PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
results_dumper.cpp
Go to the documentation of this file.
1#include "results_dumper.h"
2
3#include <windows.h>
4#include <psapi.h>
5
6#include <fstream>
7
8#include "../utils/format_util.h"
9#include "../utils/workingset_enum.h"
10#include "pe_reconstructor.h"
11#include "imp_rec/imp_reconstructor.h"
12#include "../scanners/iat_scanner.h"
13#include "../scanners/code_scanner.h"
14
15#define DIR_SEPARATOR "\\"
16
17//---
18namespace pesieve {
19
20 std::string get_payload_ext(const ArtefactScanReport& artefactRepot)
21 {
22 if (!artefactRepot.has_pe) {
23 return "shc";
24 }
25 if (artefactRepot.artefacts.isDll) {
26 return "dll";
27 }
28 return "exe";
29 }
30
31 std::string get_dump_mode_name(peconv::t_pe_dump_mode dump_mode)
32 {
33 switch (dump_mode) {
34 case peconv::PE_DUMP_VIRTUAL:
35 return "VIRTUAL";
36 case peconv::PE_DUMP_UNMAP:
37 return "UNMAPPED";
38 case peconv::PE_DUMP_REALIGN:
39 return "REALIGNED";
40 }
41 return "";
42 }
43
44 std::string get_imprec_res_name(const ImpReconstructor::t_imprec_res &res)
45 {
46 switch (res) {
47 case ImpReconstructor::IMP_NOT_FOUND:
48 return "IMP_NOT_FOUND";
49 case ImpReconstructor::IMP_RECOVERY_ERROR:
50 return "IMP_RECOVERY_ERROR";
51 case ImpReconstructor::IMP_RECOVERY_NOT_APPLICABLE:
52 return "IMP_RECOVERY_NOT_APPLICABLE";
53 case ImpReconstructor::IMP_RECOVERY_SKIPPED:
54 return "";
55 case ImpReconstructor::IMP_ALREADY_OK:
56 return "IMP_ALREADY_OK";
57 case ImpReconstructor::IMP_DIR_FIXED:
58 return "IMP_DIR_FIXED";
59 case ImpReconstructor::IMP_FIXED:
60 return "IMP_FIXED";
61 case ImpReconstructor::IMP_RECREATED_FILTER0:
62 return "IMP_RECREATED_FILTER0";
63 case ImpReconstructor::IMP_RECREATED_FILTER1:
64 return "IMP_RECREATED_FILTER1";
65 case ImpReconstructor::IMP_RECREATED_FILTER2:
66 return "IMP_RECREATED_FILTER2";
67 }
68 return "Undefined";
69 }
70
71 peconv::t_pe_dump_mode convert_to_peconv_dump_mode(const pesieve::t_dump_mode dump_mode)
72 {
73 switch (dump_mode) {
74 case pesieve::PE_DUMP_AUTO:
75 return peconv::PE_DUMP_AUTO;
76
77 case pesieve::PE_DUMP_VIRTUAL:
78 return peconv::PE_DUMP_VIRTUAL;
79
80 case pesieve::PE_DUMP_UNMAP:
81 return peconv::PE_DUMP_UNMAP;
82
83 case pesieve::PE_DUMP_REALIGN:
84 return peconv::PE_DUMP_REALIGN;
85 }
86 return peconv::PE_DUMP_AUTO;
87 }
88
89 bool make_dump_dir(const std::string& directory)
90 {
91 if (directory.length() == 0) {
92 return true;
93 }
94 return util::create_dir_recursively(directory);
95 }
96
97 std::string get_module_file_name(HANDLE processHandle, const ModuleScanReport& mod)
98 {
99 if (mod.moduleFile.length() > 0) {
100 return peconv::get_file_name(mod.moduleFile);
101 }
102
103 char szModName[MAX_PATH] = { 0 };
104 memset(szModName, 0, MAX_PATH);
105
106 std::string modulePath = "";
107 if (GetModuleFileNameExA(processHandle, (HMODULE)mod.module, szModName, MAX_PATH)) {
108 modulePath = peconv::get_file_name(szModName);
109 }
110 return modulePath;
111 }
112 //---
113}; //namespace pesieve
114
115
116bool pesieve::ResultsDumper::dumpJsonReport(pesieve::ProcessScanReport &process_report, const ProcessScanReport::t_report_filter &filter, const pesieve::t_json_level &jdetails)
117{
118 std::stringstream stream;
119 size_t level = 1;
120
121 if (!process_report.hasAnyShownType(filter)) {
122 return false;
123 }
124 if (!process_report.toJSON(stream, level, filter, jdetails)) {
125 return false;
126 }
127 std::string report_all = stream.str();
128 if (report_all.length() == 0) {
129 return false;
130 }
131 //ensure that the directory is created:
132 this->dumpDir = pesieve::ResultsDumper::makeDirName(process_report.getPid());
133
134 std::ofstream json_report;
135 std::string report_path = makeOutPath("scan_report.json");
136 json_report.open(report_path);
137 if (json_report.is_open() == false) {
138 return false;
139 }
140 json_report << report_all << std::endl;
141 if (json_report.is_open()) {
142 json_report.close();
143 return true;
144 }
145 return false;
146}
147
148bool pesieve::ResultsDumper::dumpJsonReport(ProcessDumpReport &process_report)
149{
150 if (!process_report.isFilled()) {
151 return false;
152 }
153 std::stringstream stream;
154 size_t level = 1;
155 process_report.toJSON(stream, level);
156 std::string report_all = stream.str();
157 if (report_all.length() == 0) {
158 return false;
159 }
160 //ensure that the directory is created:
161 this->dumpDir = pesieve::ResultsDumper::makeDirName(process_report.getPid());
162
163 std::ofstream json_report;
164 std::string report_path = makeOutPath("dump_report.json");
165 json_report.open(report_path);
166 if (json_report.is_open() == false) {
167 return false;
168 }
169 json_report << report_all << std::endl;
170 if (json_report.is_open()) {
171 json_report.close();
172 return true;
173 }
174 return false;
175}
176
177pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules(
178 HANDLE processHandle,
179 bool isRefl,
180 ProcessScanReport &process_report,
181 const pesieve::t_dump_mode dump_mode,
182 const t_imprec_mode imprec_mode)
183{
184 if (processHandle == nullptr) {
185 return nullptr;
186 }
187 ProcessDumpReport *dumpReport = new ProcessDumpReport(process_report.getPid());
188 this->dumpDir = pesieve::ResultsDumper::makeDirName(process_report.getPid());
189
190 std::vector<ModuleScanReport*>::iterator itr;
191 for (itr = process_report.moduleReports.begin();
192 itr != process_report.moduleReports.end();
193 ++itr)
194 {
195 ModuleScanReport* mod = *itr;
196 if (mod->status != SCAN_SUSPICIOUS) {
197 continue;
198 }
199 dumpModule(processHandle,
200 isRefl,
201 process_report.modulesInfo,
202 mod,
203 process_report.exportsMap,
204 dump_mode,
205 imprec_mode,
206 *dumpReport
207 );
208 }
209 return dumpReport;
210}
211
212bool pesieve::ResultsDumper::fillModuleCopy(IN ModuleScanReport* mod, IN OUT PeBuffer& module_buf)
213{
214 if (!mod) return false;
215
216 bool filled = false;
217
218 // first try to use cache:
219 WorkingSetScanReport* wsReport = dynamic_cast<WorkingSetScanReport*>(mod);
220 if (wsReport && wsReport->data_cache.isFilled()) {
221 filled = module_buf.fillFromBuffer((ULONGLONG)mod->module, wsReport->data_cache);
222 }
223 // if no cache, or loading from cache failed, read from the process memory:
224 if (!filled) {
225 filled = module_buf.readRemote((ULONGLONG)mod->module, mod->moduleSize);
226 }
227 return filled;
228}
229
230bool pesieve::ResultsDumper::dumpModule(IN HANDLE processHandle,
231 IN bool isRefl,
232 IN const ModulesInfo &modulesInfo,
233 IN ModuleScanReport* mod,
234 IN const peconv::ExportsMapper *exportsMap,
235 IN const pesieve::t_dump_mode dump_mode,
236 IN const t_imprec_mode imprec_mode,
237 OUT ProcessDumpReport &dumpReport
238)
239{
240 if (!mod) return false;
241
242 const bool save_imp_report = true;
243 bool is_dumped = false;
244
245 peconv::t_pe_dump_mode curr_dump_mode = convert_to_peconv_dump_mode(dump_mode);
246
247 bool dump_shellcode = false;
248 std::string payload_ext = "";
249
250 PeBuffer module_buf(processHandle, isRefl);
251 bool is_corrupt_pe = false;
252 ArtefactScanReport* artefactReport = dynamic_cast<ArtefactScanReport*>(mod);
253 if (artefactReport) {
254 payload_ext = get_payload_ext(*artefactReport);
255 // whenever the artefactReport is available, use it to reconstruct a PE
256 if (artefactReport->has_shellcode) {
257 dump_shellcode = true;
258 }
259 if (artefactReport->has_pe) {
260 ULONGLONG found_pe_base = artefactReport->artefacts.peImageBase();
261 PeReconstructor peRec(artefactReport->artefacts, module_buf);
262 if (!peRec.reconstruct()) {
263 is_corrupt_pe = true;
264 payload_ext = "corrupt_" + payload_ext;
265 if (!this->quiet) {
266 std::cout << "[-] Reconstructing PE at: " << std::hex << (ULONGLONG)found_pe_base << " failed." << std::endl;
267 }
268 }
269 }
270 }
271 // if it is not an artefact report, or reconstructing by artefacts failed, read it from the memory:
272 if (!artefactReport || is_corrupt_pe) {
273 fillModuleCopy(mod, module_buf);
274 }
275 //if no extension selected yet, do it now:
276 if (payload_ext.length() == 0) {
277 payload_ext = module_buf.isValidPe() ? "dll" : "shc";
278 }
279 const std::string module_name = get_module_file_name(processHandle, *mod);
280
281 ModuleDumpReport *modDumpReport = new ModuleDumpReport(module_buf.getModuleBase(), module_buf.getBufferSize());
282 dumpReport.appendReport(modDumpReport);
283
284 modDumpReport->dumpFileName = makeModuleDumpPath(module_buf.getModuleBase(), module_name, payload_ext);
285 modDumpReport->is_corrupt_pe = is_corrupt_pe;
286 modDumpReport->is_shellcode = !module_buf.isValidPe() && module_buf.isCode();
287
288 peconv::ImpsNotCovered notCovered;
289
290 if (module_buf.isFilled()) {
291
292 // Try to fix imports:
293 ImpReconstructor impRec(module_buf);
294 ImpReconstructor::t_imprec_res imprec_res = impRec.rebuildImportTable(exportsMap, imprec_mode);
295 modDumpReport->impRecMode = get_imprec_res_name(imprec_res);
296
297
298 module_buf.setRelocBase(mod->getRelocBase());
299 if (imprec_mode == pesieve::PE_IMPREC_NONE) {
300 modDumpReport->isDumped = module_buf.dumpPeToFile(modDumpReport->dumpFileName, curr_dump_mode);
301 }
302 else {
303 modDumpReport->isDumped = module_buf.dumpPeToFile(modDumpReport->dumpFileName, curr_dump_mode, exportsMap, &notCovered);
304 }
305
306
307 if (!modDumpReport->isDumped) {
308 modDumpReport->isDumped = module_buf.dumpToFile(modDumpReport->dumpFileName);
309 curr_dump_mode = peconv::PE_DUMP_VIRTUAL;
310 }
311 modDumpReport->mode_info = get_dump_mode_name(curr_dump_mode);
312 bool iat_not_rebuilt = (imprec_res == ImpReconstructor::IMP_RECOVERY_ERROR) || (imprec_res == ImpReconstructor::IMP_RECOVERY_NOT_APPLICABLE);
313 if (iat_not_rebuilt || save_imp_report) {
314 std::string imports_file = modDumpReport->dumpFileName + ".imports.txt";
315 if (impRec.printFoundIATs(imports_file)) {
316 modDumpReport->impListFileName = imports_file;
317 }
318 }
319 std::string imports_not_rec_file = modDumpReport->dumpFileName + ".not_fixed_imports.txt";
320 if (IATScanReport::saveNotRecovered(imports_not_rec_file, processHandle, nullptr, notCovered, modulesInfo, exportsMap)) {
321 modDumpReport->notRecoveredFileName = imports_not_rec_file;
322 }
323 }
324
325 if (!modDumpReport->isDumped || dump_shellcode)
326 {
327 if (dump_shellcode) {
328 payload_ext = "shc";
329 }
330
331 fillModuleCopy(mod, module_buf);
332
333 modDumpReport = new ModuleDumpReport(module_buf.getModuleBase(), module_buf.getBufferSize());
334 dumpReport.appendReport(modDumpReport);
335
336 modDumpReport->is_shellcode = dump_shellcode;
337 modDumpReport->dumpFileName = makeModuleDumpPath(module_buf.getModuleBase(), module_name, payload_ext);
338 modDumpReport->isDumped = module_buf.dumpToFile(modDumpReport->dumpFileName);
339 curr_dump_mode = peconv::PE_DUMP_VIRTUAL;
340 modDumpReport->mode_info = get_dump_mode_name(curr_dump_mode);
341 }
342 if (modDumpReport->isDumped) {
343 is_dumped = true;
344 if (!this->quiet) {
345 std::string mode_info = modDumpReport->mode_info;
346 if (mode_info.length() > 0) mode_info = " as " + mode_info;
347 std::cout << "[*] Dumped module to: " + modDumpReport->dumpFileName + mode_info << "\n";
348 }
349 }
350 else {
351 if (!this->quiet) {
352 std::cerr << "[-] Failed dumping module!" << std::endl;
353 }
354 is_dumped = false;
355 }
356
357 pesieve::CodeScanReport *codeScanReport = dynamic_cast<pesieve::CodeScanReport*>(mod);
358 if (codeScanReport) {
359 std::string tags_file = modDumpReport->dumpFileName + ".tag";
360
361 if (codeScanReport->generateTags(tags_file)) {
362 modDumpReport->hooksTagFileName = tags_file;
363 modDumpReport->isReportDumped = true;
364 }
365 }
366
367 pesieve::WorkingSetScanReport* wsScanReport = dynamic_cast<pesieve::WorkingSetScanReport*>(mod);
368 if (wsScanReport) {
369 std::string tags_file = modDumpReport->dumpFileName + ".pattern.tag";
370
371 if (wsScanReport->generateTags(tags_file)) {
372 modDumpReport->patternsTagFileName = tags_file;
373 modDumpReport->isReportDumped = true;
374 }
375 }
376
377
378 IATScanReport* iatHooksReport = dynamic_cast<IATScanReport*>(mod);
379 if (iatHooksReport) {
380 std::string imports_not_rec_file = modDumpReport->dumpFileName + ".iat_hooks.txt";
381
382 if (iatHooksReport->generateList(imports_not_rec_file, processHandle, modulesInfo, exportsMap)) {
383 modDumpReport->iatHooksFileName = imports_not_rec_file;
384 modDumpReport->isReportDumped = true;
385 }
386 }
387 return is_dumped;
388}
389
390void pesieve::ResultsDumper::makeAndJoinDirectories(std::stringstream& stream)
391{
392 if (!make_dump_dir(this->baseDir)) {
393 this->baseDir = ""; // reset path
394 }
395 std::string inner_dir = this->dumpDir;
396 if (baseDir.length() > 0) {
397 inner_dir = this->baseDir + DIR_SEPARATOR + this->dumpDir;
398 }
399 if (!make_dump_dir(inner_dir)) {
400 this->dumpDir = ""; // reset path
401 }
402 if (baseDir.length() > 0) {
403 stream << baseDir;
404 stream << DIR_SEPARATOR;
405 }
406 if (this->dumpDir.length() > 0) {
407 stream << this->dumpDir;
408 stream << DIR_SEPARATOR;
409 }
410}
411
412std::string pesieve::ResultsDumper::makeModuleDumpPath(ULONGLONG modBaseAddr, const std::string &fname, const std::string &default_extension)
413{
414 std::stringstream stream;
415 makeAndJoinDirectories(stream);
416 stream << std::hex << modBaseAddr;
417 if (fname.length() > 0) {
418 stream << ".";
419 stream << fname;
420 } else {
421 stream << "." << default_extension;
422 }
423 return stream.str();
424}
425
426std::string pesieve::ResultsDumper::makeOutPath(const std::string &fname, const std::string& default_extension)
427{
428 std::stringstream stream;
429 makeAndJoinDirectories(stream);
430
431 if (fname.length() > 0) {
432 stream << fname;
433 }
434 else {
435 stream << std::dec << time(nullptr);
436 stream << default_extension;
437 }
438 return stream.str();
439}
440
441std::string pesieve::ResultsDumper::makeDirName(const DWORD process_id)
442{
443 std::stringstream stream;
444 stream << "process_";
445 stream << process_id;
446 return stream.str();
447}
pesieve::ArtefactScanReport
A report from the artefacts scan, generated by ArtefactScanner.
Definition artefact_scanner.h:118
pesieve::CodeScanReport
A report from the code scan, generated by CodeScanner.
Definition code_scanner.h:14
pesieve::IATScanReport
A report from an IAT scan, generated by IATScanner.
Definition iat_scanner.h:12
pesieve::IATScanReport::saveNotRecovered
static bool saveNotRecovered(IN std::string fileName, IN HANDLE hProcess, IN peconv::ImportsCollection *storedFunc, IN peconv::ImpsNotCovered &notCovered, IN const ModulesInfo &modulesInfo, IN const peconv::ExportsMapper *exportsMap)
Definition iat_scanner.cpp:92
pesieve::ImpReconstructor::t_imprec_res
enum pesieve::ImpReconstructor::imprec_res t_imprec_res
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ModulesInfo
A container of all the process modules that were scanned.
Definition scanned_modules.h:84
pesieve::ProcessDumpReport
The report aggregating the results of the performed dumps.
Definition dump_report.h:48
pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19
pesieve::ResultsDumper::makeModuleDumpPath
std::string makeModuleDumpPath(ULONGLONG modBaseAddr, const std::string &fname, const std::string &defaultExtension)
Definition results_dumper.cpp:412
pesieve::ResultsDumper::makeDirName
std::string makeDirName(const DWORD process_id)
Definition results_dumper.cpp:441
pesieve::ResultsDumper::fillModuleCopy
bool fillModuleCopy(IN ModuleScanReport *mod, IN OUT PeBuffer &module_buf)
Definition results_dumper.cpp:212
pesieve::ResultsDumper::makeAndJoinDirectories
void makeAndJoinDirectories(std::stringstream &name_stream)
Definition results_dumper.cpp:390
pesieve::ResultsDumper::makeOutPath
std::string makeOutPath(const std::string &fname, const std::string &defaultExtension="")
Definition results_dumper.cpp:426
pesieve::ResultsDumper::dumpDetectedModules
ProcessDumpReport * dumpDetectedModules(HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const pesieve::t_imprec_mode imprec_mode)
Definition results_dumper.cpp:177
pesieve::ResultsDumper::dumpModule
bool dumpModule(IN HANDLE processHandle, IN bool isRefl, IN const ModulesInfo &modulesInfo, IN ModuleScanReport *modReport, IN const peconv::ExportsMapper *exportsMap, IN const pesieve::t_dump_mode dump_mode, IN const pesieve::t_imprec_mode imprec_mode, OUT ProcessDumpReport &dumpReport)
Definition results_dumper.cpp:230
pesieve::ResultsDumper::dumpJsonReport
bool dumpJsonReport(ProcessScanReport &process_report, const ProcessScanReport::t_report_filter &filter, const pesieve::t_json_level &jdetails)
Definition results_dumper.cpp:116
pesieve::WorkingSetScanReport
A report from the working set scan, generated by WorkingSetScanner.
Definition workingset_scanner.h:29
pesieve.t_dump_mode
Definition pesieve.py:51
pesieve.t_imprec_mode
Definition pesieve.py:42
pesieve.t_json_level
Definition pesieve.py:82
code_scanner.h
format_util.h
iat_scanner.h
imp_reconstructor.h
pesieve::util::create_dir_recursively
bool create_dir_recursively(const std::string &path)
Definition path_util.cpp:73
pesieve.MAX_PATH
int MAX_PATH
Definition pesieve.py:10
pesieve::get_imprec_res_name
std::string get_imprec_res_name(const ImpReconstructor::t_imprec_res &res)
Definition results_dumper.cpp:44
pesieve::get_payload_ext
std::string get_payload_ext(const ArtefactScanReport &artefactRepot)
Definition results_dumper.cpp:20
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
pesieve::convert_to_peconv_dump_mode
peconv::t_pe_dump_mode convert_to_peconv_dump_mode(const pesieve::t_dump_mode dump_mode)
Definition results_dumper.cpp:71
pesieve::get_module_file_name
std::string get_module_file_name(HANDLE processHandle, const ModuleScanReport &mod)
Definition results_dumper.cpp:97
pesieve::make_dump_dir
bool make_dump_dir(const std::string &directory)
Definition results_dumper.cpp:89
pesieve::get_dump_mode_name
std::string get_dump_mode_name(peconv::t_pe_dump_mode dump_mode)
Definition results_dumper.cpp:31
pe_reconstructor.h
DIR_SEPARATOR
#define DIR_SEPARATOR
Definition results_dumper.cpp:15
results_dumper.h
workingset_enum.h
Generated by doxygen 1.10.0