PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
patch_analyzer.h
Go to the documentation of this file.
1#pragma once
2
3#include "module_data.h"
4#include "patch_list.h"
5#include <set>
6
7namespace pesieve {
8
10 class PatchAnalyzer
11 {
12 public:
13 typedef enum {
14 OP_SHORTJMP = 0xEB,
15 OP_JMP = 0xE9,
16 OP_CALL_DWORD = 0xE8,
17 OP_PUSH_DWORD = 0x68,
18 OP_JMP_VIA_ADDR_B1 = 0xFF,
19 OP_JMP_VIA_ADDR_B2 = 0x25
20 } t_hook_opcode;
21
22 PatchAnalyzer(ModuleData &_moduleData, DWORD _sectionRVA, PBYTE patched_code, size_t code_size)
23 : moduleData(_moduleData), sectionRVA(_sectionRVA), patchedCode(patched_code), codeSize(code_size)
24 {
25 isModule64bit = moduleData.is64bit();
26 moduleData.loadRelocatedFields(relocs);
27 }
28
29 size_t analyzeHook(PatchList::Patch &patch);
30
31 size_t analyzeOther(PatchList::Patch& patch);
32
33 protected:
34 size_t _analyzeHook(PatchList::Patch &patch, BYTE* patch_ptr, ULONGLONG patch_va);
35 size_t _analyzeRelocated(PatchList::Patch &patch, BYTE* patch_ptr);
36
37 size_t parseJmpViaAddr(PatchList::Patch &patch, BYTE* patch_ptr, ULONGLONG patch_va);
38 size_t parseShortJmp(PatchList::Patch &patch, BYTE* patch_ptr, ULONGLONG patch_va);
39 size_t parseJmp(PatchList::Patch &patch, BYTE* patch_ptr, ULONGLONG patch_va);
40 size_t parseMovJmp(PatchList::Patch &patch, BYTE* patch_ptr, bool is_long);
41 size_t parsePushRet(PatchList::Patch &patch, BYTE* patch_ptr);
42
43 template <typename DELTA_T>
44 ULONGLONG getJmpDestAddr(ULONGLONG currVA, int instrLen, DELTA_T lVal);
45
46 bool is64Modifier(BYTE op);
47 bool isLongModifier(BYTE op);
48
49 bool isModule64bit;
50
51 ModuleData &moduleData;
52 DWORD sectionRVA;
53 PBYTE patchedCode;
54 size_t codeSize;
55
56 std::set<DWORD> relocs;
57 };
58
59}; //namespace pesieve
60
pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15
pesieve::PatchAnalyzer::parsePushRet
size_t parsePushRet(PatchList::Patch &patch, BYTE *patch_ptr)
Definition patch_analyzer.cpp:115
pesieve::PatchAnalyzer::_analyzeRelocated
size_t _analyzeRelocated(PatchList::Patch &patch, BYTE *patch_ptr)
Definition patch_analyzer.cpp:179
pesieve::PatchAnalyzer::PatchAnalyzer
PatchAnalyzer(ModuleData &_moduleData, DWORD _sectionRVA, PBYTE patched_code, size_t code_size)
Definition patch_analyzer.h:22
pesieve::PatchAnalyzer::parseJmp
size_t parseJmp(PatchList::Patch &patch, BYTE *patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:26
pesieve::PatchAnalyzer::relocs
std::set< DWORD > relocs
Definition patch_analyzer.h:56
pesieve::PatchAnalyzer::analyzeOther
size_t analyzeOther(PatchList::Patch &patch)
Definition patch_analyzer.cpp:194
pesieve::PatchAnalyzer::parseMovJmp
size_t parseMovJmp(PatchList::Patch &patch, BYTE *patch_ptr, bool is_long)
Definition patch_analyzer.cpp:54
pesieve::PatchAnalyzer::getJmpDestAddr
ULONGLONG getJmpDestAddr(ULONGLONG currVA, int instrLen, DELTA_T lVal)
Definition patch_analyzer.cpp:6
pesieve::PatchAnalyzer::_analyzeHook
size_t _analyzeHook(PatchList::Patch &patch, BYTE *patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:149
pesieve::PatchAnalyzer::parseJmpViaAddr
size_t parseJmpViaAddr(PatchList::Patch &patch, BYTE *patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:39
pesieve::PatchAnalyzer::parseShortJmp
size_t parseShortJmp(PatchList::Patch &patch, BYTE *patch_ptr, ULONGLONG patch_va)
Definition patch_analyzer.cpp:13
pesieve::PatchAnalyzer::analyzeHook
size_t analyzeHook(PatchList::Patch &patch)
Definition patch_analyzer.cpp:221
module_data.h
patch_list.h
Generated by doxygen 1.13.2