PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
process_minidump.cpp
Go to the documentation of this file.
1#include "process_minidump.h"
2#include "process_privilege.h"
3#include <dbghelp.h>
4
5namespace pesieve {
6 namespace util {
7
8 BOOL(CALLBACK *_MiniDumpWriteDump)(
9 HANDLE hProcess,
10 DWORD ProcessId,
11 HANDLE hFile,
12 MINIDUMP_TYPE DumpType,
13 PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
14 PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
15 PMINIDUMP_CALLBACK_INFORMATION CallbackParam
16 ) = NULL;
17
18 bool load_MiniDumpWriteDump()
19 {
20 if (_MiniDumpWriteDump != NULL) {
21 return true; // already loaded
22 }
23 HMODULE lib = LoadLibraryA("dbghelp.dll");
24 if (!lib) return false;
25
26 FARPROC proc = GetProcAddress(lib, "MiniDumpWriteDump");
27 if (!proc) {
28 FreeLibrary(lib);
29 return false;
30 }
31 _MiniDumpWriteDump = (BOOL(CALLBACK *)(
32 HANDLE,
33 DWORD,
34 HANDLE,
35 MINIDUMP_TYPE,
36 PMINIDUMP_EXCEPTION_INFORMATION,
37 PMINIDUMP_USER_STREAM_INFORMATION,
38 PMINIDUMP_CALLBACK_INFORMATION
39 )) proc;
40
41 if (_MiniDumpWriteDump != NULL) {
42 return true; // loaded
43 }
44 return false;
45 }
46
47 };
48};
49
50
51bool pesieve::util::make_minidump(DWORD pid, const std::string &out_file)
52{
53 if (!load_MiniDumpWriteDump()) return false;
54
55 HANDLE procHndl = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
56 if (procHndl == NULL) {
57 DWORD last_err = GetLastError();
58 if (last_err == ERROR_ACCESS_DENIED) {
59 if (set_debug_privilege()) {
60 procHndl = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
61 }
62 }
63 }
64 if (procHndl == NULL) {
65 return false;
66 }
67 HANDLE outFile = CreateFileA(out_file.c_str(), GENERIC_ALL, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
68 if (outFile == INVALID_HANDLE_VALUE) {
69 CloseHandle(procHndl);
70 return false;
71 }
72
73 BOOL isDumped = _MiniDumpWriteDump(procHndl, pid, outFile, MiniDumpWithFullMemory, NULL, NULL, NULL);
74
75 CloseHandle(outFile);
76 CloseHandle(procHndl);
77 return (isDumped) ? true : false;
78}
pesieve::util::make_minidump
bool make_minidump(DWORD pid, const std::string &out_file)
Definition process_minidump.cpp:51
pesieve::util::DumpType
DWORD HANDLE MINIDUMP_TYPE DumpType
Definition process_minidump.cpp:12
pesieve::util::ExceptionParam
DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam
Definition process_minidump.cpp:13
pesieve::util::UserStreamParam
DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam
Definition process_minidump.cpp:14
pesieve::util::load_MiniDumpWriteDump
bool load_MiniDumpWriteDump()
Definition process_minidump.cpp:18
pesieve::util::BOOL
BOOL(CALLBACK *_MiniDumpWriteDump)(HANDLE hProcess
pesieve::util::hFile
DWORD HANDLE hFile
Definition process_minidump.cpp:11
pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
pesieve::util::CallbackParam
DWORD HANDLE MINIDUMP_TYPE PMINIDUMP_EXCEPTION_INFORMATION PMINIDUMP_USER_STREAM_INFORMATION PMINIDUMP_CALLBACK_INFORMATION CallbackParam
Definition process_minidump.cpp:16
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
process_minidump.h
process_privilege.h
Generated by doxygen 1.10.0