pe-sieve/module__data_8h_source.html

#pragma once


#include <windows.h>

#include <psapi.h>

#include <map>

#include <set>


#include <peconv.h>

#include "../utils/format_util.h"

#include "module_cache.h"


namespace pesieve {


    class ModuleData {


    public:


        ModuleData(HANDLE _processHandle, HMODULE _module, bool _isPEBConnected, bool _useCache)

            : processHandle(_processHandle), moduleHandle(_module),

            isPEBConnected(_isPEBConnected), useCache(_useCache),

            is_module_named(false), original_size(0), original_module(nullptr),

            is_dot_net(false)

        {

            memset(szModName, 0, MAX_PATH);

            loadModuleName();

        }


        ModuleData(HANDLE _processHandle, HMODULE _module, std::string module_name, bool _useCache)

            : processHandle(_processHandle), moduleHandle(_module), useCache(_useCache),

            is_module_named(false), original_size(0), original_module(nullptr),

            is_dot_net(false)

        {

            memset(szModName, 0, MAX_PATH);

            memcpy(this->szModName, module_name.c_str(), module_name.length());

        }


        ~ModuleData()

        {

            peconv::free_pe_buffer(original_module, original_size);

        }


        bool is64bit()

        {

            if (original_module == nullptr) {

                return false;

            }

            return peconv::is64bit(original_module);

        }


        bool isDotNet() { return this->is_dot_net; }


        ULONGLONG rvaToVa(DWORD rva, ULONGLONG module_base = 0)

        {

            if (module_base == 0) {

                module_base = reinterpret_cast<ULONGLONG>(this->moduleHandle);

            }

            return module_base + rva;

        }


        DWORD vaToRva(ULONGLONG va, ULONGLONG module_base = 0)

        {

            if (module_base == 0) {

                module_base = reinterpret_cast<ULONGLONG>(this->moduleHandle);

            }

            if (va < module_base) {

                return 0; // not this module

            }

            if (va > module_base + this->original_size) {

                return 0; // not this module

            }

            ULONGLONG diff = (va - module_base);

            return static_cast<DWORD>(diff);

        }


        bool isModuleInPEBList()

        {

            return isPEBConnected;

        }


        bool isInitialized()

        {

            return original_module != nullptr;

        }


        ULONGLONG getHdrImageBase()

        {

            if (!original_module) return 0;

            return peconv::get_image_base((const BYTE*)original_module);

        }


        bool loadOriginal();


        bool switchToWow64Path();

        bool reloadWow64();

        bool relocateToBase(ULONGLONG new_base);

        bool loadRelocatedFields(std::set<DWORD>& fields_rvas);

        bool loadImportThunks(std::set<DWORD>& fields_rvas);

        bool loadImportsList(peconv::ImportsCollection &collection);


        HANDLE processHandle;

        HMODULE moduleHandle;

        char szModName[MAX_PATH];

        bool is_module_named;


        PBYTE original_module;

        size_t original_size;


    protected:

        bool _loadOriginal(bool disableFSredir);

        bool loadModuleName();

        bool autoswichIfWow64Mapping();

        bool isDotNetManagedCode();


        bool is_dot_net;

        bool isPEBConnected;

        bool useCache;


        friend class PeSection;

    };


    class RemoteModuleData

    {

    public:

        static std::string getModuleName(HANDLE _processHandle, HMODULE _modBaseAddr);

        static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr);


        RemoteModuleData(HANDLE _processHandle, bool _isRefl, HMODULE _modBaseAddr)

            : processHandle(_processHandle), isReflection(_isRefl), modBaseAddr(_modBaseAddr),

            imgBuffer(nullptr), imgBufferSize(0)

        {

            isHdrReady = false;

            memset(headerBuffer, 0, peconv::MAX_HEADER_SIZE);

            init();

        }


        virtual ~RemoteModuleData()

        {

            freeFullImage();

        }


        bool isSectionEntry(const size_t section_number);

        bool isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible);

        bool hasExecutableSection(bool allow_data, bool allow_inaccessible);


        bool isInitialized()

        {

            if (!isHdrReady && !init()) {

                return false;

            }

            return true;

        }


        bool is64bit()

        {

            if (!isHdrReady) return false;

            return peconv::is64bit(headerBuffer);

        }


        size_t getHdrImageSize()

        {

            if (!isHdrReady) return 0;

            return peconv::get_image_size((const BYTE*)headerBuffer);

        }


        ULONGLONG getHdrImageBase()

        {

            if (!isHdrReady) return 0;

            return peconv::get_image_base((const BYTE*)headerBuffer);

        }


        size_t getModuleSize()

        {

            if (imgBufferSize) {

                return imgBufferSize;

            }

            return getHdrImageSize();

        }


        size_t getHeaderSize()

        {

            return peconv::MAX_HEADER_SIZE;

        }


        bool loadFullImage();

        bool isFullImageLoaded() { return (imgBuffer != nullptr) && (imgBufferSize != 0); }

        ULONGLONG getRemoteSectionVa(const size_t section_num);

        bool loadImportsList(peconv::ImportsCollection& collection);


        ULONGLONG getModuleBase()

        {

            return (ULONGLONG)modBaseAddr;

        }


        BYTE headerBuffer[peconv::MAX_HEADER_SIZE];


    protected:

        bool init();

        bool loadHeader();

        size_t calcImgSize();


        bool _loadFullImage(size_t v_size);


        void freeFullImage()

        {

            peconv::free_pe_buffer(imgBuffer);

            imgBuffer = nullptr;

            imgBufferSize = 0;

        }


        HANDLE processHandle;

        const bool isReflection;

        HMODULE modBaseAddr;


        BYTE *imgBuffer;

        size_t imgBufferSize;


    private:

        bool isHdrReady;


        friend class PeSection;

        friend class IATScanner;

    };


}; //namespace pesieve


pesieve::IATScanner
A scanner for detection of IAT hooking.
Definition iat_scanner.h:62

pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15

pesieve::ModuleData::~ModuleData
~ModuleData()
Definition module_data.h:37

pesieve::ModuleData::autoswichIfWow64Mapping
bool autoswichIfWow64Mapping()
Definition module_data.cpp:169

pesieve::ModuleData::rvaToVa
ULONGLONG rvaToVa(DWORD rva, ULONGLONG module_base=0)
Definition module_data.h:52

pesieve::ModuleData::isModuleInPEBList
bool isModuleInPEBList()
Definition module_data.h:75

pesieve::ModuleData::reloadWow64
bool reloadWow64()
Definition module_data.cpp:203

pesieve::ModuleData::ModuleData
ModuleData(HANDLE _processHandle, HMODULE _module, bool _isPEBConnected, bool _useCache)
Definition module_data.h:18

pesieve::ModuleData::switchToWow64Path
bool switchToWow64Path()
Definition module_data.cpp:190

pesieve::ModuleData::relocateToBase
bool relocateToBase(ULONGLONG new_base)
Definition module_data.cpp:148

pesieve::ModuleData::isPEBConnected
bool isPEBConnected
Definition module_data.h:115

pesieve::ModuleData::vaToRva
DWORD vaToRva(ULONGLONG va, ULONGLONG module_base=0)
Definition module_data.h:60

pesieve::ModuleData::loadRelocatedFields
bool loadRelocatedFields(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:73

pesieve::ModuleData::_loadOriginal
bool _loadOriginal(bool disableFSredir)
Definition module_data.cpp:41

pesieve::ModuleData::is64bit
bool is64bit()
Definition module_data.h:42

pesieve::ModuleData::isDotNet
bool isDotNet()
Definition module_data.h:50

pesieve::ModuleData::moduleHandle
HMODULE moduleHandle
Definition module_data.h:101

pesieve::ModuleData::loadOriginal
bool loadOriginal()
Definition module_data.cpp:30

pesieve::ModuleData::is_dot_net
bool is_dot_net
Definition module_data.h:114

pesieve::ModuleData::isInitialized
bool isInitialized()
Definition module_data.h:80

pesieve::ModuleData::ModuleData
ModuleData(HANDLE _processHandle, HMODULE _module, std::string module_name, bool _useCache)
Definition module_data.h:28

pesieve::ModuleData::szModName
char szModName[MAX_PATH]
Definition module_data.h:102

pesieve::ModuleData::is_module_named
bool is_module_named
Definition module_data.h:103

pesieve::ModuleData::original_size
size_t original_size
Definition module_data.h:106

pesieve::ModuleData::getHdrImageBase
ULONGLONG getHdrImageBase()
Definition module_data.h:85

pesieve::ModuleData::loadImportsList
bool loadImportsList(peconv::ImportsCollection &collection)
Definition module_data.cpp:132

pesieve::ModuleData::processHandle
HANDLE processHandle
Definition module_data.h:100

pesieve::ModuleData::useCache
bool useCache
Definition module_data.h:116

pesieve::ModuleData::original_module
PBYTE original_module
Definition module_data.h:105

pesieve::ModuleData::loadImportThunks
bool loadImportThunks(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:113

pesieve::ModuleData::isDotNetManagedCode
bool isDotNetManagedCode()
Definition module_data.cpp:223

pesieve::ModuleData::loadModuleName
bool loadModuleName()
Definition module_data.cpp:16

pesieve::PeSection
Buffers the defined PE section belonging to the module loaded in the scanned process into the local m...
Definition pe_section.h:12

pesieve::RemoteModuleData
Buffers the data from the module loaded in the scanned process into the local memory.
Definition module_data.h:123

pesieve::RemoteModuleData::isInitialized
bool isInitialized()
Definition module_data.h:145

pesieve::RemoteModuleData::getHeaderSize
size_t getHeaderSize()
Definition module_data.h:179

pesieve::RemoteModuleData::isFullImageLoaded
bool isFullImageLoaded()
Definition module_data.h:185

pesieve::RemoteModuleData::calcImgSize
size_t calcImgSize()
Definition module_data.cpp:416

pesieve::RemoteModuleData::_loadFullImage
bool _loadFullImage(size_t v_size)
Definition module_data.cpp:296

pesieve::RemoteModuleData::~RemoteModuleData
virtual ~RemoteModuleData()
Definition module_data.h:137

pesieve::RemoteModuleData::getHdrImageBase
ULONGLONG getHdrImageBase()
Definition module_data.h:165

pesieve::RemoteModuleData::loadHeader
bool loadHeader()
Definition module_data.cpp:324

pesieve::RemoteModuleData::loadImportsList
bool loadImportsList(peconv::ImportsCollection &collection)
Definition module_data.cpp:270

pesieve::RemoteModuleData::is64bit
bool is64bit()
Definition module_data.h:153

pesieve::RemoteModuleData::getModuleName
static std::string getModuleName(HANDLE _processHandle, HMODULE _modBaseAddr)
Definition module_data.cpp:243

pesieve::RemoteModuleData::getModuleSize
size_t getModuleSize()
Definition module_data.h:171

pesieve::RemoteModuleData::headerBuffer
BYTE headerBuffer[peconv::MAX_HEADER_SIZE]
Definition module_data.h:194

pesieve::RemoteModuleData::init
bool init()
Definition module_data.cpp:286

pesieve::RemoteModuleData::imgBufferSize
size_t imgBufferSize
Definition module_data.h:215

pesieve::RemoteModuleData::hasExecutableSection
bool hasExecutableSection(bool allow_data, bool allow_inaccessible)
Definition module_data.cpp:404

pesieve::RemoteModuleData::modBaseAddr
HMODULE modBaseAddr
Definition module_data.h:212

pesieve::RemoteModuleData::imgBuffer
BYTE * imgBuffer
Definition module_data.h:214

pesieve::RemoteModuleData::getHdrImageSize
size_t getHdrImageSize()
Definition module_data.h:159

pesieve::RemoteModuleData::isSectionExecutable
bool isSectionExecutable(const size_t section_number, bool allow_data, bool allow_inaccessible)
Definition module_data.cpp:364

pesieve::RemoteModuleData::processHandle
HANDLE processHandle
Definition module_data.h:210

pesieve::RemoteModuleData::getMappedName
static std::string getMappedName(HANDLE _processHandle, LPVOID _modBaseAddr)
Definition module_data.cpp:257

pesieve::RemoteModuleData::loadFullImage
bool loadFullImage()
Definition module_data.cpp:310

pesieve::RemoteModuleData::RemoteModuleData
RemoteModuleData(HANDLE _processHandle, bool _isRefl, HMODULE _modBaseAddr)
Definition module_data.h:128

pesieve::RemoteModuleData::getRemoteSectionVa
ULONGLONG getRemoteSectionVa(const size_t section_num)
Definition module_data.cpp:332

pesieve::RemoteModuleData::isSectionEntry
bool isSectionEntry(const size_t section_number)
Definition module_data.cpp:343

pesieve::RemoteModuleData::isReflection
const bool isReflection
Definition module_data.h:211

pesieve::RemoteModuleData::freeFullImage
void freeFullImage()
Definition module_data.h:203

pesieve::RemoteModuleData::getModuleBase
ULONGLONG getModuleBase()
Definition module_data.h:189

format_util.h

module_cache.h

pesieve
Definition pesieve.py:1

pesieve.MAX_PATH
int MAX_PATH
Definition pesieve.py:10

pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31