PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
patch_list.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <vector>
5#include <fstream>
6
7#include <peconv.h>
8
9namespace pesieve {
10
17
18 class PatchList {
19 public:
20 class Patch
21 {
22 public:
30
31 Patch(const Patch& other)
32 {
33 id = other.id;
34 startRva = other.startRva;
35 endRva = other.endRva;
36 moduleBase = other.moduleBase;
37
38 isDirect = other.isDirect;
39 type = other.type;
40 hookTargetVA = other.hookTargetVA;
41 hooked_func = other.hooked_func;
42
43 hookTargetModule = other.hookTargetModule;
44 isTargetSuspicious = other.isTargetSuspicious;
45 hookTargetModName = other.hookTargetModName;
46 }
47
48 void setEnd(DWORD end_rva)
49 {
50 endRva = end_rva;
51 }
52
59
60 ULONGLONG getHookTargetVA()
61 {
62 return hookTargetVA;
63 }
64
65 bool setHookTargetInfo(ULONGLONG targetModuleBase, bool isSuspiocious, std::string targetModuleName)
66 {
67 if (type == pesieve::HOOK_NONE || targetModuleBase == 0 || targetModuleBase > this->hookTargetVA) {
68 return false;
69 }
70 this->hookTargetModule = targetModuleBase;
71 this->isTargetSuspicious = isSuspiocious;
72 this->hookTargetModName = targetModuleName;
73 return true;
74 }
75
76 const bool toTAG(std::ofstream &patch_report, const char delimiter);
77 const bool toJSON(std::stringstream &outs, size_t level, bool short_info);
78
79 protected:
80 bool resolveHookedExport(peconv::ExportsMapper &expMap);
81
82 std::string getFormattedName();
83
84 size_t id;
85 DWORD startRva;
86 DWORD endRva;
87 HMODULE moduleBase;
88
89 t_hook_type type;
90 bool isDirect;
91 ULONGLONG hookTargetVA;
92 std::string hooked_func;
93
94 ULONGLONG hookTargetModule;
95 bool isTargetSuspicious;
96 std::string hookTargetModName;
97
98 friend class PatchList;
99 friend class PatchAnalyzer;
100 };
101
102 PatchList & operator=(const PatchList &other)
103 {
104 deletePatches();
105 std::vector<Patch*>::const_iterator itr;
106 for (itr = other.patches.begin(); itr != other.patches.end(); ++itr) {
107 Patch* next = *itr;
108 Patch* nextCopy = new Patch(*next);
109 patches.push_back(nextCopy);
110 }
111 return *this;
112 }
113
114 //constructor:
115 PatchList() {}
116
117 //destructor:
118 virtual ~PatchList() {
119 deletePatches();
120 }
121
122 void insert(Patch *p)
123 {
124 patches.push_back(p);
125 }
126
127 size_t size()
128 {
129 return patches.size();
130 }
131
132 const size_t toTAGs(std::ofstream &patch_report, const char delimiter);
133
134 const bool toJSON(std::stringstream &outs, size_t level, bool short_info);
135
136 //checks what are the names of the functions that have been hooked
137 size_t checkForHookedExports(peconv::ExportsMapper &expMap);
138
139 void deletePatches();
140
141 // variables:
142 std::vector<Patch*> patches;
143 };
144
145}; //namespace pesieve
146
pesieve::PatchAnalyzer
A postprocessor of the detected code patches. Detects if the patch is a hook, and if so,...
Definition patch_analyzer.h:10
pesieve::PatchList::Patch::getFormattedName
std::string getFormattedName()
Definition patch_list.cpp:8
pesieve::PatchList::Patch::hookTargetModName
std::string hookTargetModName
Definition patch_list.h:96
pesieve::PatchList::Patch::Patch
Patch(const Patch &other)
Definition patch_list.h:31
pesieve::PatchList::Patch::resolveHookedExport
bool resolveHookedExport(peconv::ExportsMapper &expMap)
Definition patch_list.cpp:115
pesieve::PatchList::Patch::setHookTargetInfo
bool setHookTargetInfo(ULONGLONG targetModuleBase, bool isSuspiocious, std::string targetModuleName)
Definition patch_list.h:65
pesieve::PatchList::Patch::Patch
Patch(HMODULE module_base, size_t patch_id, DWORD start_rva)
Definition patch_list.h:23
pesieve::PatchList::Patch::toTAG
const bool toTAG(std::ofstream &patch_report, const char delimiter)
Definition patch_list.cpp:51
pesieve::PatchList::Patch::getHookTargetVA
ULONGLONG getHookTargetVA()
Definition patch_list.h:60
pesieve::PatchList::Patch::toJSON
const bool toJSON(std::stringstream &outs, size_t level, bool short_info)
Definition patch_list.cpp:67
pesieve::PatchList::Patch::setHookTarget
void setHookTarget(ULONGLONG target_va, bool is_direct=true, t_hook_type hook_type=pesieve::HOOK_INLINE)
Definition patch_list.h:53
pesieve::PatchList::Patch::setEnd
void setEnd(DWORD end_rva)
Definition patch_list.h:48
pesieve::PatchList::checkForHookedExports
size_t checkForHookedExports(peconv::ExportsMapper &expMap)
Definition patch_list.cpp:158
pesieve::PatchList::operator=
PatchList & operator=(const PatchList &other)
Definition patch_list.h:102
pesieve::PatchList::~PatchList
virtual ~PatchList()
Definition patch_list.h:118
pesieve::PatchList::patches
std::vector< Patch * > patches
Definition patch_list.h:142
pesieve::PatchList::toJSON
const bool toJSON(std::stringstream &outs, size_t level, bool short_info)
Definition patch_list.cpp:136
pesieve::PatchList::toTAGs
const size_t toTAGs(std::ofstream &patch_report, const char delimiter)
Definition patch_list.cpp:126
pesieve::PatchList::insert
void insert(Patch *p)
Definition patch_list.h:122
pesieve::HOOK_INLINE
@ HOOK_INLINE
Definition patch_list.h:13
pesieve::COUNT_HOOK_TYPES
@ COUNT_HOOK_TYPES
Definition patch_list.h:15
pesieve::HOOK_ADDR_REPLACEMENT
@ HOOK_ADDR_REPLACEMENT
Definition patch_list.h:14
pesieve::HOOK_NONE
@ HOOK_NONE
Definition patch_list.h:12
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
Generated by doxygen 1.10.0