PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
process_symbols.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <dbghelp.h>
5#pragma comment(lib, "dbghelp")
6
7class ProcessSymbolsManager
8{
9public:
10 ProcessSymbolsManager()
11 : hProcess(NULL), isInit(false)
12 {
13 }
14
19
20 bool InitSymbols(HANDLE _hProcess)
21 {
22 if (!_hProcess || _hProcess == INVALID_HANDLE_VALUE) {
23 return false;
24 }
25 if (!isInit) {
26 hProcess = _hProcess;
27 SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEBUG | SYMOPT_INCLUDE_32BIT_MODULES);
28 if (SymInitialize(hProcess, NULL, TRUE)) {
29 isInit = true;
30 }
31 }
32 return isInit;
33 }
34
35 bool IsInitialized()
36 {
37 return isInit;
38 }
39
40 //---
41
42 std::string funcNameFromAddr(const ULONG_PTR addr)
43 {
44 if (!isInit) return "";
45
46 CHAR buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME] = { 0 };
47 PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer;
48 pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
49 pSymbol->MaxNameLen = MAX_SYM_NAME;
50
51 DWORD64 Displacement = 0;
52 if (!SymFromAddr(hProcess, addr, &Displacement, pSymbol)) {
53 return "";
54 }
55 return pSymbol->Name;
56 }
57
58 bool dumpSymbolInfo(const ULONG_PTR addr)
59 {
60 if (!isInit) return false;
61
62 CHAR buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME] = { 0 };
63 PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer;
64 pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
65 pSymbol->MaxNameLen = MAX_SYM_NAME;
66
67 DWORD64 Displacement = 0;
68 BOOLEAN result = SymFromAddr(hProcess, addr, &Displacement, pSymbol);
69 std::cout << std::dec << "[" << GetProcessId(hProcess) << "] " << std::hex << addr;
70 if (result) {
71 std::cout << " Sym: " << pSymbol->ModBase << " : " << pSymbol->Name << " disp: " << Displacement
72 << " Flags: " << pSymbol->Flags << " Tag: " << pSymbol->Tag << std::endl;
73 if (pSymbol->Flags == SYMFLAG_CLR_TOKEN) std::cout << " CLR token!\n";
74 }
75 else {
76 std::cout << " UNK \n";
77 }
78 return true;
79 }
80
81protected:
82 bool FreeSymbols()
83 {
84 if (!isInit) return true;
85 if (SymCleanup(hProcess)) {
86 isInit = false;
87 return true;
88 }
89 return false;
90 }
91
92 HANDLE hProcess;
93 bool isInit;
94};
ProcessSymbolsManager::funcNameFromAddr
std::string funcNameFromAddr(const ULONG_PTR addr)
Definition process_symbols.h:42
ProcessSymbolsManager::dumpSymbolInfo
bool dumpSymbolInfo(const ULONG_PTR addr)
Definition process_symbols.h:58
ProcessSymbolsManager::InitSymbols
bool InitSymbols(HANDLE _hProcess)
Definition process_symbols.h:20
Generated by doxygen 1.12.0