pe-sieve/workingset__scanner_8cpp_source.html

#include "workingset_scanner.h"

#include "module_data.h"

#include "artefact_scanner.h"

#include "scanner.h"


#include "../utils/path_converter.h"

#include "../utils/workingset_enum.h"

#include "../utils/artefacts_util.h"


#include <fstream>


using namespace pesieve;

using namespace pesieve::util;


namespace pesieve {


    inline bool is_by_stats(const t_shellc_mode& shellc_mode)

    {

        switch (shellc_mode) {

        case  SHELLC_STATS:

        case  SHELLC_PATTERNS_OR_STATS:

        case SHELLC_PATTERNS_AND_STATS:

            return true;

        }

        return false;

    }


    inline bool match_to_tag(std::ofstream& patch_report, const char delimiter, size_t start_offset, const sig_finder::Match &match)

    {

        if (patch_report.is_open() && match.sign) {

            patch_report << std::hex << match.offset + start_offset;

            patch_report << delimiter;

            patch_report << match.sign->name;

            patch_report << delimiter;

            patch_report << match.sign->size();

            patch_report << std::endl;

            return true;

        }

        return false;

    }


};


size_t WorkingSetScanReport::generateTags(const std::string& reportPath)

{

    if (this->custom_matched.size() == 0) {

        return 0;

    }

    std::ofstream patch_report;

    patch_report.open(reportPath);

    if (patch_report.is_open() == false) {

        return 0;

    }

    size_t count = 0;

    for (auto itr = custom_matched.begin(); itr != custom_matched.end(); ++itr) {

        sig_finder::Match m = *itr;

        if (match_to_tag(patch_report, ';', this->match_area_start, m)) count++;

    }

    if (patch_report.is_open()) {

        patch_report.close();

    }

    return count;

}


//---


bool pesieve::WorkingSetScanner::checkAreaContent(IN MemPageData& memPage, OUT WorkingSetScanReport* my_report)

{

    if (!memPage.load()) {

        return false;

    }


    const bool noPadding = true;


    bool isByStats = is_by_stats(this->args.shellcode);


    bool code = false;

    bool codeP = false;

    bool codeS = false;

    bool obfuscated = false;


    size_t custom_matched_count = 0;


    if (matcher::is_matcher_ready()) {

        std::vector<sig_finder::Match> allMatched;

        my_report->all_matched_count = matcher::find_all_patterns(memPage.getLoadedData(noPadding), memPage.getLoadedSize(noPadding), allMatched);

        custom_matched_count = matcher::filter_custom(allMatched, my_report->custom_matched);

        if (my_report->all_matched_count) {

            my_report->match_area_start = memPage.getStartOffset(noPadding);

            codeP = true;

            code = true;

            if (this->args.shellcode == SHELLC_PATTERNS_OR_STATS) {

                isByStats = false; // condition satisfied, no more checks required

            }

        }

        else {

            if (this->args.shellcode == SHELLC_PATTERNS_AND_STATS) {

                isByStats = false; // condition NOT satisfied, no more checks required

            }

        }

    }

#ifdef CALC_PAGE_STATS

    if (isByStats || this->args.obfuscated) {


        // fill default settings

        MultiStatsSettings settings;

        stats::fillCodeStrings(settings.watchedStrings);


        AreaStatsCalculator calc(memPage.loadedData);

        if (calc.fill(my_report->stats, &settings)) {


            pesieve::RuleMatchersSet codeMatcher(RuleMatcher::RULE_CODE);

            if (codeMatcher.findMatches(my_report->stats, my_report->area_info)) {

                codeS = true;

                code = true;

            }


            if (!codeS && (this->args.obfuscated != OBFUSC_NONE)) {

                int rules = 0;

                if (this->args.obfuscated == OBFUSC_ANY) rules = RuleMatcher::RULE_OBFUSCATED | RuleMatcher::RULE_ENCRYPTED;

                if (this->args.obfuscated == OBFUSC_STRONG_ENC) rules = RuleMatcher::RULE_ENCRYPTED;

                if (this->args.obfuscated == OBFUSC_WEAK_ENC) rules = RuleMatcher::RULE_OBFUSCATED;

                pesieve::RuleMatchersSet obfMatcher(rules);

                if (obfMatcher.findMatches(my_report->stats, my_report->area_info)) {

                    obfuscated = true;

                    // filter out cache:

                    if (memPage.mapping_type == MEM_MAPPED // mapped memory

                        && !util::is_executable(memPage.mapping_type, memPage.protection) // non executable page

                        && memPage.loadMappedName()) //named

                    {

                        obfuscated = false;

                    }

                }

            }

        }

    }

#endif


    if (this->args.shellcode == SHELLC_PATTERNS_AND_STATS) {

        code = (codeP && codeS);

    }

    else if (this->args.shellcode == SHELLC_PATTERNS_OR_STATS) {

        code = (codeP || codeS);

    }


    my_report->has_shellcode = code;


    if ( (obfuscated && this->args.obfuscated != OBFUSC_NONE)

        || (code && (this->args.shellcode != SHELLC_NONE || custom_matched_count) ))

    {

        my_report->status = SCAN_SUSPICIOUS;

    }

    if (my_report->status == SCAN_SUSPICIOUS) {

        my_report->data_cache = memPage.loadedData;

    }

    return true;

}


bool pesieve::WorkingSetScanner::isExecutable(MemPageData &memPage)

{

    if (pesieve::util::is_executable(memPage.mapping_type, memPage.protection)) {

        return true;

    }

    return isPotentiallyExecutable(memPage, this->args.data);

}


bool pesieve::WorkingSetScanner::isPotentiallyExecutable(MemPageData &memPage, const t_data_scan_mode &mode)

{

    if (mode == pesieve::PE_DATA_NO_SCAN) {

        return false;

    }


    // check preconditions:

    const bool is_managed = this->processReport.isManagedProcess();

    if (mode == pesieve::PE_DATA_SCAN_NO_DEP

        && this->pDetails.isDEP && !is_managed)

    {

        return false;

    }

    if (mode == pesieve::PE_DATA_SCAN_DOTNET

        && !is_managed)

    {

        return false;

    }

    // preconditions are fulfilled, now check the access:

    const bool is_page_readable = pesieve::util::is_readable(memPage.mapping_type, memPage.protection);

    if (mode != pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY) {

        if (is_page_readable) {

            return true;

        }

    }

    if ((mode >= pesieve::PE_DATA_SCAN_INACCESSIBLE) || (mode == pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY)) {

        if (this->pDetails.isReflection && (memPage.protection & PAGE_NOACCESS)) {

            return true;

        }

    }

    return false;

}


WorkingSetScanReport* pesieve::WorkingSetScanner::scanExecutableArea(MemPageData &_memPage)

{

    if (!_memPage.load()) {

        return nullptr;

    }

    // check for PE artifacts (regardless if it has shellcode patterns):

    if (!isScannedAsModule(_memPage)) {

        ArtefactScanner artefactScanner(this->processHandle, this->pDetails, _memPage, this->processReport);

        WorkingSetScanReport *my_report1 = artefactScanner.scanRemote();

        if (my_report1) {

            //pe artefacts found

            return my_report1;

        }

    }

    if ((!matcher::is_matcher_ready())

        && (this->args.obfuscated == OBFUSC_NONE))

    {

        // not a PE file, and we are not interested in patterns or obfuscated contents, so just finish it here

        return nullptr;

    }


    //report about shellcode:

    ULONGLONG region_start = _memPage.region_start;

    const size_t region_size = size_t(_memPage.region_end - region_start);

    WorkingSetScanReport* my_report = new WorkingSetScanReport((HMODULE)region_start, region_size, SCAN_NOT_SUSPICIOUS);

    if (!my_report) {

        return nullptr;

    }


    if (!checkAreaContent(_memPage, my_report)) { // check for shellcode patterns & stats

        my_report->status = SCAN_ERROR;

    }

    if (my_report->status == SCAN_NOT_SUSPICIOUS) {

        // do not keep reports for not suspicious areas

        delete my_report;

        return nullptr;

    }

    my_report->has_pe = isScannedAsModule(_memPage) && this->processReport.hasModule(_memPage.region_start);

    return my_report;

}


bool pesieve::WorkingSetScanner::isScannedAsModule(MemPageData &memPage)

{

    if (memPage.mapping_type != MEM_IMAGE) {

        return false;

    }

    if (this->processReport.hasModule((ULONGLONG)memPage.alloc_base)) {

        return true; // it was already scanned as a PE

    }

    return false;

}


bool pesieve::WorkingSetScanner::scanImg(MemPageData& memPage)

{

    if (!memPage.loadMappedName()) {

        //cannot retrieve the mapped name

        return false;

    }


    const HMODULE module_start = (HMODULE)memPage.alloc_base;


    if (!args.quiet) {

        std::cout << "[!] Scanning detached: " << std::hex << module_start << " : " << memPage.mapped_name << std::endl;

    }

    RemoteModuleData remoteModData(this->processHandle, this->pDetails.isReflection, module_start);

    if (!remoteModData.isInitialized()) {

        if (!args.quiet) {

            std::cout << "[-] Could not read the remote PE at: " << std::hex << module_start << std::endl;

        }

        return false;

    }


    //load module from file:

    ModuleData modData(processHandle, module_start, memPage.mapped_name, args.use_cache);

    if (!modData.loadOriginal()) {

        if (!args.quiet) {

            std::cerr << "[-] [" << std::hex << modData.moduleHandle << "] Could not read the module file" << std::endl;

        }

        processReport.appendReport(new UnreachableModuleReport(module_start, 0, memPage.mapped_name));

        return false;

    }

    t_scan_status scan_status = ProcessScanner::scanForHollows(processHandle, modData, remoteModData, processReport);

#ifdef _DEBUG

    std::cout << "[*] Scanned for hollows. Status: " << scan_status << std::endl;

#endif

    if (scan_status == SCAN_ERROR) {

        // failed scanning it as a loaded PE module

        return false;

    }

    if (scan_status == SCAN_SUSPICIOUS) {

        // detected as hollowed, no need for further scans

        return true;

    }

    if (!args.no_hooks) {

        const bool scan_data = (this->args.data >= pesieve::PE_DATA_SCAN_ALWAYS && this->args.data != PE_DATA_SCAN_INACCESSIBLE_ONLY)

            || (!this->pDetails.isDEP && (this->args.data == pesieve::PE_DATA_SCAN_NO_DEP));

        const bool scan_inaccessible = (this->pDetails.isReflection && (this->args.data >= pesieve::PE_DATA_SCAN_INACCESSIBLE));

        scan_status = ProcessScanner::scanForHooks(processHandle, modData, remoteModData, processReport, scan_data, scan_inaccessible);

#ifdef _DEBUG

        std::cout << "[*] Scanned for hooks. Status: " << scan_status << std::endl;

#endif

    }

    return true;

}


WorkingSetScanReport* pesieve::WorkingSetScanner::scanRemote()

{

    MemPageData memPage(this->processHandle, this->pDetails.isReflection, this->memRegion.base, 0);

    memPage.is_listed_module = this->processReport.hasModule(this->memRegion.base);


    if (!memPage.isInfoFilled() && !memPage.fillInfo()) {

#ifdef _DEBUG

        std::cout << "[!] Could not fill: " << std::hex << memPage.start_va << " to: " << memPage.region_end << "\n";

#endif

        return nullptr;

    }

    // sanity checks to make sure that we are scanning the same page that was previously collected:

    if (memPage.alloc_base != this->memRegion.alloc_base) {

#ifdef _DEBUG

        std::cerr << "WARNING: Alloc Base mismatch: " << std::hex << memPage.alloc_base << " vs " << this->memRegion.alloc_base << std::endl;

#endif

        return nullptr;

    }

    if ((memPage.region_end - memPage.region_start) != this->memRegion.size) {

#ifdef _DEBUG

        std::cerr << "WARNING: Size mismatch: " << std::hex << (memPage.region_end - memPage.region_start) << " vs " << this->memRegion.size << std::endl;

#endif

        return nullptr;

    }


    // is the page executable?

    const bool is_any_exec = isExecutable(memPage);

    if (!is_any_exec) {

        // probably not interesting

        return nullptr;

    }


    if (memPage.mapping_type == MEM_MAPPED && memPage.isRealMapping()) {

        //probably legit

        return nullptr;

    }


    if (memPage.mapping_type == MEM_IMAGE) {

        memPage.loadModuleName();

        memPage.loadMappedName();

        if (!isScannedAsModule(memPage)) {

            scanImg(memPage);

        }

        const size_t region_size = (memPage.region_end) ? (memPage.region_end - memPage.region_start) : 0;

        if (this->processReport.hasModuleContaining(memPage.region_start, region_size)) {

            // the area was already scanned

            return nullptr;

        }

    }

#ifdef _DEBUG

    std::cout << std::hex << memPage.start_va << ": Scanning executable area" << std::endl;

#endif

    WorkingSetScanReport* my_report = this->scanExecutableArea(memPage);

    if (!my_report) {

        return nullptr;

    }

    my_report->is_executable = true;

    my_report->protection = memPage.protection;

    my_report->mapping_type = memPage.mapping_type;

    my_report->mapped_name = memPage.mapped_name;

    return my_report;

}


artefact_scanner.h

artefacts_util.h

pesieve::AreaStatsCalculator
A class responsible for filling in the statistics with the data from the particular buffer.
Definition stats.h:73

pesieve::ArtefactScanner
A scanner for detection of artefacts related to PE implants in the process workingset.
Definition artefact_scanner.h:157

pesieve::MemPageData
Definition mempage_data.h:12

pesieve::MemPageData::loadMappedName
bool loadMappedName()
Definition mempage_data.cpp:44

pesieve::MemPageData::protection
DWORD protection
page protection
Definition mempage_data.h:42

pesieve::MemPageData::region_end
ULONGLONG region_end
Definition mempage_data.h:50

pesieve::MemPageData::alloc_base
ULONGLONG alloc_base
Definition mempage_data.h:48

pesieve::MemPageData::fillInfo
bool fillInfo()
Definition mempage_data.cpp:7

pesieve::MemPageData::loadModuleName
bool loadModuleName()
Definition mempage_data.cpp:30

pesieve::MemPageData::mapped_name
std::string mapped_name
if the region is mapped from a file, stores its file name
Definition mempage_data.h:52

pesieve::MemPageData::mapping_type
DWORD mapping_type
Definition mempage_data.h:45

pesieve::MemPageData::isInfoFilled
bool isInfoFilled()
Definition mempage_data.h:30

pesieve::MemPageData::start_va
ULONGLONG start_va
VA that was requested. May not be beginning of the region.
Definition mempage_data.h:40

pesieve::MemPageData::isRealMapping
bool isRealMapping()
Definition mempage_data.cpp:60

pesieve::MemPageData::region_start
ULONGLONG region_start
Definition mempage_data.h:49

pesieve::MemPageData::is_listed_module
bool is_listed_module
Definition mempage_data.h:46

pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15

pesieve::ProcessScanner::scanForHooks
static t_scan_status scanForHooks(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report, bool scan_data, bool scan_inaccessible)
Definition scanner.cpp:134

pesieve::ProcessScanner::scanForHollows
static t_scan_status scanForHollows(HANDLE hProcess, ModuleData &modData, RemoteModuleData &remoteModData, ProcessScanReport &process_report)
Definition scanner.cpp:78

pesieve::RemoteModuleData
Buffers the data from the module loaded in the scanned process into the local memory.
Definition module_data.h:123

pesieve::RemoteModuleData::isInitialized
bool isInitialized()
Definition module_data.h:145

pesieve::RuleMatcher::RULE_CODE
@ RULE_CODE
Definition stats_analyzer.h:36

pesieve::RuleMatcher::RULE_ENCRYPTED
@ RULE_ENCRYPTED
Definition stats_analyzer.h:39

pesieve::RuleMatcher::RULE_OBFUSCATED
@ RULE_OBFUSCATED
Definition stats_analyzer.h:38

pesieve::UnreachableModuleReport
Definition module_scan_report.h:95

pesieve::WorkingSetScanReport
A report from the working set scan, generated by WorkingSetScanner.
Definition workingset_scanner.h:29

pesieve::WorkingSetScanReport::custom_matched
std::vector< sig_finder::Match > custom_matched
Definition workingset_scanner.h:102

pesieve::WorkingSetScanReport::match_area_start
size_t match_area_start
Definition workingset_scanner.h:104

pesieve::WorkingSetScanReport::generateTags
size_t generateTags(const std::string &reportPath)
Definition workingset_scanner.cpp:45

pesieve::WorkingSetScanner::scanExecutableArea
WorkingSetScanReport * scanExecutableArea(MemPageData &memPageData)
Definition workingset_scanner.cpp:201

pesieve::WorkingSetScanner::isPotentiallyExecutable
bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode)
Definition workingset_scanner.cpp:168

pesieve::WorkingSetScanner::checkAreaContent
bool checkAreaContent(IN MemPageData &_memPage, OUT WorkingSetScanReport *my_report)
Definition workingset_scanner.cpp:68

pesieve::WorkingSetScanner::isScannedAsModule
bool isScannedAsModule(MemPageData &memPageData)
Definition workingset_scanner.cpp:242

pesieve::WorkingSetScanner::scanImg
bool scanImg(MemPageData &memPage)
Definition workingset_scanner.cpp:253

pesieve::WorkingSetScanner::isExecutable
bool isExecutable(MemPageData &memPageData)
Definition workingset_scanner.cpp:160

pesieve::WorkingSetScanner::scanRemote
virtual WorkingSetScanReport * scanRemote()
Definition workingset_scanner.cpp:306

pesieve.t_data_scan_mode
Definition pesieve.py:73

pesieve.t_shellc_mode
Definition pesieve.py:27

module_data.h

pesieve::matcher::find_all_patterns
size_t find_all_patterns(BYTE *loadedData, size_t loadedSize, std::vector< sig_finder::Match > &allMatches)
Definition artefacts_util.cpp:176

pesieve::matcher::filter_custom
size_t filter_custom(std::vector< sig_finder::Match > &allMatches, std::vector< sig_finder::Match > &customPatternMatches)
Definition artefacts_util.cpp:188

pesieve::matcher::is_matcher_ready
bool is_matcher_ready()
Definition artefacts_util.cpp:143

pesieve::stats::fillCodeStrings
size_t fillCodeStrings(OUT std::set< std::string > &codeStrings)
Definition stats_analyzer.cpp:118

pesieve::util
Definition artefact_scanner.cpp:12

pesieve::util::is_readable
bool is_readable(DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:115

pesieve::util::is_executable
bool is_executable(DWORD mapping_type, DWORD protection)
Definition artefacts_util.cpp:106

pesieve
Definition pesieve.py:1

pesieve::SCAN_NOT_SUSPICIOUS
@ SCAN_NOT_SUSPICIOUS
Definition module_scan_report.h:20

pesieve::SCAN_SUSPICIOUS
@ SCAN_SUSPICIOUS
Definition module_scan_report.h:21

pesieve::SCAN_ERROR
@ SCAN_ERROR
Definition module_scan_report.h:19

pesieve::match_to_tag
bool match_to_tag(std::ofstream &patch_report, const char delimiter, size_t start_offset, const sig_finder::Match &match)
Definition workingset_scanner.cpp:29

pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31

pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status

pesieve::is_by_stats
bool is_by_stats(const t_shellc_mode &shellc_mode)
Definition workingset_scanner.cpp:18

path_converter.h

SHELLC_STATS
@ SHELLC_STATS
detect shellcodes by stats
Definition pe_sieve_types.h:33

SHELLC_NONE
@ SHELLC_NONE
do not detect shellcode
Definition pe_sieve_types.h:31

SHELLC_PATTERNS_OR_STATS
@ SHELLC_PATTERNS_OR_STATS
detect shellcodes by patterns or stats (any match)
Definition pe_sieve_types.h:34

SHELLC_PATTERNS_AND_STATS
@ SHELLC_PATTERNS_AND_STATS
detect shellcodes by patterns and stats (both match)
Definition pe_sieve_types.h:35

PE_DATA_SCAN_INACCESSIBLE_ONLY
@ PE_DATA_SCAN_INACCESSIBLE_ONLY
scan inaccessible pages (if running in reflection mode)
Definition pe_sieve_types.h:88

OBFUSC_ANY
@ OBFUSC_ANY
detect both: possible strong or weak encryption
Definition pe_sieve_types.h:43

OBFUSC_WEAK_ENC
@ OBFUSC_WEAK_ENC
detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)
Definition pe_sieve_types.h:42

OBFUSC_STRONG_ENC
@ OBFUSC_STRONG_ENC
detect areas possibly encrypted with strong encryption
Definition pe_sieve_types.h:41

OBFUSC_NONE
@ OBFUSC_NONE
do not detect obfuscated contents
Definition pe_sieve_types.h:40

scanner.h

pesieve::MultiStatsSettings
Settings defining what type of stats should be collected.
Definition multi_stats.h:18

pesieve::MultiStatsSettings::watchedStrings
std::set< std::string > watchedStrings
Definition multi_stats.h:50

pesieve::RuleMatchersSet
Definition stats_analyzer.h:125

workingset_enum.h

workingset_scanner.h