PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
pe_reconstructor.cpp
Go to the documentation of this file.
1#include "pe_reconstructor.h"
2
3#include "../utils/workingset_enum.h"
4
5#include <fstream>
6
7namespace pesieve {
8 inline bool shift_artefacts(PeArtefacts& artefacts, size_t shift_size)
9 {
10 artefacts.ntFileHdrsOffset += shift_size;
11 artefacts.secHdrsOffset += shift_size;
12 return true;
13 }
14}; //namespace pesieve
15
16
17//WARNING: this function shifts also offsets saved in the artefacts
18size_t pesieve::PeReconstructor::shiftPeHeader()
19{
20 BYTE *vBuf = this->peBuffer.vBuf;
21 const size_t vBufSize = this->peBuffer.vBufSize;
22 if (vBuf == nullptr) return 0;
23
24 if (!this->artefacts.hasNtHdrs()) return 0;
25
26 const size_t dos_pe_size = sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_SIGNATURE);
27 const size_t nt_offset = this->artefacts.dropPeBase(this->artefacts.ntFileHdrsOffset);
28 if (nt_offset == INVALID_OFFSET || nt_offset >= dos_pe_size) {
29 return 0;
30 }
31 //TODO: shift the header
32 if (!this->artefacts.hasSectionHdrs()) return 0; //cannot proceed
33
34 size_t shift_size = dos_pe_size - nt_offset;
35 size_t hdrs_end = this->artefacts.secHdrsOffset + (this->artefacts.secCount + 1)* sizeof(IMAGE_SECTION_HEADER);
36 if (!peconv::is_padding(vBuf + hdrs_end, shift_size, 0)) {
37 return 0; // no empty space, cannot proceed
38 }
39 size_t hdrs_size = this->artefacts.dropPeBase(hdrs_end);
40 BYTE *new_nt_ptr = vBuf + this->artefacts.peBaseOffset + shift_size;
41 if (!peconv::validate_ptr(vBuf, vBufSize, new_nt_ptr, hdrs_size)) {
42 return 0;
43 }
44 if (nt_offset < sizeof(IMAGE_NT_SIGNATURE)) {
45 return 0;
46 }
47 const size_t pe_offset = nt_offset - sizeof(IMAGE_NT_SIGNATURE);
48 IMAGE_DOS_HEADER dos_template = { 0 };
49 dos_template.e_magic = IMAGE_DOS_SIGNATURE;
50 dos_template.e_lfanew = LONG(pe_offset + shift_size);
51
52 //check mz signature:
53 BYTE *mz_ptr = vBuf + this->artefacts.peBaseOffset;
54 if (!peconv::validate_ptr(vBuf, vBufSize, mz_ptr, sizeof(IMAGE_DOS_HEADER))) {
55 return 0;
56 }
57 //check PE signature:
58 DWORD* pe_ptr = (DWORD*)(vBuf + this->artefacts.peBaseOffset + dos_template.e_lfanew);
59 if (!peconv::validate_ptr(vBuf, vBufSize, pe_ptr, sizeof(DWORD))) {
60 return 0;
61 }
62 //all checks passed, do the actual headers shift:
63 memmove(new_nt_ptr, (vBuf + this->artefacts.peBaseOffset), hdrs_size);
64
65 //write the DOS header:
66 memcpy(mz_ptr, &dos_template, sizeof(IMAGE_DOS_HEADER));
67
68 //write the PE signature:
69 *pe_ptr = IMAGE_NT_SIGNATURE;
70
71 shift_artefacts(this->artefacts, shift_size);
72 return shift_size;
73}
74
75bool pesieve::PeReconstructor::reconstruct()
76{
77 this->artefacts = origArtefacts;
78
79 ULONGLONG moduleBase = artefacts.regionStart + artefacts.peBaseOffset;
80 if (!peBuffer.readRemote(moduleBase, artefacts.calculatedImgSize)) {
81 return false;
82 }
83 size_t shift_size = shiftPeHeader();
84 if (shift_size) {
85 std::cout << "[!] The PE header was shifted by: " << std::hex << shift_size << std::endl;
86 }
87 bool is_pe_hdr = false;
88 if (this->artefacts.hasNtHdrs() && reconstructFileHdr()) {
89 is_pe_hdr = reconstructPeHdr();
90 }
91 if (!is_pe_hdr) {
92 return false;
93 }
94 //do not modify section headers if the PE is in raw format, or no unmapping requested
95 if (!peconv::is_pe_raw(peBuffer.vBuf, peBuffer.vBufSize)) {
96 if (!fixSectionsVirtualSize(peBuffer.processHndl) || !fixSectionsCharacteristics(peBuffer.processHndl)) {
97 return false;
98 }
99 }
100 return peBuffer.isValidPe();
101}
102
103bool pesieve::PeReconstructor::fixSectionsVirtualSize(HANDLE processHandle)
104{
105 BYTE *vBuf = this->peBuffer.vBuf;
106 const size_t vBufSize = this->peBuffer.vBufSize;
107 if (!vBuf) return false;
108
109 if (!this->artefacts.hasSectionHdrs()) {
110 return false;
111 }
112 ULONGLONG sec_offset = this->artefacts.dropPeBase(this->artefacts.secHdrsOffset);
113 BYTE *hdr_ptr = (sec_offset + vBuf);
114
115 size_t max_sec_size = 0;
116
117 IMAGE_SECTION_HEADER* prev_sec = nullptr;
118 IMAGE_SECTION_HEADER* curr_sec = (IMAGE_SECTION_HEADER*)(hdr_ptr);
119
120 const ULONGLONG pe_img_base = (ULONGLONG)artefacts.peImageBase();
121
122 const size_t hdr_sec_count = peconv::get_sections_count(vBuf, vBufSize);
123 const size_t sec_count = artefacts.secCount > hdr_sec_count ? artefacts.secCount : hdr_sec_count;
124
125 size_t i = 0;
126 for (i = 0; i < sec_count; i++, curr_sec++) {
127 if (!peconv::validate_ptr(vBuf, vBufSize, curr_sec, sizeof(IMAGE_SECTION_HEADER))) {
128 // buffer finished
129 break;
130 }
131 const DWORD sec_rva = curr_sec->VirtualAddress;
132 const DWORD sec_size = curr_sec->Misc.VirtualSize;
133
134 const ULONGLONG sec_va = pe_img_base + sec_rva;
135 size_t real_sec_size = peconv::fetch_region_size(processHandle, (PBYTE)sec_va);
136
137 // if the RVA is out of scope, and the calculated size is 0:
138 if (!peconv::validate_ptr(vBuf, vBufSize, vBuf + sec_rva, sizeof(BYTE)) && !real_sec_size) {
139#ifdef _DEBUG
140 std::cout << i << "# Invalid section found: " << std::hex
141 << sec_rva << " of size: " << sec_size << std::endl;
142#endif
143 break;
144 }
145
146 if (sec_size > real_sec_size) {
147 curr_sec->Misc.VirtualSize = DWORD(real_sec_size);
148#ifdef _DEBUG
149 std::cout << i << "# Fixed section " << std::hex << sec_rva << " size: " << std::hex
150 << sec_size << " vs real: " << real_sec_size << std::endl;
151#endif
152 }
153
154 max_sec_size = (real_sec_size > max_sec_size) ? real_sec_size : max_sec_size;
155
156 if (prev_sec && curr_sec->Misc.VirtualSize > 0) {
157 ULONGLONG prev_sec_end = prev_sec->VirtualAddress + prev_sec->Misc.VirtualSize;
158 if (prev_sec_end > curr_sec->VirtualAddress) {
159 if (curr_sec->VirtualAddress > prev_sec->VirtualAddress) {
160 DWORD diff = curr_sec->VirtualAddress - prev_sec->VirtualAddress;
161 prev_sec->Misc.VirtualSize = diff;
162#ifdef _DEBUG
163 std::cout << "Trimmed section: " << std::dec << i << std::endl;
164#endif
165 }
166 }
167 }
168 if (curr_sec->Misc.VirtualSize > 0) {
169 prev_sec = curr_sec;
170 }
171 }
172
173 IMAGE_FILE_HEADER* file_hdr = const_cast<IMAGE_FILE_HEADER*>(peconv::get_file_hdr(vBuf, vBufSize));
174 if (file_hdr && (i > 0)) {
175 // set the actual number of valid sections:
176 file_hdr->NumberOfSections = MASK_TO_WORD(i);
177 }
178
179 if (max_sec_size == 0) {
180 return false;
181 }
182 return true;
183}
184
185bool pesieve::PeReconstructor::fixSectionsCharacteristics(HANDLE processHandle)
186{
187 BYTE *vBuf = this->peBuffer.vBuf;
188 const size_t vBufSize = this->peBuffer.vBufSize;
189 if (!vBuf) return false;
190
191 if (!this->artefacts.hasSectionHdrs()) {
192 return false;
193 }
194
195 ULONGLONG sec_offset = this->artefacts.dropPeBase(this->artefacts.secHdrsOffset);
196 const BYTE *hdr_ptr = (sec_offset + vBuf);
197 IMAGE_SECTION_HEADER* curr_sec = (IMAGE_SECTION_HEADER*)(hdr_ptr);
198
199 const DWORD sec_all_flags = IMAGE_SCN_TYPE_NO_PAD
200 | IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_UNINITIALIZED_DATA
201 | IMAGE_SCN_LNK_NRELOC_OVFL | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_NOT_CACHED
202 | IMAGE_SCN_MEM_NOT_PAGED | IMAGE_SCN_MEM_SHARED | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
203 | IMAGE_SCN_MEM_WRITE
204 | IMAGE_SCN_NO_DEFER_SPEC_EXC | IMAGE_SCN_GPREL;
205
206 for (size_t i = 0; i < artefacts.secCount; i++, curr_sec++) {
207 if (!is_valid_section(vBuf, vBufSize, (BYTE*)curr_sec, 0)) {
208 break;
209 }
210 //leave only the flags that are valid
211 const DWORD charact = curr_sec->Characteristics;
212 curr_sec->Characteristics = charact & sec_all_flags;
213#ifdef DEBUG
214 if (charact != curr_sec->Characteristics) {
215 std::cout << "Section characteristics overwriten\n";
216 }
217#endif
218 }
219 return true;
220}
221
222bool pesieve::PeReconstructor::reconstructFileHdr()
223{
224 BYTE *vBuf = this->peBuffer.vBuf;
225 const size_t vBufSize = this->peBuffer.vBufSize;
226 if (!vBuf) return false;
227
228 if (!this->artefacts.hasNtHdrs()) {
229 return false;
230 }
231 size_t nt_offset = this->artefacts.dropPeBase(this->artefacts.ntFileHdrsOffset);
232 BYTE* nt_ptr = (BYTE*)((ULONGLONG)vBuf + nt_offset);
233 if (is_valid_file_hdr(vBuf, vBufSize, nt_ptr, 0)) {
234 return true;
235 }
236 IMAGE_FILE_HEADER* hdr_candidate = (IMAGE_FILE_HEADER*)nt_ptr;
237 if (!peconv::validate_ptr(vBuf, vBufSize, hdr_candidate, sizeof(IMAGE_FILE_HEADER))) {
238 // probably buffer finished
239 return false;
240 }
241
242 size_t opt_hdr_size = 0;
243 if (artefacts.is64bit) {
244 hdr_candidate->Machine = IMAGE_FILE_MACHINE_AMD64;
245 opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER64);
246 }
247 else {
248 hdr_candidate->Machine = IMAGE_FILE_MACHINE_I386;
249 opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER32);
250 }
251 if (this->artefacts.secHdrsOffset) {
252 const size_t sec_offset = this->artefacts.dropPeBase(this->artefacts.secHdrsOffset);
253 size_t calc_offset = sec_offset - (nt_offset + sizeof(IMAGE_FILE_HEADER));
254
255 if (calc_offset != opt_hdr_size) {
256 std::cout << "[WARNING] Calculated sections header offset is different than the saved one!\n";
257 }
258 hdr_candidate->NumberOfSections = WORD(this->artefacts.secCount);
259 hdr_candidate->SizeOfOptionalHeader = WORD(calc_offset);
260 }
261 hdr_candidate->NumberOfSymbols = 0;
262 hdr_candidate->PointerToSymbolTable = 0;
263 return true;
264}
265
266bool pesieve::PeReconstructor::reconstructPeHdr()
267{
268 BYTE *vBuf = this->peBuffer.vBuf;
269 const size_t vBufSize = this->peBuffer.vBufSize;
270 if (!vBuf) return false;
271
272 if (!this->artefacts.hasNtHdrs()) {
273 return false;
274 }
275 ULONGLONG nt_offset = this->artefacts.dropPeBase(this->artefacts.ntFileHdrsOffset);
276 BYTE* nt_ptr = (BYTE*)((ULONGLONG)vBuf + nt_offset);
277 BYTE *pe_ptr = nt_ptr - sizeof(DWORD);
278
279 if (!peconv::validate_ptr(vBuf, vBufSize, pe_ptr, sizeof(DWORD))) {
280 return false;
281 }
282 IMAGE_NT_HEADERS32 *nt32 = (IMAGE_NT_HEADERS32*)pe_ptr;
283 //write signature:
284 nt32->Signature = IMAGE_NT_SIGNATURE;
285 IMAGE_FILE_HEADER *file_hdr = &nt32->FileHeader;
286
287 bool is64bit = (file_hdr->Machine == IMAGE_FILE_MACHINE_AMD64) ? true : false;
288
289 if (nt32->FileHeader.SizeOfOptionalHeader == 0) {
290 nt32->FileHeader.SizeOfOptionalHeader = is64bit ? sizeof(IMAGE_OPTIONAL_HEADER64) : sizeof(IMAGE_OPTIONAL_HEADER32);
291 }
292 LONG pe_offset = LONG((ULONGLONG)pe_ptr - (ULONGLONG)vBuf);
293 IMAGE_DOS_HEADER* dosHdr = (IMAGE_DOS_HEADER*) vBuf;
294 dosHdr->e_magic = IMAGE_DOS_SIGNATURE;
295 dosHdr->e_lfanew = pe_offset;
296
297 bool is_fixed = false;
298 if (is64bit) {
299 is_fixed = overwrite_opt_hdr<IMAGE_OPTIONAL_HEADER64>(vBuf, vBufSize, (IMAGE_OPTIONAL_HEADER64*)&nt32->OptionalHeader, this->artefacts);
300 }
301 else {
302 is_fixed = overwrite_opt_hdr<IMAGE_OPTIONAL_HEADER32>(vBuf, vBufSize, &nt32->OptionalHeader, this->artefacts);
303 }
304 if (!is_fixed) {
305 return false;
306 }
307 if (!peconv::get_nt_hdrs(vBuf, vBufSize)) {
308 return false;
309 }
310 return true;
311}
312
INVALID_OFFSET
#define INVALID_OFFSET
Definition artefact_scanner.h:13
pesieve::PeArtefacts
A report about the PE artefact detected in the workingset.
Definition artefact_scanner.h:22
pesieve::PeReconstructor::fixSectionsVirtualSize
bool fixSectionsVirtualSize(HANDLE processHandle)
Definition pe_reconstructor.cpp:103
pesieve::PeReconstructor::fixSectionsCharacteristics
bool fixSectionsCharacteristics(HANDLE processHandle)
Definition pe_reconstructor.cpp:185
pesieve::PeReconstructor::origArtefacts
const PeArtefacts origArtefacts
Definition pe_reconstructor.h:62
pesieve::is_valid_file_hdr
bool is_valid_file_hdr(BYTE *loadedData, size_t loadedSize, BYTE *hdr_ptr, DWORD charact)
Definition artefact_scanner.cpp:454
pesieve::overwrite_opt_hdr
bool overwrite_opt_hdr(BYTE *vBuf, size_t vBufSize, IMAGE_OPTIONAL_HEADER_T *opt_hdr_ptr, PeArtefacts &artefacts)
Definition pe_reconstructor.h:14
pesieve::shift_artefacts
bool shift_artefacts(PeArtefacts &artefacts, size_t shift_size)
Definition pe_reconstructor.cpp:8
pesieve::is_valid_section
bool is_valid_section(BYTE *loadedData, size_t loadedSize, BYTE *hdr_ptr, DWORD charact)
Definition artefact_scanner.cpp:102
pe_reconstructor.h
workingset_enum.h
Generated by doxygen 1.13.2