PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
process_symbols.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <dbghelp.h>
5#pragma comment(lib, "dbghelp")
6
7
8class ProcessSymbolsManager
9{
10public:
11 ProcessSymbolsManager()
12 : hProcess(NULL), isInit(false)
13 {
14 }
15
20
21 bool InitSymbols(HANDLE _hProcess)
22 {
23 if (!_hProcess || _hProcess == INVALID_HANDLE_VALUE) {
24 return false;
25 }
26 if (!isInit) {
27 hProcess = _hProcess;
28
29 SymSetOptions(SYMOPT_INCLUDE_32BIT_MODULES | SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS | SYMOPT_FAIL_CRITICAL_ERRORS);
30 if (SymInitialize(hProcess, NULL, TRUE)) {
31 isInit = true;
32 }
33 }
34 return isInit;
35 }
36
37 bool IsInitialized()
38 {
39 return isInit;
40 }
41
42 //---
43
44 std::string normalizeSyscallPrefix(std::string& funcName)
45 {
46 if (funcName[0] == 'Z' && funcName[1] == 'w') {
47 funcName[0] = 'N';
48 funcName[1] = 't';
49 }
50 return funcName;
51 }
52
53 std::string funcNameFromAddr(IN const ULONG_PTR addr, OUT OPTIONAL size_t* displacement = nullptr)
54 {
55 if (!IsInitialized()) {
56 return "";
57 }
58 CHAR buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME] = { 0 };
59 PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer;
60 pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
61 pSymbol->MaxNameLen = MAX_SYM_NAME;
62
63 DWORD64 Displacement = 0;
64 if (!SymFromAddr(hProcess, addr, &Displacement, pSymbol)) {
65 return "";
66 }
67 if (displacement) {
68 (*displacement) = static_cast<size_t>(Displacement);
69 }
70 std::string funcName = pSymbol->Name;
71 return normalizeSyscallPrefix(funcName);
72 }
73
74 bool dumpSymbolInfo(const ULONG_PTR addr)
75 {
76 if (!IsInitialized()) return false;
77
78 CHAR buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME] = { 0 };
79 PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer;
80 pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
81 pSymbol->MaxNameLen = MAX_SYM_NAME;
82
83 DWORD64 Displacement = 0;
84 BOOLEAN result = SymFromAddr(hProcess, addr, &Displacement, pSymbol);
85 std::cout << std::dec << "[" << GetProcessId(hProcess) << "] " << std::hex << addr;
86 if (result) {
87 std::cout << " Sym: " << pSymbol->ModBase << " : " << pSymbol->Name << " disp: " << Displacement
88 << " Flags: " << pSymbol->Flags << " Tag: " << pSymbol->Tag << std::endl;
89 if (pSymbol->Flags == SYMFLAG_CLR_TOKEN) std::cout << " CLR token!\n";
90 }
91 else {
92 std::cout << " UNK \n";
93 }
94 return true;
95 }
96
97protected:
98 bool FreeSymbols()
99 {
100 if (!isInit) return true;
101 if (SymCleanup(hProcess)) {
102 isInit = false;
103 return true;
104 }
105 return false;
106 }
107
108 HANDLE hProcess;
109 bool isInit;
110};
ProcessSymbolsManager::dumpSymbolInfo
bool dumpSymbolInfo(const ULONG_PTR addr)
Definition process_symbols.h:74
ProcessSymbolsManager::InitSymbols
bool InitSymbols(HANDLE _hProcess)
Definition process_symbols.h:21
ProcessSymbolsManager::funcNameFromAddr
std::string funcNameFromAddr(IN const ULONG_PTR addr, OUT OPTIONAL size_t *displacement=nullptr)
Definition process_symbols.h:53
ProcessSymbolsManager::normalizeSyscallPrefix
std::string normalizeSyscallPrefix(std::string &funcName)
Definition process_symbols.h:44
Generated by doxygen 1.13.2