PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
patch_list.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <vector>
5#include <fstream>
6
7#include <peconv.h>
8
9namespace pesieve {
10
19
20 class PatchList {
21 public:
22 class Patch
23 {
24 public:
25 Patch(HMODULE module_base, size_t patch_id, DWORD start_rva)
26 : moduleBase(module_base), id(patch_id), startRva(start_rva), endRva(start_rva),
27 type(pesieve::PATCH_UNKNOWN),
28 isDirect(true),
29 hookTargetVA(0), hookTargetModule(0), isTargetSuspicious(false),
30 paddingVal(0)
31 {
32 }
33
34 Patch(const Patch& other)
35 {
36 id = other.id;
37 startRva = other.startRva;
38 endRva = other.endRva;
39 moduleBase = other.moduleBase;
40
41 isDirect = other.isDirect;
42 type = other.type;
43 hookTargetVA = other.hookTargetVA;
44 hooked_func = other.hooked_func;
45
46 hookTargetModule = other.hookTargetModule;
47 isTargetSuspicious = other.isTargetSuspicious;
48 hookTargetModName = other.hookTargetModName;
49 paddingVal = other.paddingVal;
50 }
51
52 void setEnd(DWORD end_rva)
53 {
54 endRva = end_rva;
55 }
56
57 void setHookTarget(ULONGLONG target_va, bool is_direct = true, t_patch_type hook_type = pesieve::HOOK_INLINE)
58 {
59 hookTargetVA = target_va;
60 isDirect = is_direct;
61 this->type = hook_type;
62 }
63
64 ULONGLONG getHookTargetVA()
65 {
66 return hookTargetVA;
67 }
68
69 bool setHookTargetInfo(ULONGLONG targetModuleBase, bool isSuspicious, std::string targetModuleName)
70 {
71 if (type == pesieve::PATCH_UNKNOWN || targetModuleBase == 0 || targetModuleBase > this->hookTargetVA) {
72 return false;
73 }
74 this->hookTargetModule = targetModuleBase;
75 this->isTargetSuspicious = isSuspicious;
76 this->hookTargetModName = targetModuleName;
77 return true;
78 }
79
80 const bool toTAG(std::ofstream &patch_report, const char delimiter);
81 const bool toJSON(std::stringstream &outs, size_t level, bool short_info);
82
83 protected:
84 bool resolveHookedExport(peconv::ExportsMapper &expMap);
85
86 std::string getFormattedName();
87
88 size_t id;
89 DWORD startRva;
90 DWORD endRva;
91 HMODULE moduleBase;
92
93 t_patch_type type;
94 bool isDirect;
95 ULONGLONG hookTargetVA;
96 BYTE paddingVal;
97 std::string hooked_func;
98
99 ULONGLONG hookTargetModule;
100 bool isTargetSuspicious;
101 std::string hookTargetModName;
102
103 friend class PatchList;
104 friend class PatchAnalyzer;
105 };
106
107 PatchList & operator=(const PatchList &other)
108 {
109 deletePatches();
110 std::vector<Patch*>::const_iterator itr;
111 for (itr = other.patches.begin(); itr != other.patches.end(); ++itr) {
112 Patch* next = *itr;
113 Patch* nextCopy = new Patch(*next);
114 patches.push_back(nextCopy);
115 }
116 return *this;
117 }
118
119 //constructor:
120 PatchList() {}
121
122 //destructor:
123 virtual ~PatchList() {
124 deletePatches();
125 }
126
127 void insert(Patch *p)
128 {
129 patches.push_back(p);
130 }
131
132 size_t size()
133 {
134 return patches.size();
135 }
136
137 const size_t toTAGs(std::ofstream &patch_report, const char delimiter);
138
139 const bool toJSON(std::stringstream &outs, size_t level, bool short_info);
140
141 //checks what are the names of the functions that have been hooked
142 size_t checkForHookedExports(peconv::ExportsMapper &expMap);
143
144 void deletePatches();
145
146 // variables:
147 std::vector<Patch*> patches;
148 };
149
150}; //namespace pesieve
151
pesieve::PatchList::Patch::setHookTarget
void setHookTarget(ULONGLONG target_va, bool is_direct=true, t_patch_type hook_type=pesieve::HOOK_INLINE)
Definition patch_list.h:57
pesieve::PatchList::Patch::getFormattedName
std::string getFormattedName()
Definition patch_list.cpp:8
pesieve::PatchList::Patch::hookTargetModName
std::string hookTargetModName
Definition patch_list.h:101
pesieve::PatchList::Patch::Patch
Patch(const Patch &other)
Definition patch_list.h:34
pesieve::PatchList::Patch::resolveHookedExport
bool resolveHookedExport(peconv::ExportsMapper &expMap)
Definition patch_list.cpp:124
pesieve::PatchList::Patch::Patch
Patch(HMODULE module_base, size_t patch_id, DWORD start_rva)
Definition patch_list.h:25
pesieve::PatchList::Patch::toTAG
const bool toTAG(std::ofstream &patch_report, const char delimiter)
Definition patch_list.cpp:60
pesieve::PatchList::Patch::setHookTargetInfo
bool setHookTargetInfo(ULONGLONG targetModuleBase, bool isSuspicious, std::string targetModuleName)
Definition patch_list.h:69
pesieve::PatchList::Patch::getHookTargetVA
ULONGLONG getHookTargetVA()
Definition patch_list.h:64
pesieve::PatchList::Patch::toJSON
const bool toJSON(std::stringstream &outs, size_t level, bool short_info)
Definition patch_list.cpp:76
pesieve::PatchList::Patch::setEnd
void setEnd(DWORD end_rva)
Definition patch_list.h:52
pesieve::PatchList::checkForHookedExports
size_t checkForHookedExports(peconv::ExportsMapper &expMap)
Definition patch_list.cpp:167
pesieve::PatchList::operator=
PatchList & operator=(const PatchList &other)
Definition patch_list.h:107
pesieve::PatchList::~PatchList
virtual ~PatchList()
Definition patch_list.h:123
pesieve::PatchList::patches
std::vector< Patch * > patches
Definition patch_list.h:147
pesieve::PatchList::toJSON
const bool toJSON(std::stringstream &outs, size_t level, bool short_info)
Definition patch_list.cpp:145
pesieve::PatchList::toTAGs
const size_t toTAGs(std::ofstream &patch_report, const char delimiter)
Definition patch_list.cpp:135
pesieve::PatchList::insert
void insert(Patch *p)
Definition patch_list.h:127
pesieve::COUNT_PATCH_TYPES
@ COUNT_PATCH_TYPES
Definition patch_list.h:17
pesieve::PATCH_UNKNOWN
@ PATCH_UNKNOWN
Definition patch_list.h:12
pesieve::PATCH_BREAKPOINT
@ PATCH_BREAKPOINT
Definition patch_list.h:16
pesieve::HOOK_INLINE
@ HOOK_INLINE
Definition patch_list.h:13
pesieve::HOOK_ADDR_REPLACEMENT
@ HOOK_ADDR_REPLACEMENT
Definition patch_list.h:14
pesieve::PATCH_PADDING
@ PATCH_PADDING
Definition patch_list.h:15
Generated by doxygen 1.17.0