1#pragma once
2
3#include <windows.h>
4#include <iostream>
5#include <string>
6#include <map>
7
8namespace pesieve {
9 namespace util {
10 size_t extract_syscall_table(OUT std::map<DWORD, std::string>& syscallToName);
11 }; //namespace util
12
13 struct SyscallTable {
14
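/**
 * Tells whether two exported names denote the same syscall stub.
 *
 * Two names are treated as equivalent when any of the following holds:
 *  - they are identical;
 *  - both start with "Nt" or "Zw" and the remainders are identical
 *    (e.g. "NtClose" / "ZwClose");
 *  - both start with "Nt" or "Zw" and the remainders differ only by a
 *    trailing "32" on one of them (e.g. "NtFoo" / "ZwFoo32").
 * Everything else - a different body, a suffix other than "32", or a name
 * without one of the two prefixes - is reported as distinct. The comparison
 * is case-sensitive and never throws: names shorter than the prefix are
 * simply treated as unprefixed.
 *
 * \param func1 first exported function name
 * \param func2 second exported function name
 * \return true if both names refer to the same syscall, false otherwise
 */
static bool isSameSyscallFunc(const std::string& func1, const std::string& func2)
{
    if (func1 == func2) return true;

    // Both names must carry one of the user-mode syscall prefixes.
    // compare(pos, len, ...) builds no temporary strings and is safe on
    // inputs shorter than two characters (it just reports a mismatch).
    const bool prefixed1 = func1.compare(0, 2, "Nt") == 0 || func1.compare(0, 2, "Zw") == 0;
    const bool prefixed2 = func2.compare(0, 2, "Nt") == 0 || func2.compare(0, 2, "Zw") == 0;
    if (!prefixed1 || !prefixed2) return false;

    // Lengths of the names with the two-character prefix stripped.
    const size_t body1_len = func1.length() - 2;
    const size_t body2_len = func2.length() - 2;

    if (body1_len == body2_len) {
        // Equal-length bodies can only match if they are identical
        // (i.e. the names differ solely in the Nt/Zw prefix).
        return func1.compare(2, body1_len, func2, 2, body2_len) == 0;
    }

    // Different lengths: accept only when the shorter body is a prefix of
    // the longer one and the leftover is exactly "32".
    const bool first_is_shorter = body1_len < body2_len;
    const std::string& shorter = first_is_shorter ? func1 : func2;
    const std::string& longer = first_is_shorter ? func2 : func1;
    const size_t common_len = first_is_shorter ? body1_len : body2_len;

    if (longer.compare(2, common_len, shorter, 2, common_len) != 0) return false;
    return longer.compare(2 + common_len, std::string::npos, "32") == 0;
}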
44
46 {
48#ifdef _DEBUG
49 std::cout << "Extracted syscalls: " << syscallToName.size() << "\n";
50#endif
51 }
52
/**
 * Reports whether the syscall table holds any entries, i.e. whether the
 * extraction performed by the constructor produced at least one id->name pair.
 *
 * \return true if at least one syscall is known, false if the table is empty
 */
bool isReady()
{
    return !syscallToName.empty();
}
57
/**
 * Looks up the exported name registered for a syscall id.
 *
 * \param id the syscall number to resolve
 * \return a copy of the name mapped to \p id, or an empty string when the id
 *         is not present in the table (callers cannot distinguish "unknown"
 *         from an entry whose stored name is empty)
 */
std::string getSyscallName(DWORD id)
{
    const auto found = syscallToName.find(id);
    return (found == syscallToName.end()) ? std::string() : found->second;
}
66
67 std::map<DWORD, std::string> syscallToName;
68 }; //struct SyscallTable
69
70}; // namespace pesieve