PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
process_util.cpp
Go to the documentation of this file.
1#include "process_util.h"
2#include <iostream>
3
4namespace pesieve {
5 namespace util {
6 HMODULE g_kernel32Hndl = nullptr;
7
8 BOOL(WINAPI *g_IsWow64Process)(IN HANDLE, OUT PBOOL) = nullptr;
9 BOOL(WINAPI *g_Wow64DisableWow64FsRedirection) (OUT PVOID* OldValue) = nullptr;
10 BOOL(WINAPI *g_Wow64RevertWow64FsRedirection) (IN PVOID OldValue) = nullptr;
11 BOOL(WINAPI *g_Wow64GetThreadContext)(IN HANDLE hThread, IN OUT PWOW64_CONTEXT lpContext) = nullptr;
12
13 HMODULE get_kernel32_hndl()
14 {
15 const char kernel32_dll[] = "kernel32.dll";
16 if (!g_kernel32Hndl) {
17 g_kernel32Hndl = GetModuleHandleA(kernel32_dll);
18 }
19 if (!g_kernel32Hndl) {
20 g_kernel32Hndl = LoadLibraryA(kernel32_dll);
21 }
22 return g_kernel32Hndl;
23 }
24 };
25};
26
27BOOL pesieve::util::is_process_wow64(IN HANDLE processHandle, OUT BOOL* isProcWow64)
28{
29 if (isProcWow64) {
30 (*isProcWow64) = FALSE; //set default output value: FALSE
31 }
32 if (!g_IsWow64Process) {
33 HMODULE kernelLib = get_kernel32_hndl();
34 if (!kernelLib) return FALSE;
35
36 FARPROC procPtr = GetProcAddress(kernelLib, "IsWow64Process");
37 if (!procPtr) return FALSE;
38
39 g_IsWow64Process = (BOOL(WINAPI *)(IN HANDLE, OUT PBOOL))procPtr;
40 }
41 if (!g_IsWow64Process) {
42 return FALSE;
43 }
44 return g_IsWow64Process(processHandle, isProcWow64);
45}
46
47bool pesieve::util::is_process_64bit(IN HANDLE process)
48{
49 BOOL isScanner32bit = TRUE;
50#ifdef _WIN64 //is the scanner 64 bit?
51 isScanner32bit = FALSE;
52#endif
53 BOOL isScannerWow64 = FALSE;
54 pesieve::util::is_process_wow64(GetCurrentProcess(), &isScannerWow64);
55
56 const BOOL isSystem64bit = !isScanner32bit || isScannerWow64;
57 if (!isSystem64bit) {
58 //the system is not 64 bit, so for sure the app is 32 bit
59 return false;
60 }
61
62 BOOL isProcessWow = FALSE;
63 pesieve::util::is_process_wow64(process, &isProcessWow);
64
65 if (isProcessWow) {
66 // the system is 64 bit, and the process runs as Wow64, so it is 32 bit
67 return false;
68 }
69 // the system is 64 bit, and the process runs NOT as Wow64, so it is 64 bit
70 return true;
71}
72
73bool pesieve::util::is_current_wow64()
74{
75#ifdef _WIN64
76 return false;
77#else
78 BOOL isWow64 = FALSE;
79 if (!is_process_wow64(GetCurrentProcess(), &isWow64)) {
80 return false;
81 }
82 return (bool)isWow64;
83#endif
84}
85
86BOOL pesieve::util::wow64_get_thread_context(IN HANDLE hThread, IN OUT PWOW64_CONTEXT lpContext)
87{
88#ifdef _WIN64
89 if (!g_Wow64GetThreadContext) {
90 HMODULE kernelLib = get_kernel32_hndl();
91 if (!kernelLib) return FALSE;
92
93 FARPROC procPtr = GetProcAddress(get_kernel32_hndl(), "Wow64GetThreadContext");
94 if (!procPtr) return FALSE;
95
96 g_Wow64GetThreadContext = (BOOL(WINAPI*)(IN HANDLE, IN OUT PWOW64_CONTEXT))procPtr;
97 }
98 return g_Wow64GetThreadContext(hThread, lpContext);
99#else
100 return FALSE;
101#endif
102}
103
104BOOL pesieve::util::wow64_disable_fs_redirection(OUT PVOID* OldValue)
105{
106 if (!g_Wow64DisableWow64FsRedirection) {
107 HMODULE kernelLib = get_kernel32_hndl();
108 if (!kernelLib) return FALSE;
109
110 FARPROC procPtr = GetProcAddress(kernelLib, "Wow64DisableWow64FsRedirection");
111 if (!procPtr) return FALSE;
112
113 g_Wow64DisableWow64FsRedirection = (BOOL(WINAPI *) (OUT PVOID*))procPtr;
114 }
115 if (!g_Wow64DisableWow64FsRedirection) {
116 return FALSE;
117 }
118 return g_Wow64DisableWow64FsRedirection(OldValue);
119}
120
121BOOL pesieve::util::wow64_revert_fs_redirection(IN PVOID OldValue)
122{
123 if (!g_Wow64RevertWow64FsRedirection) {
124 HMODULE kernelLib = get_kernel32_hndl();
125 if (!kernelLib) return FALSE;
126
127 FARPROC procPtr = GetProcAddress(kernelLib, "Wow64RevertWow64FsRedirection");
128 if (!procPtr) return FALSE;
129
130 g_Wow64RevertWow64FsRedirection = (BOOL(WINAPI *) (IN PVOID))procPtr;
131 }
132 if (!g_Wow64RevertWow64FsRedirection) {
133 return FALSE;
134 }
135 return g_Wow64RevertWow64FsRedirection(OldValue);
136}
pesieve::util::is_process_64bit
bool is_process_64bit(IN HANDLE process)
Definition process_util.cpp:47
pesieve::util::wow64_disable_fs_redirection
BOOL wow64_disable_fs_redirection(OUT PVOID *OldValue)
Definition process_util.cpp:104
pesieve::util::is_process_wow64
BOOL is_process_wow64(IN HANDLE processHandle, OUT BOOL *isProcWow64)
Definition process_util.cpp:27
pesieve::util::lpContext
IN OUT PWOW64_CONTEXT lpContext
Definition process_util.cpp:11
pesieve::util::get_kernel32_hndl
HMODULE get_kernel32_hndl()
Definition process_util.cpp:13
pesieve::util::is_current_wow64
bool is_current_wow64()
Definition process_util.cpp:73
pesieve::util::BOOL
BOOL(CALLBACK *_MiniDumpWriteDump)(HANDLE hProcess
pesieve::util::g_kernel32Hndl
HMODULE g_kernel32Hndl
Definition process_util.cpp:6
pesieve::util::wow64_get_thread_context
BOOL wow64_get_thread_context(IN HANDLE hThread, IN OUT PWOW64_CONTEXT lpContext)
Definition process_util.cpp:86
pesieve::util::wow64_revert_fs_redirection
BOOL wow64_revert_fs_redirection(IN PVOID OldValue)
Definition process_util.cpp:121
process_util.h
Generated by doxygen 1.17.0