64 std::cout <<
ss.str() << std::endl;
70 : args(
_args), isDEP(
false), isReflection(is_reflection)
92 std::cout <<
"Arch mismatch, reloading..." << std::endl;
96 scan_report =
scanner.scanRemote();
119 std::cout <<
"Cannot scan replaced module for IAT hooks!\n";
161 std::set<ModuleScanReport*>::iterator
itr;
182 ||
this->args.dotnet_policy == pesieve::PE_DNET_NONE)
187 if (this->args.dotnet_policy == pesieve::PE_DNET_SKIP_MAPPING
188 ||
this->args.dotnet_policy == pesieve::PE_DNET_SKIP_ALL)
194 if (this->args.dotnet_policy == pesieve::PE_DNET_SKIP_HOOKS
195 ||
this->args.dotnet_policy == pesieve::PE_DNET_SKIP_ALL)
201 if (this->args.dotnet_policy == pesieve::PE_DNET_SKIP_SHC
202 ||
this->args.dotnet_policy == pesieve::PE_DNET_SKIP_ALL)
234 }
catch (std::exception &
e) {
243 }
catch (std::exception &
e) {
254 catch (std::exception&
e) {
266 catch (std::exception&
e) {
274 throw std::runtime_error(
errorsStr.str());
287 throw std::runtime_error(
"Could not query the working set. ");
296 std::cout <<
"Scanning workingset: " << std::dec <<
pages_count <<
" memory regions." << std::endl;
343 if (args.imprec_mode !=
PE_IMPREC_NONE || args.iat != pesieve::PE_IATS_NONE) {
344 pReport.exportsMap =
new peconv::ExportsMapper();
349 if (processHandle ==
nullptr)
break;
358 std::cout <<
"[!][" << args.pid <<
"] Suspicious: could not read the module file!" << std::endl;
376 std::cout <<
"[*] Skipping ignored: " << std::hex << (
ULONGLONG)
modData.moduleHandle <<
" : " <<
modData.szModName << std::endl;
383 std::cout <<
"[*] Scanning: " <<
modData.szModName;
385 std::cout <<
" (.NET) ";
387 std::cout << std::endl;
414 const bool scan_data = ((this->args.data >= pesieve::PE_DATA_SCAN_ALWAYS) && (this->args.data != pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY))
415 || (!this->isDEP && (this->args.data == pesieve::PE_DATA_SCAN_NO_DEP));
435 std::cout <<
"Scanning for IAT hooks: " <<
modules_count <<
" modules." << std::endl;
440 if (!processHandle)
break;
461 scanForIATHooks(processHandle,
modData, remoteModData,
pReport, this->args.iat);
477 if (is_64bit)
return 0;
481 std::cout <<
"Scanning threads." << std::endl;
491 std::cout <<
"[-] Failed enumerating threads." << std::endl;
498 std::vector<thread_info>::iterator
itr;
A report from the code scan, generated by CodeScanner.
A scanner for detection of patches in the code.
Processes the list of the collected patches (preprocessed by PatchAnalyzer), and for those of them th...
A report from an IAT scan, generated by IATScanner.
A scanner for detection of IAT hooking.
A scanner for detection of inconsistencies in mapping. Checks if the mapped file name is different th...
Loads a module from the disk, corresponding to the module in the scanned process' memory.
A base class of all the reports detailing the output of the performed module's scan.
static t_scan_status get_scan_status(const ModuleScanReport *report)
The report aggregating the results of the performed scan.
size_t scanWorkingSet(ProcessScanReport &pReport)
size_t scanModules(ProcessScanReport &pReport)
size_t scanThreads(ProcessScanReport &pReport)
ProcessScanner(HANDLE procHndl, bool is_reflection, pesieve::t_params _args)
static t_scan_status scanForHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, bool scan_data, bool scan_inaccessible)
size_t scanModulesIATs(ProcessScanReport &pReport)
static t_scan_status scanForHollows(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report)
bool resolveHooksTargets(ProcessScanReport &process_report)
bool filterDotNetReport(ProcessScanReport &process_report)
ModuleScanReport * scanForMappingMismatch(ModuleData &modData, ProcessScanReport &process_report)
static t_scan_status scanForIATHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, t_iat_scan_mode filter)
ProcessScanReport * scanRemote()
The main function of ProcessScanner, deploying the scan. Throws exceptions in case of a failure.
std::set< std::string > ignoredModules
Buffers the data from the module loaded in the scanned process into the local memory.
A report from the thread scan, generated by ThreadScanner.
static bool FreeSymbols(HANDLE hProc)
static bool InitSymbols(HANDLE hProc)
A report from the working set scan, generated by WorkingSetScanner.
A scanner for detection of code implants in the process workingset.
bool is_process_64bit(IN HANDLE process)
bool fetch_threads_info(DWORD pid, std::vector< thread_info > &threads_info)
size_t enum_modules(IN HANDLE hProcess, IN OUT HMODULE hMods[], IN const DWORD hModsMax, IN DWORD filters)
void print_scantime(std::stringstream &stream, size_t timeInMs)
BOOL is_process_wow64(IN HANDLE processHandle, OUT BOOL *isProcWow64)
bool is_DEP_enabled(HANDLE hProcess)
DWORD count_workingset_entries(HANDLE processHandle)
size_t string_to_list(IN::std::string s, IN char _delim, OUT std::set< std::string > &elements_list, bool to_lower=true)
std::string device_path_to_win32_path(const std::string &full_path)
size_t enum_workingset(HANDLE processHandle, std::set< mem_region_info > &regions)
bool is_in_list(std::string searched_string, std::set< std::string > &string_list, bool to_lower=true)
BOOL(CALLBACK *_MiniDumpWriteDump)(HANDLE hProcess
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
bool fetch_threads_by_snapshot(DWORD pid, std::vector< thread_info > &threads_info)
bool validate_param_str(PARAM_STRING &strparam)
void print_scan_time(const char *scanned_element, size_t total_time)
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
std::string info()
The string with the basic information about the scanner.
enum pesieve::module_scan_status t_scan_status
#define PARAM_LIST_SEPARATOR
@ PE_DATA_SCAN_INACCESSIBLE
scan data unconditionally, and inaccessible pages (if running in reflection mode)
@ PE_IMPREC_NONE
do not try to recover imports
bool set_non_suspicious(const std::set< ModuleScanReport * > &scan_reports, bool dnet_modules_only)
Final summary about the scanned process.