PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
module_data.cpp
Go to the documentation of this file.
1#include "module_data.h"
2
3#include "../utils/format_util.h"
4#include "../utils/path_converter.h"
5#include "../utils/process_util.h"
6#include "../utils/artefacts_util.h"
7#include "artefact_scanner.h"
8
9#include <psapi.h>
10#pragma comment(lib,"psapi.lib")
11
12using namespace pesieve::util;
13
14pesieve::ModulesCache cache;
15//---
16bool pesieve::ModuleData::loadModuleName()
17{
18 std::string my_name = pesieve::RemoteModuleData::getModuleName(processHandle, this->moduleHandle);
19 if (my_name.length() == 0 || my_name.length() > MAX_PATH) {
20 //invalid length
21 return false;
22 }
23 memcpy(this->szModName, my_name.c_str(), my_name.length());
24
25 // autoswitch the path to Wow64 mode if needed:
26 autoswichIfWow64Mapping();
27 return true;
28}
29
30bool pesieve::ModuleData::loadOriginal()
31{
32 //disable FS redirection by default
33 bool is_ok = _loadOriginal(true);
34 if (!is_ok) {
35 //if loading with FS redirection has failed, try without
36 is_ok = _loadOriginal(false);
37 }
38 return is_ok;
39}
40
41bool pesieve::ModuleData::_loadOriginal(bool disableFSredir)
42{
43 if (strlen(this->szModName) == 0) {
44 loadModuleName();
45 }
46 //just in case if something was loaded before...
47 peconv::free_pe_buffer(original_module, original_size);
48
49 BOOL isRedirDisabled = FALSE;
50 PVOID old_val;
51 if (disableFSredir) {
52 isRedirDisabled = wow64_disable_fs_redirection(&old_val);
53 // try to load with FS redirection disabled
54 }
55 if (this->useCache) {
56 original_module = cache.loadCached(szModName, original_size);
57 }
58 else {
59 original_module = peconv::load_pe_module(szModName, original_size, false, false);
60 }
61
62 if (isRedirDisabled) {
63 wow64_revert_fs_redirection(old_val);
64 }
65 if (!original_module) {
66 return false;
67 }
68 this->is_dot_net = isDotNetManagedCode();
69 return true;
70}
71
72
73bool pesieve::ModuleData::loadRelocatedFields(std::set<DWORD>& fields_rvas)
74{
75 if (!original_module || !original_size) {
76 return false;
77 }
78 //---
79 class CollectRelocField : public peconv::RelocBlockCallback
80 {
81 public:
82 CollectRelocField(ModuleData &_mod, std::set<DWORD>& _fields)
83 : RelocBlockCallback(_mod.is64bit()), mod(_mod), fields(_fields)
84 {
85 }
86
87 virtual bool processRelocField(ULONG_PTR relocField)
88 {
89 DWORD reloc_rva = mod.vaToRva(relocField, (ULONG_PTR)mod.original_module);
90 fields.insert(reloc_rva);
91 return true;
92 }
93
94 std::set<DWORD> &fields;
95 ModuleData &mod;
96 };
97 //---
98 if (!peconv::has_valid_relocation_table(original_module, original_size)) {
99 // No reloc table
100 return false;
101 }
102 CollectRelocField collector(*this, fields_rvas);
103 if (!peconv::process_relocation_table(original_module, original_size, &collector)) {
104 // Could not collect relocations
105 return false;
106 }
107 if (fields_rvas.size()) {
108 return true;
109 }
110 return false;
111}
112
113bool pesieve::ModuleData::loadImportThunks(std::set<DWORD>& thunk_rvas)
114{
115 if (!original_module || !original_size) {
116 return false;
117 }
118 if (!peconv::has_valid_import_table(original_module, original_size)) {
119 // No import table
120 return false;
121 }
122 if (!peconv::collect_thunks(original_module, original_size, thunk_rvas)) {
123 // Could not collect thunks
124 return false;
125 }
126 if (thunk_rvas.size()) {
127 return true;
128 }
129 return false;
130}
131
132bool pesieve::ModuleData::loadImportsList(peconv::ImportsCollection &collection)
133{
134 if (!original_module || !original_size) {
135 return false;
136 }
137 if (!peconv::has_valid_import_table(original_module, original_size)) {
138 // No import table
139 return false;
140 }
141 if (!peconv::collect_imports(original_module, original_size, collection)) {
142 // Could not collect imports
143 return false;
144 }
145 return true;
146}
147
148bool pesieve::ModuleData::relocateToBase(ULONGLONG new_base)
149{
150 if (!original_module) return false;
151
152 ULONGLONG original_base = peconv::get_image_base(original_module);
153 if (original_base == new_base) {
154 return true; // already relocated
155 }
156 if (peconv::has_relocations(original_module)
157 && !peconv::relocate_module(original_module, original_size, new_base, original_base))
158 {
159#ifdef _DEBUG
160 std::cerr << "[!] Relocating module failed!" << std::endl;
161#endif
162 return false;
163 }
164 peconv::update_image_base(original_module, new_base);
165 return true;
166}
167
168
169bool pesieve::ModuleData::autoswichIfWow64Mapping()
170{
171 std::string mapped_name = pesieve::RemoteModuleData::getMappedName(processHandle, this->moduleHandle);
172 std::string module_name = this->szModName;
173 bool is_same = (to_lowercase(mapped_name) == to_lowercase(module_name));
174
175 size_t mod_name_len = module_name.length();
176 if (!is_same && mod_name_len > 0) {
177 //check Wow64
178 char path_copy[MAX_PATH] = { 0 };
179 memcpy(path_copy, this->szModName, mod_name_len);
180 convert_to_wow64_path(path_copy);
181 is_same = (to_lowercase(mapped_name) == to_lowercase(path_copy));
182 if (is_same) {
183 this->switchToWow64Path();
184 return true;
185 }
186 }
187 return false;
188}
189
190bool pesieve::ModuleData::switchToWow64Path()
191{
192 BOOL isWow64 = FALSE;
193 if (!is_process_wow64(this->processHandle, &isWow64)) {
194 //failed to retrieve the info...
195 return false;
196 }
197 if (isWow64) {
198 if (pesieve::util::convert_to_wow64_path(szModName)) return true;
199 }
200 return false;
201}
202
203bool pesieve::ModuleData::reloadWow64()
204{
205 if (!switchToWow64Path()) return false;
206
207 //reload it and check again...
208 peconv::free_pe_buffer(original_module, original_size);
209 if (this->useCache) {
210 original_module = cache.loadCached(szModName, original_size);
211 }
212 else {
213 original_module = peconv::load_pe_module(szModName, original_size, false, false);
214 }
215 if (!original_module) {
216 std::cout << "[-] Failed to reload: " << szModName << "\n";
217 return false;
218 }
219 std::cout << "[+] Reloaded: " << szModName << "\n";
220 return true;
221}
222
223bool pesieve::ModuleData::isDotNetManagedCode()
224{
225 //has a directory entry for .NET header
226 IMAGE_DATA_DIRECTORY* dotNetDir = peconv::get_directory_entry(this->original_module, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR);
227 if (dotNetDir == nullptr) {
228 //does not have .NET directory
229 return false;
230 }
231
232 if (!peconv::get_dotnet_hdr(this->original_module, this->original_size, dotNetDir)){
233 return false;
234 }
235#ifdef _DEBUG
236 std::cout << "This is a .NET module" << std::endl;
237#endif
238 return true;
239}
240
241//----
242
243std::string pesieve::RemoteModuleData::getModuleName(HANDLE processHandle, HMODULE modBaseAddr)
244{
245 char filename[MAX_PATH] = { 0 };
246 if (!GetModuleFileNameExA(processHandle, modBaseAddr, filename, MAX_PATH)) {
247 return "";
248 }
249 std::string basic_filename = pesieve::util::convert_to_win32_path(filename);
250 std::string expanded = pesieve::util::expand_path(basic_filename);
251 if (expanded.length() == 0) {
252 return filename;
253 }
254 return expanded;
255}
256
257std::string pesieve::RemoteModuleData::getMappedName(HANDLE processHandle, LPVOID modBaseAddr)
258{
259 char filename[MAX_PATH] = { 0 };
260 if (GetMappedFileNameA(processHandle, modBaseAddr, filename, MAX_PATH) == 0) {
261 return "";
262 }
263 std::string expanded = pesieve::util::expand_path(filename);
264 if (expanded.length() == 0) {
265 return filename;
266 }
267 return expanded;
268}
269
270bool pesieve::RemoteModuleData::loadImportsList(peconv::ImportsCollection& collection)
271{
272 if (!isFullImageLoaded()) {
273 return false;
274 }
275 if (!peconv::has_valid_import_table(imgBuffer, imgBufferSize)) {
276 // No import table
277 return false;
278 }
279 if (!peconv::collect_imports(imgBuffer, imgBufferSize, collection)) {
280 // Could not collect imports
281 return false;
282 }
283 return true;
284}
285
286bool pesieve::RemoteModuleData::init()
287{
288 this->isHdrReady = false;
289 if (!loadHeader()) {
290 return false;
291 }
292 this->isHdrReady = true;
293 return true;
294}
295
296bool pesieve::RemoteModuleData::_loadFullImage(size_t mod_size)
297{
298 if (this->isFullImageLoaded()) {
299 return true;
300 }
301 this->imgBuffer = peconv::alloc_pe_buffer(mod_size, PAGE_READWRITE);
302 this->imgBufferSize = peconv::read_remote_pe(this->processHandle, (PBYTE)this->modBaseAddr, mod_size, this->imgBuffer, mod_size);
303 if (this->imgBufferSize == mod_size) {
304 return true;
305 }
306 this->freeFullImage();
307 return false;
308}
309
310bool pesieve::RemoteModuleData::loadFullImage()
311{
312 if (this->isFullImageLoaded()) {
313 return true;
314 }
315 size_t mod_size = this->getHdrImageSize();
316 if (_loadFullImage(mod_size)) {
317 return true;
318 }
319 //try again with calculated size:
320 mod_size = calcImgSize();
321 return _loadFullImage(mod_size);
322}
323
324bool pesieve::RemoteModuleData::loadHeader()
325{
326 if (!peconv::read_remote_pe_header(this->processHandle, (PBYTE)this->modBaseAddr, this->headerBuffer, peconv::MAX_HEADER_SIZE, this->isReflection)) {
327 return false;
328 }
329 return true;
330}
331
332ULONGLONG pesieve::RemoteModuleData::getRemoteSectionVa(const size_t section_num)
333{
334 if (!this->isInitialized()) return NULL;
335
336 PIMAGE_SECTION_HEADER section_hdr = peconv::get_section_hdr(headerBuffer, peconv::MAX_HEADER_SIZE, section_num);
337 if ((section_hdr == NULL) || section_hdr->SizeOfRawData == 0) {
338 return NULL;
339 }
340 return (ULONGLONG) modBaseAddr + section_hdr->VirtualAddress;
341}
342
343bool pesieve::RemoteModuleData::isSectionEntry(const size_t section_number)
344{
345 if (!this->isInitialized()) {
346 return false;
347 }
348 const DWORD ep_va = peconv::get_entry_point_rva(this->headerBuffer);
349 if (ep_va == 0) {
350 return false;
351 }
352 PIMAGE_SECTION_HEADER sec_hdr = peconv::get_section_hdr(this->headerBuffer, peconv::MAX_HEADER_SIZE, section_number);
353 if (!sec_hdr) {
354 return false;
355 }
356 if (ep_va >= sec_hdr->VirtualAddress
357 && ep_va < (sec_hdr->VirtualAddress + sec_hdr->Misc.VirtualSize))
358 {
359 return true;
360 }
361 return false;
362}
363
364bool pesieve::RemoteModuleData::isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible)
365{
366 //for special cases when the section is not set executable in headers, but in reality is executable...
367 //get the section header from the module:
368 ULONGLONG start_va = getRemoteSectionVa(section_number);
369 if (start_va == NULL) {
370 return false;
371 }
372 MEMORY_BASIC_INFORMATION page_info = { 0 };
373
374 SIZE_T out = VirtualQueryEx(processHandle, (LPCVOID) start_va, &page_info, sizeof(page_info));
375 if (out != sizeof(page_info)) {
376#ifdef _DEBUG
377 std::cerr << "Cannot retrieve remote section info" << std::endl;
378#endif
379 return false;
380 }
381#ifdef _DEBUG
382 std::cout << std::hex << "Sec: " << section_number << " VA: " << start_va << " t: " << page_info.Type << " p: " << page_info.Protect << std::endl;
383#endif
384
385 if (pesieve::util::is_executable(page_info.Type, page_info.Protect)) {
386 //std::cout << std::hex << "p1 Sec: " << section_number << " VA: " << start_va << " t: " << page_info.Type << " p: " << page_info.Protect << std::endl;
387 return true;
388 }
389 if (allow_data) {
390 if (pesieve::util::is_readable(page_info.Type, page_info.Protect)) {
391 //std::cout << std::hex << "p1 Sec: " << section_number << " VA: " << start_va << " t: " << page_info.Type << " p: " << page_info.Protect << std::endl;
392 return true;
393 }
394 }
395 if (allow_inaccessible) {
396 if (pesieve::util::is_normal_inaccessible(page_info.State, page_info.Type, page_info.Protect)) {
397 //std::cout << "[" << section_number << "] Inaccessible section found!\n";
398 return true;
399 }
400 }
401 return false;
402}
403
404bool pesieve::RemoteModuleData::hasExecutableSection(bool allow_data, bool allow_inaccessible)
405{
406 size_t sec_count = peconv::get_sections_count(this->headerBuffer, peconv::MAX_HEADER_SIZE);
407 for (size_t i = 0; i < sec_count ; i++) {
408 if (isSectionExecutable(i, allow_data, allow_inaccessible)) {
409 return true;
410 }
411 }
412 return false;
413}
414
415//calculate image size basing on the sizes of sections
416size_t pesieve::RemoteModuleData::calcImgSize()
417{
418 if (!isHdrReady) return 0;
419
420 return ArtefactScanner::calcImgSize(this->processHandle, this->modBaseAddr, this->headerBuffer, peconv::MAX_HEADER_SIZE);
421}
artefact_scanner.h
artefacts_util.h
pesieve::ArtefactScanner::calcImgSize
static size_t calcImgSize(HANDLE processHandle, HMODULE modBaseAddr, BYTE *headerBuffer, size_t headerBufferSize, IMAGE_SECTION_HEADER *hdr_ptr=NULL)
Definition artefact_scanner.cpp:176
pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15
pesieve::ModuleData::relocateToBase
bool relocateToBase(ULONGLONG new_base)
Definition module_data.cpp:148
pesieve::ModuleData::loadRelocatedFields
bool loadRelocatedFields(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:73
pesieve::ModuleData::_loadOriginal
bool _loadOriginal(bool disableFSredir)
Definition module_data.cpp:41
pesieve::ModuleData::szModName
char szModName[MAX_PATH]
Definition module_data.h:102
pesieve::ModuleData::loadImportsList
bool loadImportsList(peconv::ImportsCollection &collection)
Definition module_data.cpp:132
pesieve::ModuleData::loadImportThunks
bool loadImportThunks(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:113
pesieve::ModulesCache::loadCached
BYTE * loadCached(LPSTR szModName, size_t &original_size)
Definition module_cache.cpp:3
pesieve::RemoteModuleData::_loadFullImage
bool _loadFullImage(size_t v_size)
Definition module_data.cpp:296
pesieve::RemoteModuleData::loadImportsList
bool loadImportsList(peconv::ImportsCollection &collection)
Definition module_data.cpp:270
pesieve::RemoteModuleData::getModuleName
static std::string getModuleName(HANDLE _processHandle, HMODULE _modBaseAddr)
Definition module_data.cpp:243
pesieve::RemoteModuleData::hasExecutableSection
bool hasExecutableSection(bool allow_data, bool allow_inaccessible)
Definition module_data.cpp:404
pesieve::RemoteModuleData::isSectionExecutable
bool isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible)
Definition module_data.cpp:364
pesieve::RemoteModuleData::getMappedName
static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr)
Definition module_data.cpp:257
pesieve::RemoteModuleData::getRemoteSectionVa
ULONGLONG getRemoteSectionVa(const size_t section_num)
Definition module_data.cpp:332
pesieve::RemoteModuleData::isSectionEntry
bool isSectionEntry(const size_t section_number)
Definition module_data.cpp:343
format_util.h
cache
pesieve::ModulesCache cache
Definition module_data.cpp:14
module_data.h
pesieve::util::to_lowercase
std::string to_lowercase(std::string)
Definition strings_util.cpp:6
pesieve::util::wow64_disable_fs_redirection
BOOL wow64_disable_fs_redirection(OUT PVOID *OldValue)
Definition process_util.cpp:91
pesieve::util::is_process_wow64
BOOL is_process_wow64(IN HANDLE processHandle, OUT BOOL *isProcWow64)
Definition process_util.cpp:27
pesieve::util::expand_path
std::string expand_path(std::string path)
Definition path_converter.cpp:252
pesieve::util::is_readable
bool is_readable(DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:115
pesieve::util::convert_to_win32_path
std::string convert_to_win32_path(const std::string &path)
Definition path_converter.cpp:206
pesieve::util::is_normal_inaccessible
bool is_normal_inaccessible(DWORD state, DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:122
pesieve::util::BOOL
BOOL(CALLBACK *_MiniDumpWriteDump)(HANDLE hProcess
pesieve::util::is_executable
bool is_executable(DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:106
pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
pesieve::util::convert_to_wow64_path
bool convert_to_wow64_path(char *szModName)
Definition path_converter.cpp:195
pesieve::util::wow64_revert_fs_redirection
BOOL wow64_revert_fs_redirection(IN PVOID OldValue)
Definition process_util.cpp:108
pesieve.MAX_PATH
int MAX_PATH
Definition pesieve.py:10
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
path_converter.h
process_util.h
Generated by doxygen 1.10.0