PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
patch_analyzer.h
Go to the documentation of this file.
1#pragma once
2
3#include "module_data.h"
4#include "patch_list.h"
5
6namespace pesieve {
7
9 class PatchAnalyzer
10 {
11 public:
12 typedef enum {
13 OP_SHORTJMP = 0xEB,
14 OP_JMP = 0xE9,
15 OP_CALL_DWORD = 0xE8,
16 OP_PUSH_DWORD = 0x68,
17 OP_JMP_VIA_ADDR_B1 = 0xFF,
18 OP_JMP_VIA_ADDR_B2 = 0x25
19 } t_hook_opcode;
20
21 PatchAnalyzer(ModuleData &_moduleData, DWORD _sectionRVA, PBYTE patched_code, size_t code_size)
22 : moduleData(_moduleData), sectionRVA(_sectionRVA), patchedCode(patched_code), codeSize(code_size)
23 {
24 isModule64bit = moduleData.is64bit();
25 moduleData.loadRelocatedFields(relocs);
26 }
27
28 size_t analyzeHook(PatchList::Patch &patch);
29
30 size_t analyzeOther(PatchList::Patch& patch);
31
32 protected:
33 size_t _analyzeHook(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va);
34 size_t _analyzeRelocated(PatchList::Patch &patch, BYTE* patch_ptr);
35
36 size_t parseJmpViaAddr(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va);
37 size_t parseShortJmp(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va);
38 size_t parseJmp(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va);
39 size_t parseMovJmp(PatchList::Patch &patch, PBYTE patch_ptr, bool is_long);
40 size_t parsePushRet(PatchList::Patch &patch, PBYTE patch_ptr);
41
42 template <typename DELTA_T>
43 ULONGLONG getJmpDestAddr(ULONGLONG currVA, int instrLen, DELTA_T lVal);
44
45 bool is64Modifier(BYTE op);
46 bool isLongModifier(BYTE op);
47
48 bool isModule64bit;
49
50 ModuleData &moduleData;
51 DWORD sectionRVA;
52 PBYTE patchedCode;
53 size_t codeSize;
54
55 std::set<DWORD> relocs;
56 };
57
58}; //namespace pesieve
59
pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15
pesieve::ModuleData::loadRelocatedFields
bool loadRelocatedFields(std::set< DWORD > &fields_rvas)
Definition module_data.cpp:73
pesieve::PatchAnalyzer
A postprocessor of the detected code patches. Detects if the patch is a hook, and if so,...
Definition patch_analyzer.h:10
pesieve::PatchAnalyzer::_analyzeHook
size_t _analyzeHook(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:150
pesieve::PatchAnalyzer::parseShortJmp
size_t parseShortJmp(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:13
pesieve::PatchAnalyzer::_analyzeRelocated
size_t _analyzeRelocated(PatchList::Patch &patch, BYTE *patch_ptr)
Definition patch_analyzer.cpp:180
pesieve::PatchAnalyzer::PatchAnalyzer
PatchAnalyzer(ModuleData &_moduleData, DWORD _sectionRVA, PBYTE patched_code, size_t code_size)
Definition patch_analyzer.h:21
pesieve::PatchAnalyzer::relocs
std::set< DWORD > relocs
Definition patch_analyzer.h:55
pesieve::PatchAnalyzer::analyzeOther
size_t analyzeOther(PatchList::Patch &patch)
Definition patch_analyzer.cpp:195
pesieve::PatchAnalyzer::parseJmpViaAddr
size_t parseJmpViaAddr(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:39
pesieve::PatchAnalyzer::parseJmp
size_t parseJmp(PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:26
pesieve::PatchAnalyzer::getJmpDestAddr
ULONGLONG getJmpDestAddr(ULONGLONG currVA, int instrLen, DELTA_T lVal)
Definition patch_analyzer.cpp:6
pesieve::PatchAnalyzer::parseMovJmp
size_t parseMovJmp(PatchList::Patch &patch, PBYTE patch_ptr, bool is_long)
Definition patch_analyzer.cpp:55
pesieve::PatchAnalyzer::parsePushRet
size_t parsePushRet(PatchList::Patch &patch, PBYTE patch_ptr)
Definition patch_analyzer.cpp:116
pesieve::PatchAnalyzer::analyzeHook
size_t analyzeHook(PatchList::Patch &patch)
Definition patch_analyzer.cpp:222
module_data.h
patch_list.h
Generated by doxygen 1.12.0