57 sig_finder::Match
m = *
itr;
70 if (!memPage.load()) {
81 bool obfuscated =
false;
103#ifdef CALC_PAGE_STATS
104 if (
isByStats || this->args.obfuscated) {
130 && memPage.loadMappedName())
149 if ( (obfuscated && this->args.obfuscated !=
OBFUSC_NONE)
155 my_report->data_cache = memPage.loadedData;
165 return isPotentiallyExecutable(memPage, this->args.data);
170 if (
mode == pesieve::PE_DATA_NO_SCAN) {
175 const bool is_managed = this->processReport.isManagedProcess();
176 if (
mode == pesieve::PE_DATA_SCAN_NO_DEP
177 && this->pDetails.isDEP && !is_managed)
181 if (
mode == pesieve::PE_DATA_SCAN_DOTNET
188 if (
mode != pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY) {
193 if ((
mode >= pesieve::PE_DATA_SCAN_INACCESSIBLE) || (
mode == pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY)) {
263 std::cout <<
"[!] Scanning detached: " << std::hex <<
module_start <<
" : " << memPage.
mapped_name << std::endl;
268 std::cout <<
"[-] Could not read the remote PE at: " << std::hex <<
module_start << std::endl;
277 std::cerr <<
"[-] [" << std::hex <<
modData.moduleHandle <<
"] Could not read the module file" << std::endl;
284 std::cout <<
"[*] Scanned for hollows. Status: " <<
scan_status << std::endl;
294 if (!args.no_hooks) {
296 || (!this->pDetails.isDEP && (
this->args.data == pesieve::PE_DATA_SCAN_NO_DEP));
297 const bool scan_inaccessible = (this->pDetails.isReflection && (this->args.data >= pesieve::PE_DATA_SCAN_INACCESSIBLE));
300 std::cout <<
"[*] Scanned for hooks. Status: " <<
scan_status << std::endl;
308 MemPageData memPage(this->processHandle, this->pDetails.isReflection,
this->memRegion.base, 0);
309 memPage.
is_listed_module = this->processReport.hasModule(this->memRegion.base);
313 std::cout <<
"[!] Could not fill: " << std::hex << memPage.
start_va <<
" to: " << memPage.
region_end <<
"\n";
320 std::cerr <<
"WARNING: Alloc Base mismatch: " << std::hex << memPage.
alloc_base <<
" vs " << this->memRegion.alloc_base << std::endl;
326 std::cerr <<
"WARNING: Size mismatch: " << std::hex << (memPage.
region_end - memPage.
region_start) <<
" vs " << this->memRegion.size << std::endl;
346 if (!isScannedAsModule(memPage)) {
356 std::cout << std::hex << memPage.
start_va <<
": Scanning executable area" << std::endl;
A class responsible for filling in the statistics with the data from the particular buffer.
A scanner for the detection of artefacts related to PE implants in the process working set.
DWORD protection
page protection
std::string mapped_name
if the region is mapped from a file, stores its file name
ULONGLONG start_va
The VA that was requested; it is not necessarily the beginning of the containing region.
Loads a module from disk that corresponds to the module in the scanned process' memory.
static t_scan_status scanForHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, bool scan_data, bool scan_inaccessible)
static t_scan_status scanForHollows(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report)
Buffers the data of the module loaded in the scanned process into local memory.
A report from the working set scan, generated by WorkingSetScanner.
std::vector< sig_finder::Match > custom_matched
size_t generateTags(const std::string &reportPath)
WorkingSetScanReport * scanExecutableArea(MemPageData &memPageData)
bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode)
bool checkAreaContent(IN MemPageData &_memPage, OUT WorkingSetScanReport *my_report)
bool isScannedAsModule(MemPageData &memPageData)
bool scanImg(MemPageData &memPage)
bool isExecutable(MemPageData &memPageData)
virtual WorkingSetScanReport * scanRemote()
size_t find_all_patterns(BYTE *loadedData, size_t loadedSize, std::vector< sig_finder::Match > &allMatches)
size_t filter_custom(std::vector< sig_finder::Match > &allMatches, std::vector< sig_finder::Match > &customPatternMatches)
size_t fillCodeStrings(OUT std::set< std::string > &codeStrings)
bool is_readable(DWORD mapping_type, DWORD protection)
bool is_executable(DWORD mapping_type, DWORD protection)
bool match_to_tag(std::ofstream &patch_report, const char delimiter, size_t start_offset, const sig_finder::Match &match)
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
enum pesieve::module_scan_status t_scan_status
bool is_by_stats(const t_shellc_mode &shellc_mode)
@ SHELLC_STATS
detect shellcode by statistical analysis of the area's content
@ SHELLC_NONE
do not detect shellcode
@ SHELLC_PATTERNS_OR_STATS
detect shellcode by patterns or statistics (any match)
@ SHELLC_PATTERNS_AND_STATS
detect shellcode by patterns and statistics (both must match)
@ PE_DATA_SCAN_INACCESSIBLE_ONLY
scan inaccessible pages (only effective when running in reflection mode; otherwise such pages are not scanned)
@ OBFUSC_ANY
detect both: areas possibly encrypted with strong or weak encryption
@ OBFUSC_WEAK_ENC
detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)
@ OBFUSC_STRONG_ENC
detect areas possibly encrypted with strong encryption
@ OBFUSC_NONE
do not detect obfuscated contents
Settings defining what type of stats should be collected.
std::set< std::string > watchedStrings