ModuleData &_mod, std::set<DWORD>& _fields)
83 : RelocBlockCallback(_mod.is64bit()), mod(_mod), fields(_fields)
84 {
85 }
86
87 virtual bool processRelocField(ULONG_PTR relocField)
88 {
89 DWORD reloc_rva = mod.vaToRva(relocField, (ULONG_PTR)mod.original_module);
90 fields.insert(reloc_rva);
91 return true;
92 }
93
94 std::set<DWORD> &fields;
95 ModuleData &mod;
96 };
97 //---
98 if (!peconv::has_valid_relocation_table(original_module, original_size)) {
99 // No reloc table
100 return false;
101 }
102 CollectRelocField collector(*this, fields_rvas);
103 if (!peconv::process_relocation_table(original_module, original_size, &collector)) {
104 // Could not collect relocations
105 return false;
106 }
107 if (fields_rvas.size()) {
108 return true;
109 }
110 return false;
111}
112
113bool pesieve::ModuleData::loadImportThunks(std::set<DWORD>& thunk_rvas)
114{
115 if (!original_module || !original_size) {
116 return false;
117 }
118 if (!peconv::has_valid_import_table(original_module, original_size)) {
119 // No import table
120 return false;
121 }
122 if (!peconv::collect_thunks(original_module, original_size, thunk_rvas)) {
123 // Could not collect thunks
124 return false;
125 }
126 if (thunk_rvas.size()) {
127 return true;
128 }
129 return false;
130}
131
132bool pesieve::ModuleData::loadImportsList(peconv::ImportsCollection &collection)
133{
134 if (!original_module || !original_size) {
135 return false;
136 }
137 if (!peconv::has_valid_import_table(original_module, original_size)) {
138 // No import table
139 return false;
140 }
141 if (!peconv::collect_imports(original_module, original_size, collection)) {
142 // Could not collect imports
143 return false;
144 }
145 return true;
146}
147
148bool pesieve::ModuleData::relocateToBase(ULONGLONG new_base)
149{
150 if (!original_module) return false;
151
152 ULONGLONG original_base = peconv::get_image_base(original_module);
153 if (original_base == new_base) {
154 return true; // already relocated
155 }
156 if (peconv::has_relocations(original_module)
157 && !peconv::relocate_module(original_module, original_size, new_base, original_base))
158 {
159#ifdef _DEBUG
160 std::cerr << "[!] Relocating module failed!" << std::endl;
161#endif
162 return false;
163 }
164 peconv::update_image_base(original_module, new_base);
165 return true;
166}
167
168
169bool pesieve::ModuleData::autoswichIfWow64Mapping()
170{
171 std::string mapped_name = pesieve::RemoteModuleData::getMappedName(processHandle, this->moduleHandle);
172 std::string module_name = this->szModName;
173 bool is_same = (to_lowercase(mapped_name) == to_lowercase(module_name));
174
175 size_t mod_name_len = module_name.length();
176 if (!is_same && mod_name_len > 0) {
177 //check Wow64
178 char path_copy[MAX_PATH] = { 0 };
179 memcpy(path_copy, this->szModName, mod_name_len);
180 convert_to_wow64_path(path_copy);
181 is_same = (to_lowercase(mapped_name) == to_lowercase(path_copy));
182 if (is_same) {
183 this->switchToWow64Path();
184 return true;
185 }
186 }
187 return false;
188}
189
190bool pesieve::ModuleData::switchToWow64Path()
191{
192 BOOL isWow64 = FALSE;
193 if (!is_process_wow64(this->processHandle, &isWow64)) {
194 //failed to retrieve the info...
195 return false;
196 }
197 if (isWow64) {
198 if (pesieve::util::convert_to_wow64_path(szModName)) return true;
199 }
200 return false;
201}
202
203bool pesieve::ModuleData::switchToMappedPath()
204{
205 const std::string path = RemoteModuleData::getMappedName(this->processHandle, this->moduleHandle);
206 const size_t len = path.length();
207 if (len >= MAX_PATH) {
208 return false;
209 }
210 ::memcpy(szModName, path.c_str(), len);
211 szModName[len] = 0;
212 return true;
213}
214
215bool pesieve::ModuleData::reloadWow64()
216{
217 if (!switchToWow64Path()) return false;
218
219 //reload it and check again...
220 peconv::free_pe_buffer(original_module, original_size);
221 if (this->useCache) {
222 original_module = cache.loadCached(szModName, original_size);
223 }
224 else {
225 original_module = peconv::load_pe_module(szModName, original_size, false, false);
226 }
227 if (!original_module) {
228#ifdef _DEBUG
229 std::cout << "[-] Failed to reload: " << szModName << "\n";
230#endif //_DEBUG
231 return false;
232 }
233#ifdef _DEBUG
234 std::cout << "[+] Reloaded: " << szModName << "\n";
235#endif //_DEBUG
236 return true;
237}
238
239bool pesieve::ModuleData::isDotNetManagedCode()
240{
241 //has a directory entry for .NET header
242 IMAGE_DATA_DIRECTORY* dotNetDir = peconv::get_directory_entry(this->original_module, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR);
243 if (dotNetDir == nullptr) {
244 //does not have .NET directory
245 return false;
246 }
247
248 if (!peconv::get_dotnet_hdr(this->original_module, this->original_size, dotNetDir)){
249 return false;
250 }
251#ifdef _DEBUG
252 std::cout << "This is a .NET module" << std::endl;
253#endif
254 return true;
255}
256
257//----
258
259std::string pesieve::RemoteModuleData::getModuleName(HANDLE processHandle, HMODULE modBaseAddr)
260{
261 char filename[MAX_PATH] = { 0 };
262 if (!GetModuleFileNameExA(processHandle, modBaseAddr, filename, MAX_PATH)) {
263 return "";
264 }
265 std::string basic_filename = pesieve::util::convert_to_win32_path(filename);
266 std::string expanded = pesieve::util::expand_path(basic_filename);
267 if (expanded.length() == 0) {
268 return filename;
269 }
270 return expanded;
271}
272
273std::string pesieve::RemoteModuleData::getMappedName(HANDLE processHandle, LPVOID modBaseAddr)
274{
275 char filename[MAX_PATH] = { 0 };
276 if (GetMappedFileNameA(processHandle, modBaseAddr, filename, MAX_PATH) == 0) {
277 return "";
278 }
279 std::string expanded = pesieve::util::expand_path(filename);
280 if (expanded.length() == 0) {
281 return filename;
282 }
283 return expanded;
284}
285
286bool pesieve::RemoteModuleData::loadImportsList(peconv::ImportsCollection& collection)
287{
288 if (!isFullImageLoaded()) {
289 return false;
290 }
291 if (!peconv::has_valid_import_table(imgBuffer, imgBufferSize)) {
292 // No import table
293 return false;
294 }
295 if (!peconv::collect_imports(imgBuffer, imgBufferSize, collection)) {
296 // Could not collect imports
297 return false;
298 }
299 return true;
300}
301
302bool pesieve::RemoteModuleData::init()
303{
304 this->isHdrReady = false;
305 if (!loadHeader()) {
306 return false;
307 }
308 this->isHdrReady = true;
309 return true;
310}
311
312bool pesieve::RemoteModuleData::_loadFullImage(size_t mod_size)
313{
314 if (this->isFullImageLoaded()) {
315 return true;
316 }
317 this->imgBuffer = peconv::alloc_pe_buffer(mod_size, PAGE_READWRITE);
318 this->imgBufferSize = peconv::read_remote_pe(this->processHandle, (PBYTE)this->modBaseAddr, mod_size, this->imgBuffer, mod_size);
319 if (this->imgBufferSize == mod_size) {
320 return true;
321 }
322 this->freeFullImage();
323 return false;
324}
325
326bool pesieve::RemoteModuleData::loadFullImage()
327{
328 if (this->isFullImageLoaded()) {
329 return true;
330 }
331 size_t mod_size = this->getHdrImageSize();
332 if (_loadFullImage(mod_size)) {
333 return true;
334 }
335 //try again with calculated size:
336 mod_size = calcImgSize();
337 return _loadFullImage(mod_size);
338}
339
340bool pesieve::RemoteModuleData::loadHeader()
341{
342 if (!peconv::read_remote_pe_header(this->processHandle, (PBYTE)this->modBaseAddr, this->headerBuffer, peconv::MAX_HEADER_SIZE, this->isReflection)) {
343 return false;
344 }
345 return true;
346}
347
348ULONGLONG pesieve::RemoteModuleData::getRemoteSectionVa(const size_t section_num)
349{
350 if (!this->isInitialized()) return 0;
351
352 PIMAGE_SECTION_HEADER section_hdr = peconv::get_section_hdr(headerBuffer, peconv::MAX_HEADER_SIZE, section_num);
353 if (!section_hdr || (section_hdr->SizeOfRawData == 0)) {
354 return 0;
355 }
356 return (ULONGLONG) modBaseAddr + section_hdr->VirtualAddress;
357}
358
359bool pesieve::RemoteModuleData::isSectionEntry(const size_t section_number)
360{
361 if (!this->isInitialized()) {
362 return false;
363 }
364 const DWORD ep_va = peconv::get_entry_point_rva(this->headerBuffer);
365 if (ep_va == 0) {
366 return false;
367 }
368 PIMAGE_SECTION_HEADER sec_hdr = peconv::get_section_hdr(this->headerBuffer, peconv::MAX_HEADER_SIZE, section_number);
369 if (!sec_hdr) {
370 return false;
371 }
372 if (ep_va >= sec_hdr->VirtualAddress
373 && ep_va < (sec_hdr->VirtualAddress + sec_hdr->Misc.VirtualSize))
374 {
375 return true;
376 }
377 return false;
378}
379
380bool pesieve::RemoteModuleData::isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible)
381{
382 //for special cases when the section is not set executable in headers, but in reality is executable...
383 //get the section header from the module:
384 ULONGLONG start_va = getRemoteSectionVa(section_number);
385 if (!start_va) {
386 return false;
387 }
388 MEMORY_BASIC_INFORMATION page_info = { 0 };
389
390 SIZE_T out = VirtualQueryEx(processHandle, (LPCVOID) start_va, &page_info, sizeof(page_info));
391 if (out != sizeof(page_info)) {
392#ifdef _DEBUG
393 std::cerr << "Cannot retrieve remote section info" << std::endl;
394#endif
395 return false;
396 }
397#ifdef _DEBUG
398 std::cout << std::hex << "Sec: " << section_number << " VA: " << start_va << " t: " << page_info.Type << " p: " << page_info.Protect << std::endl;
399#endif
400
401 if (pesieve::util::is_executable(page_info.Type, page_info.Protect)) {
402 //std::cout << std::hex << "p1 Sec: " << section_number << " VA: " << start_va << " t: " << page_info.Type << " p: " << page_info.Protect << std::endl;
403 return true;
404 }
405 if (allow_data) {
406 if (pesieve::util::is_readable(page_info.Type, page_info.Protect)) {
407 //std::cout << std::hex << "p1 Sec: " << section_number << " VA: " << start_va << " t: " << page_info.Type << " p: " << page_info.Protect << std::endl;
408 return true;
409 }
410 }
411 if (allow_inaccessible) {
412 if (pesieve::util::is_normal_inaccessible(page_info.State, page_info.Type, page_info.Protect)) {
413 //std::cout << "[" << section_number << "] Inaccessible section found!\n";
414 return true;
415 }
416 }
417 return false;
418}
419
420bool pesieve::RemoteModuleData::hasExecutableSection(bool allow_data, bool allow_inaccessible)
421{
422 size_t sec_count = peconv::get_sections_count(this->headerBuffer, peconv::MAX_HEADER_SIZE);
423 for (size_t i = 0; i < sec_count ; i++) {
424 if (isSectionExecutable(i, allow_data, allow_inaccessible)) {
425 return true;
426 }
427 }
428 return false;
429}
430
431//calculate image size basing on the sizes of sections
432size_t pesieve::RemoteModuleData::calcImgSize()
433{
434 if (!isHdrReady) return 0;
435
436 return ArtefactScanner::calcImgSize(this->processHandle, this->modBaseAddr, this->headerBuffer, peconv::MAX_HEADER_SIZE);
437}
438
artefact_scanner.h
artefacts_util.h
pesieve::ArtefactScanner::calcImgSize
static size_t calcImgSize(HANDLE processHandle, HMODULE modBaseAddr, BYTE *headerBuffer, size_t headerBufferSize, IMAGE_SECTION_HEADER *hdr_ptr=NULL)
Definition artefact_scanner.cpp:176
pesieve::ModuleData::ModuleData
ModuleData(HANDLE _processHandle, HMODULE _module, bool _isPEBConnected, bool _useCache, const char *_moduleName=nullptr)
Definition module_data.h:18
pesieve::ModuleData::relocateToBase
bool relocateToBase(ULONGLONG new_base)
Definition module_data.cpp:148
pesieve::ModuleData::loadRelocatedFields
bool loadRelocatedFields(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:73
pesieve::ModuleData::_loadOriginal
bool _loadOriginal(bool disableFSredir)
Definition module_data.cpp:41
pesieve::ModuleData::szModName
char szModName[MAX_PATH]
Definition module_data.h:100
pesieve::ModuleData::loadImportsList
bool loadImportsList(peconv::ImportsCollection &collection)
Definition module_data.cpp:132
pesieve::ModuleData::loadImportThunks
bool loadImportThunks(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:113
pesieve::RemoteModuleData::_loadFullImage
bool _loadFullImage(size_t v_size)
Definition module_data.cpp:312
pesieve::RemoteModuleData::loadImportsList
bool loadImportsList(peconv::ImportsCollection &collection)
Definition module_data.cpp:286
pesieve::RemoteModuleData::getModuleName
static std::string getModuleName(HANDLE _processHandle, HMODULE _modBaseAddr)
Definition module_data.cpp:259
pesieve::RemoteModuleData::headerBuffer
BYTE headerBuffer[peconv::MAX_HEADER_SIZE]
Definition module_data.h:196
pesieve::RemoteModuleData::hasExecutableSection
bool hasExecutableSection(bool allow_data, bool allow_inaccessible)
Definition module_data.cpp:420
pesieve::RemoteModuleData::isSectionExecutable
bool isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible)
Definition module_data.cpp:380
pesieve::RemoteModuleData::getMappedName
static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr)
Definition module_data.cpp:273
pesieve::RemoteModuleData::getRemoteSectionVa
ULONGLONG getRemoteSectionVa(const size_t section_num)
Definition module_data.cpp:348
pesieve::RemoteModuleData::isSectionEntry
bool isSectionEntry(const size_t section_number)
Definition module_data.cpp:359
format_util.h
cache
pesieve::ModulesCache cache
Definition module_data.cpp:14
module_data.h
pesieve::util::expand_path
std::string expand_path(const std::string &path)
Definition path_converter.cpp:252
pesieve::util::to_lowercase
std::string to_lowercase(std::string)
Definition strings_util.cpp:6
pesieve::util::wow64_disable_fs_redirection
BOOL wow64_disable_fs_redirection(OUT PVOID *OldValue)
Definition process_util.cpp:104
pesieve::util::is_process_wow64
BOOL is_process_wow64(IN HANDLE processHandle, OUT BOOL *isProcWow64)
Definition process_util.cpp:27
pesieve::util::is_readable
bool is_readable(DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:118
pesieve::util::convert_to_win32_path
std::string convert_to_win32_path(const std::string &path)
Definition path_converter.cpp:206
pesieve::util::is_normal_inaccessible
bool is_normal_inaccessible(DWORD state, DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:125
pesieve::util::BOOL
BOOL(CALLBACK *_MiniDumpWriteDump)(HANDLE hProcess
pesieve::util::is_executable
bool is_executable(DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:109
pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
pesieve::util::convert_to_wow64_path
bool convert_to_wow64_path(char *szModName)
Definition path_converter.cpp:195
pesieve::util::wow64_revert_fs_redirection
BOOL wow64_revert_fs_redirection(IN PVOID OldValue)
Definition process_util.cpp:121
pesieve.MAX_PATH
int MAX_PATH
Definition pesieve.py:10
path_converter.h
process_util.h
Generated by doxygen 1.13.2