thread_scanner.h

Go to the documentation of this file.

#pragma once
 
#include <windows.h>
 
#include "module_scanner.h"
#include "../utils/threads_util.h"
#include "../utils/process_symbols.h"
#include "../stats/stats.h"
#include "../stats/entropy_stats.h"
 
namespace pesieve {
 
 
    class ThreadScanReport : public ModuleScanReport
    {
    public:
        static const DWORD THREAD_STATE_UNKNOWN = (-1);
        static const DWORD THREAD_STATE_WAITING = 5;
 
        static std::string translate_thread_state(DWORD thread_state);
        static std::string translate_wait_reason(DWORD thread_wait_reason);
        
        //---
 
        ThreadScanReport(DWORD _tid)
            : ModuleScanReport(0, 0), 
            tid(_tid), 
            susp_addr(0), protection(0), stack_ptr(0),
            thread_state(THREAD_STATE_UNKNOWN), thread_wait_reason(0), thread_wait_time(0)
        {
        }
 
        const virtual void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
        {
            ModuleScanReport::_toJSON(outs, level);
            outs << ",\n";
            OUT_PADDED(outs, level, "\"thread_id\" : ");
            outs << std::dec << tid;
            if (susp_addr) {
                outs << ",\n";
                if (this->module && this->moduleSize) {
                    OUT_PADDED(outs, level, "\"susp_addr\" : ");
                }
                else {
                    OUT_PADDED(outs, level, "\"susp_return_addr\" : ");
                }
                outs << "\"" << std::hex << susp_addr << "\"";
            }
            if (stack_ptr) {
                outs << ",\n";
                OUT_PADDED(outs, level, "\"susp_callstack\" : ");
                outs << "\"" << std::hex << stack_ptr << "\"";
            }
            if (thread_state != THREAD_STATE_UNKNOWN) {
                outs << ",\n";
                OUT_PADDED(outs, level, "\"thread_state\" : ");
                outs << "\"" << translate_thread_state(thread_state) << "\"";
 
                if (thread_state == THREAD_STATE_WAITING) {
                    outs << ",\n";
                    OUT_PADDED(outs, level, "\"thread_wait_reason\" : ");
                    outs << "\"" << translate_wait_reason(thread_wait_reason) << "\"";
                }
            }
            if (susp_addr) {
                outs << ",\n";
                OUT_PADDED(outs, level, "\"protection\" : ");
                outs << "\"" << std::hex << protection << "\"";
                if (stats.isFilled()) {
                    outs << ",\n";
                    stats.toJSON(outs, level);
                }
            }
        }
 
        const virtual bool toJSON(std::stringstream& outs, size_t level, const pesieve::t_json_level &jdetails)
        {
            OUT_PADDED(outs, level, "\"thread_scan\" : {\n");
            fieldsToJSON(outs, level + 1, jdetails);
            outs << "\n";
            OUT_PADDED(outs, level, "}");
            return true;
        }
 
        DWORD tid;
        ULONGLONG susp_addr;
        DWORD protection;
        ULONGLONG stack_ptr;
        DWORD thread_state;
        DWORD thread_wait_reason;
        DWORD thread_wait_time;
        AreaEntropyStats stats;
    };
 
    typedef struct _ctx_details {
        bool is64b;
        ULONGLONG rip;
        ULONGLONG rsp;
        ULONGLONG rbp;
        ULONGLONG last_ret; // the last return address on the stack
        ULONGLONG ret_on_stack; // the last return address stored on the stack
        bool is_ret_as_syscall;
        bool is_ret_in_frame;
        bool is_managed; // does it contain .NET modules
        size_t stackFramesCount;
        std::set<ULONGLONG> shcCandidates;
 
        _ctx_details(bool _is64b = false, ULONGLONG _rip = 0, ULONGLONG _rsp = 0, ULONGLONG _rbp = 0, ULONGLONG _ret_addr = 0)
            : is64b(_is64b), rip(_rip), rsp(_rsp), rbp(_rbp), last_ret(_ret_addr), ret_on_stack(0), is_ret_as_syscall(false), is_ret_in_frame(false),
            stackFramesCount(0),
            is_managed(false)
        {
        }
 
        void init(bool _is64b = false, ULONGLONG _rip = 0, ULONGLONG _rsp = 0, ULONGLONG _rbp = 0, ULONGLONG _ret_addr = 0)
        {
            this->is64b = _is64b;
            this->rip = _rip;
            this->rsp = _rsp;
            this->rbp = _rbp;
            this->last_ret = _ret_addr;
        }
 
    } ctx_details;
 
    class ThreadScanner : public ProcessFeatureScanner {
    public:
        ThreadScanner(HANDLE hProc, bool _isReflection, const util::thread_info& _info, ModulesInfo& _modulesInfo, peconv::ExportsMapper* _exportsMap, ProcessSymbolsManager* _symbols)
            : ProcessFeatureScanner(hProc), isReflection(_isReflection),
            info(_info), modulesInfo(_modulesInfo), exportsMap(_exportsMap), symbols(_symbols)
        {
        }
 
        virtual ThreadScanReport* scanRemote();
 
    protected:
        bool scanRemoteThreadCtx(HANDLE hThread, ThreadScanReport* my_report);
        bool isAddrInShellcode(ULONGLONG addr);
        void printThreadInfo(const util::thread_info& threadi);
        bool printResolvedAddr(ULONGLONG addr);
        bool fetchThreadCtxDetails(IN HANDLE hProcess, IN HANDLE hThread, OUT ctx_details& c);
        size_t fillCallStackInfo(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT ctx_details& cDetails);
        size_t analyzeCallStack(IN const std::vector<ULONGLONG> &stack_frame, IN OUT ctx_details& cDetails);
        bool checkReturnAddrIntegrity(IN const std::vector<ULONGLONG>& callStack);
        bool fillAreaStats(ThreadScanReport* my_report);
        bool reportSuspiciousAddr(ThreadScanReport* my_report, ULONGLONG susp_addr);
 
        bool isReflection;
        const util::thread_info& info;
        ModulesInfo& modulesInfo;
        peconv::ExportsMapper* exportsMap;
        ProcessSymbolsManager* symbols;
    };
 
}; //namespace pesieve