PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
module_data.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <psapi.h>
5#include <map>
6#include <set>
7
8#include <peconv.h>
9#include "../utils/format_util.h"
10#include "module_cache.h"
11
12namespace pesieve {
13
15 class ModuleData {
16
17 public:
18 ModuleData(HANDLE _processHandle, HMODULE _module, bool _isPEBConnected, bool _useCache, const char* _moduleName = nullptr)
19 : processHandle(_processHandle), moduleHandle(_module),
20 isPEBConnected(_isPEBConnected), useCache(_useCache),
21 is_module_named(false), original_size(0), original_module(nullptr),
22 is_dot_net(false)
23 {
24 memset(szModName, 0, MAX_PATH);
25 if (!_moduleName) {
26 loadModuleName();
27 }
28 else {
29 const size_t nameLen = strnlen(_moduleName, MAX_PATH);
30 memcpy(this->szModName, _moduleName, nameLen);
31 }
32
33 }
34
35 ~ModuleData()
36 {
37 peconv::free_pe_buffer(original_module, original_size);
38 }
39
40 bool is64bit()
41 {
42 if (original_module == nullptr) {
43 return false;
44 }
45 return peconv::is64bit(original_module);
46 }
47
48 bool isDotNet() { return this->is_dot_net; }
49
50 ULONGLONG rvaToVa(DWORD rva, ULONGLONG module_base = 0)
51 {
52 if (module_base == 0) {
53 module_base = reinterpret_cast<ULONGLONG>(this->moduleHandle);
54 }
55 return module_base + rva;
56 }
57
58 DWORD vaToRva(ULONGLONG va, ULONGLONG module_base = 0)
59 {
60 if (module_base == 0) {
61 module_base = reinterpret_cast<ULONGLONG>(this->moduleHandle);
62 }
63 if (va < module_base) {
64 return 0; // not this module
65 }
66 if (va > module_base + this->original_size) {
67 return 0; // not this module
68 }
69 ULONGLONG diff = (va - module_base);
70 return static_cast<DWORD>(diff);
71 }
72
73 bool isModuleInPEBList()
74 {
75 return isPEBConnected;
76 }
77
78 bool isInitialized()
79 {
80 return original_module != nullptr;
81 }
82
83 ULONGLONG getHdrImageBase()
84 {
85 if (!original_module) return 0;
86 return peconv::get_image_base((const BYTE*)original_module);
87 }
88
89 bool loadOriginal();
90 bool switchToMappedPath();
91 bool switchToWow64Path();
92 bool reloadWow64();
93 bool relocateToBase(ULONGLONG new_base);
94 bool loadRelocatedFields(std::set<DWORD>& fields_rvas);
95 bool loadImportThunks(std::set<DWORD>& fields_rvas);
96 bool loadImportsList(peconv::ImportsCollection &collection);
97
98 HANDLE processHandle;
99 HMODULE moduleHandle;
100 char szModName[MAX_PATH];
101 bool is_module_named;
102
103 PBYTE original_module;
104 size_t original_size;
105
106 protected:
107 bool _loadOriginal(bool disableFSredir);
108 bool loadModuleName();
109 bool autoswichIfWow64Mapping();
110 bool isDotNetManagedCode();
111
112 bool is_dot_net;
113 bool isPEBConnected;
114 bool useCache;
115
116 friend class PeSection;
117 };
118
120 class RemoteModuleData
121 {
122 public:
123 static std::string getModuleName(HANDLE _processHandle, HMODULE _modBaseAddr);
124 static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr);
125
126 RemoteModuleData(HANDLE _processHandle, bool _isRefl, HMODULE _modBaseAddr)
127 : processHandle(_processHandle), isReflection(_isRefl), modBaseAddr(_modBaseAddr),
128 imgBuffer(nullptr), imgBufferSize(0)
129 {
130 isHdrReady = false;
131 memset(headerBuffer, 0, peconv::MAX_HEADER_SIZE);
132 init();
133 }
134
135 virtual ~RemoteModuleData()
136 {
137 freeFullImage();
138 }
139
140 bool isSectionEntry(const size_t section_number);
141 bool isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible);
142 bool hasExecutableSection(bool allow_data, bool allow_inaccessible);
143 bool isInitialized()
144 {
145 if (!isHdrReady && !init()) {
146 return false;
147 }
148 return true;
149 }
150
151 bool is64bit()
152 {
153 if (!isHdrReady) return false;
154 return peconv::is64bit(headerBuffer);
155 }
156
157 size_t getHdrImageSize()
158 {
159 if (!isHdrReady) return 0;
160 return peconv::get_image_size((const BYTE*)headerBuffer);
161 }
162
163 ULONGLONG getHdrImageBase()
164 {
165 if (!isHdrReady) return 0;
166 return peconv::get_image_base((const BYTE*)headerBuffer);
167 }
168
169 size_t getModuleSize()
170 {
171 if (imgBufferSize) {
172 return imgBufferSize;
173 }
174 size_t defined_size = getHdrImageSize();
175 if (!defined_size) {
176 return 0;
177 }
178 return peconv::round_up_to_unit(defined_size, (size_t)PAGE_SIZE);
179 }
180
181 size_t getHeaderSize()
182 {
183 return peconv::MAX_HEADER_SIZE;
184 }
185
186 bool loadFullImage();
187 bool isFullImageLoaded() { return (imgBuffer != nullptr) && (imgBufferSize != 0); }
188 ULONGLONG getRemoteSectionVa(const size_t section_num);
189 bool loadImportsList(peconv::ImportsCollection& collection);
190
191 ULONGLONG getModuleBase()
192 {
193 return (ULONGLONG)modBaseAddr;
194 }
195
196 BYTE headerBuffer[peconv::MAX_HEADER_SIZE];
197
198 protected:
199 bool init();
200 bool loadHeader();
201 size_t calcImgSize();
202
203 bool _loadFullImage(size_t v_size);
204
205 void freeFullImage()
206 {
207 peconv::free_pe_buffer(imgBuffer);
208 imgBuffer = nullptr;
209 imgBufferSize = 0;
210 }
211
212 HANDLE processHandle;
213 const bool isReflection;
214 HMODULE modBaseAddr;
215
216 BYTE *imgBuffer;
217 size_t imgBufferSize;
218
219 private:
220 bool isHdrReady;
221
222 friend class PeSection;
223 friend class IATScanner;
224 };
225
226}; //namespace pesieve
227
pesieve::ModuleData::rvaToVa
ULONGLONG rvaToVa(DWORD rva, ULONGLONG module_base=0)
Definition module_data.h:50
pesieve::ModuleData::ModuleData
ModuleData(HANDLE _processHandle, HMODULE _module, bool _isPEBConnected, bool _useCache, const char *_moduleName=nullptr)
Definition module_data.h:18
pesieve::ModuleData::PeSection
friend class PeSection
Definition module_data.h:116
pesieve::ModuleData::relocateToBase
bool relocateToBase(ULONGLONG new_base)
Definition module_data.cpp:148
pesieve::ModuleData::vaToRva
DWORD vaToRva(ULONGLONG va, ULONGLONG module_base=0)
Definition module_data.h:58
pesieve::ModuleData::loadRelocatedFields
bool loadRelocatedFields(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:73
pesieve::ModuleData::_loadOriginal
bool _loadOriginal(bool disableFSredir)
Definition module_data.cpp:41
pesieve::ModuleData::szModName
char szModName[MAX_PATH]
Definition module_data.h:100
pesieve::ModuleData::getHdrImageBase
ULONGLONG getHdrImageBase()
Definition module_data.h:83
pesieve::ModuleData::loadImportsList
bool loadImportsList(peconv::ImportsCollection &collection)
Definition module_data.cpp:132
pesieve::ModuleData::loadImportThunks
bool loadImportThunks(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:113
pesieve::RemoteModuleData::_loadFullImage
bool _loadFullImage(size_t v_size)
Definition module_data.cpp:308
pesieve::RemoteModuleData::loadImportsList
bool loadImportsList(peconv::ImportsCollection &collection)
Definition module_data.cpp:282
pesieve::RemoteModuleData::getModuleName
static std::string getModuleName(HANDLE _processHandle, HMODULE _modBaseAddr)
Definition module_data.cpp:255
pesieve::RemoteModuleData::headerBuffer
BYTE headerBuffer[peconv::MAX_HEADER_SIZE]
Definition module_data.h:196
pesieve::RemoteModuleData::hasExecutableSection
bool hasExecutableSection(bool allow_data, bool allow_inaccessible)
Definition module_data.cpp:416
pesieve::RemoteModuleData::isSectionExecutable
bool isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible)
Definition module_data.cpp:376
pesieve::RemoteModuleData::getMappedName
static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr)
Definition module_data.cpp:269
pesieve::RemoteModuleData::RemoteModuleData
RemoteModuleData(HANDLE _processHandle, bool _isRefl, HMODULE _modBaseAddr)
Definition module_data.h:126
pesieve::RemoteModuleData::getRemoteSectionVa
ULONGLONG getRemoteSectionVa(const size_t section_num)
Definition module_data.cpp:344
pesieve::RemoteModuleData::isSectionEntry
bool isSectionEntry(const size_t section_number)
Definition module_data.cpp:355
format_util.h
module_cache.h
pesieve.MAX_PATH
int MAX_PATH
Definition pesieve.py:10
PAGE_SIZE
#define PAGE_SIZE
Definition workingset_enum.h:11
Generated by doxygen 1.13.2