PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
thread_scanner.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include "module_scanner.h"
6#include "../utils/threads_util.h"
7#include "../stats/stats.h"
8#include "../stats/entropy_stats.h"
9
10namespace pesieve {
11
13 class ThreadScanReport : public ModuleScanReport
14 {
15 public:
16 static const DWORD THREAD_STATE_UNKNOWN = (-1);
17 static const DWORD THREAD_STATE_WAITING = 5;
18
25
26 const virtual void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
27 {
28 ModuleScanReport::_toJSON(outs, level);
29 outs << ",\n";
30
31 OUT_PADDED(outs, level, "\"thread_id\" : ");
32 outs << std::dec << tid;
33 outs << ",\n";
34 OUT_PADDED(outs, level, "\"thread_ip\" : ");
35 outs << "\"" << std::hex << thread_ip << "\"";
36 outs << ",\n";
37 if (thread_state != THREAD_STATE_UNKNOWN) {
38 OUT_PADDED(outs, level, "\"thread_state\" : ");
39 outs << "\"" << translate_thread_state(thread_state) << "\"";
40 outs << ",\n";
41
42 if (thread_state == THREAD_STATE_WAITING) {
43 OUT_PADDED(outs, level, "\"thread_wait_reason\" : ");
44 outs << "\"" << translate_wait_reason(thread_wait_reason) << "\"";
45 outs << ",\n";
46 }
47 }
48 OUT_PADDED(outs, level, "\"protection\" : ");
49 outs << "\"" << std::hex << protection << "\"";
50 if (stats.isFilled()) {
51 outs << ",\n";
52 stats.toJSON(outs, level);
53 }
54 }
55
56 const virtual bool toJSON(std::stringstream& outs, size_t level, const pesieve::t_json_level &jdetails)
57 {
58 OUT_PADDED(outs, level, "\"thread_scan\" : {\n");
59 fieldsToJSON(outs, level + 1, jdetails);
60 outs << "\n";
61 OUT_PADDED(outs, level, "}");
62 return true;
63 }
64
65 ULONGLONG thread_ip;
66 DWORD tid;
67 DWORD protection;
68 DWORD thread_state;
69 DWORD thread_wait_reason;
70 AreaEntropyStats stats;
71
72 protected:
73 static std::string translate_thread_state(DWORD thread_state);
74 static std::string translate_wait_reason(DWORD thread_wait_reason);
75 };
76
78 typedef struct _thread_ctx {
79 bool is64b;
80 ULONGLONG rip;
81 ULONGLONG rsp;
82 ULONGLONG rbp;
83 ULONGLONG ret_addr; // the last return address on the stack (or the address of the first shellcode)
84 bool is_managed; // does it contain .NET modules
85 } thread_ctx;
86
89 class ThreadScanner : public ProcessFeatureScanner {
90 public:
91 // neccessery to validly recognize stack frame
92 static bool InitSymbols(HANDLE hProc);
93 static bool FreeSymbols(HANDLE hProc);
94
100
101 virtual ThreadScanReport* scanRemote();
102
103 protected:
104
105 bool isAddrInShellcode(ULONGLONG addr);
106 bool resolveAddr(ULONGLONG addr);
107 bool fetchThreadCtx(IN HANDLE hProcess, IN HANDLE hThread, OUT thread_ctx& c);
108 size_t enumStackFrames(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT thread_ctx& c);
109 bool fillAreaStats(ThreadScanReport* my_report);
110 bool reportSuspiciousAddr(ThreadScanReport* my_report, ULONGLONG susp_addr, thread_ctx& c);
111
112 bool isReflection;
113 const util::thread_info& info;
114 ModulesInfo& modulesInfo;
115 peconv::ExportsMapper* exportsMap;
116 };
117
118}; //namespace pesieve
pesieve::AreaStats::isFilled
bool isFilled() const
Definition stats.h:40
pesieve::AreaStats::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level)
Definition stats.h:49
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ModuleScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:70
pesieve::ModulesInfo
A container of all the process modules that were scanned.
Definition scanned_modules.h:84
pesieve::ProcessFeatureScanner
A base class for all the scanners checking appropriate process' features.
Definition process_feature_scanner.h:12
pesieve::ThreadScanReport
A report from the thread scan, generated by ThreadScanner.
Definition thread_scanner.h:14
pesieve::ThreadScanReport::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition thread_scanner.h:26
pesieve::ThreadScanReport::translate_wait_reason
static std::string translate_wait_reason(DWORD thread_wait_reason)
Definition thread_scanner.cpp:92
pesieve::ThreadScanReport::THREAD_STATE_UNKNOWN
static const DWORD THREAD_STATE_UNKNOWN
Definition thread_scanner.h:16
pesieve::ThreadScanReport::THREAD_STATE_WAITING
static const DWORD THREAD_STATE_WAITING
Definition thread_scanner.h:17
pesieve::ThreadScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition thread_scanner.h:56
pesieve::ThreadScanReport::translate_thread_state
static std::string translate_thread_state(DWORD thread_state)
Definition thread_scanner.cpp:106
pesieve::ThreadScanner::ThreadScanner
ThreadScanner(HANDLE hProc, bool _isReflection, const util::thread_info &_info, ModulesInfo &_modulesInfo, peconv::ExportsMapper *_exportsMap)
Definition thread_scanner.h:95
pesieve::ThreadScanner::scanRemote
virtual ThreadScanReport * scanRemote()
Definition thread_scanner.cpp:382
pesieve::ThreadScanner::reportSuspiciousAddr
bool reportSuspiciousAddr(ThreadScanReport *my_report, ULONGLONG susp_addr, thread_ctx &c)
Definition thread_scanner.cpp:306
pesieve::ThreadScanner::enumStackFrames
size_t enumStackFrames(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT thread_ctx &c)
Definition thread_scanner.cpp:127
pesieve::ThreadScanner::resolveAddr
bool resolveAddr(ULONGLONG addr)
Definition thread_scanner.cpp:250
pesieve::ThreadScanner::FreeSymbols
static bool FreeSymbols(HANDLE hProc)
Definition thread_scanner.cpp:344
pesieve::ThreadScanner::fillAreaStats
bool fillAreaStats(ThreadScanReport *my_report)
Definition thread_scanner.cpp:293
pesieve::ThreadScanner::isAddrInShellcode
bool isAddrInShellcode(ULONGLONG addr)
Definition thread_scanner.cpp:238
pesieve::ThreadScanner::exportsMap
peconv::ExportsMapper * exportsMap
Definition thread_scanner.h:115
pesieve::ThreadScanner::info
const util::thread_info & info
Definition thread_scanner.h:113
pesieve::ThreadScanner::InitSymbols
static bool InitSymbols(HANDLE hProc)
Definition thread_scanner.cpp:336
pesieve::ThreadScanner::fetchThreadCtx
bool fetchThreadCtx(IN HANDLE hProcess, IN HANDLE hThread, OUT thread_ctx &c)
Definition thread_scanner.cpp:193
pesieve.t_json_level
Definition pesieve.py:82
entropy_stats.h
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
module_scanner.h
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
pesieve::thread_ctx
struct pesieve::_thread_ctx thread_ctx
A custom structure keeping a fragment of a thread context.
pesieve::_thread_ctx
A custom structure keeping a fragment of a thread context.
Definition thread_scanner.h:78
pesieve::_thread_ctx::ret_addr
ULONGLONG ret_addr
Definition thread_scanner.h:83
pesieve::_thread_ctx::rsp
ULONGLONG rsp
Definition thread_scanner.h:81
pesieve::_thread_ctx::rip
ULONGLONG rip
Definition thread_scanner.h:80
pesieve::_thread_ctx::is64b
bool is64b
Definition thread_scanner.h:79
pesieve::_thread_ctx::rbp
ULONGLONG rbp
Definition thread_scanner.h:82
pesieve::_thread_ctx::is_managed
bool is_managed
Definition thread_scanner.h:84
pesieve::util::_thread_info
Definition threads_util.h:35
threads_util.h
Generated by doxygen 1.10.0