PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
workingset_scanner.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <psapi.h>
5#include <map>
6
7#include <peconv.h>
8#include "module_scan_report.h"
9#include "mempage_data.h"
10#include "scan_report.h"
11
12#include "../utils/format_util.h"
13#include "../utils/workingset_enum.h"
14#include "process_feature_scanner.h"
15#include "process_details.h"
16
17#define CALC_PAGE_STATS
18#ifdef CALC_PAGE_STATS
19#include "../stats/multi_stats.h"
20#include "../stats/stats_analyzer.h"
21#endif
22
23#include <sig_finder.h>
24
25namespace pesieve {
26
28 class WorkingSetScanReport : public ModuleScanReport
29 {
30 public:
31 WorkingSetScanReport(HMODULE _module, size_t _moduleSize, t_scan_status status)
32 : ModuleScanReport(_module, _moduleSize, status)
33 {
34 is_executable = false;
35 is_listed_module = false;
36 protection = 0;
37 has_pe = false; //not a PE file
38 has_shellcode = true;
39 mapping_type = 0;
40 match_area_start = 0;
41 all_matched_count = 0;
42 }
43
44 const virtual bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
45 {
46 OUT_PADDED(outs, level, "\"workingset_scan\" : {\n");
47 fieldsToJSON(outs, level + 1, jdetails);
48 outs << "\n";
49 OUT_PADDED(outs, level, "}");
50 return true;
51 }
52
53 const virtual void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
54 {
55 ModuleScanReport::_toJSON(outs, level);
56 outs << ",\n";
57 OUT_PADDED(outs, level, "\"has_pe\" : ");
58 outs << std::dec << has_pe;
59 outs << ",\n";
60 OUT_PADDED(outs, level, "\"has_shellcode\" : ");
61 outs << std::dec << has_shellcode;
62 if (!is_executable) {
63 outs << ",\n";
64 OUT_PADDED(outs, level, "\"is_executable\" : ");
65 outs << std::dec << is_executable;
66 }
67 outs << ",\n";
68 OUT_PADDED(outs, level, "\"is_listed_module\" : ");
69 outs << std::dec << is_listed_module;
70 outs << ",\n";
71 OUT_PADDED(outs, level, "\"protection\" : ");
72 outs << "\"" << std::hex << protection << "\"";
73 outs << ",\n";
74 OUT_PADDED(outs, level, "\"mapping_type\" : ");
75 outs << "\"" << translate_mapping_type(mapping_type) << "\"";
76 if (mapping_type == MEM_IMAGE || mapping_type == MEM_MAPPED) {
77 outs << ",\n";
78 OUT_PADDED(outs, level, "\"mapped_name\" : ");
79 outs << "\"" << pesieve::util::escape_path_separators(mapped_name) << "\"";
80 }
81 patternsToJSON(outs, level, jdetails);
82#ifdef CALC_PAGE_STATS
83 if (stats.isFilled()) {
84 outs << ",\n";
85 stats.toJSON(outs, level);
86 if (area_info.hasAnyMatch()) {
87 outs << ",\n";
88 area_info.toJSON(outs, level);
89 }
90 }
91#endif
92 }
93
94 size_t generateTags(const std::string &reportPath);
95
96 bool is_executable;
97 bool is_listed_module;
98 bool has_pe;
99 bool has_shellcode;
100
101 util::ByteBuffer data_cache;
102 std::vector<sig_finder::Match> custom_matched;
103 size_t all_matched_count;
104 size_t match_area_start;
105#ifdef CALC_PAGE_STATS
106 AreaMultiStats stats;
107 AreaInfo area_info;
108#endif
109 DWORD protection;
110 DWORD mapping_type;
111 std::string mapped_name; //if the region is mapped from a file
112
113 protected:
114 static std::string translate_mapping_type(DWORD type)
115 {
116 switch (type) {
117 case MEM_PRIVATE: return "MEM_PRIVATE";
118 case MEM_MAPPED: return "MEM_MAPPED";
119 case MEM_IMAGE: return "MEM_IMAGE";
120 }
121 return "unknown";
122 }
124
125 const void patternsToJSON(std::stringstream& outs, size_t level, const pesieve::t_json_level& jdetails)
126 {
127 if (!all_matched_count) {
128 return;
129 }
130 outs << ",\n";
131 OUT_PADDED(outs, level, "\"patterns\" : {\n");
132 const size_t level2 = level + 1;
133 OUT_PADDED(outs, level2, "\"total_matched\" : ");
134 outs << std::dec << all_matched_count;
135 if (custom_matched.size()) {
136 outs << ",\n";
137 OUT_PADDED(outs, level2, "\"custom_matched\" : ");
138 outs << std::dec << custom_matched.size();
139 }
140 outs << "\n";
141 OUT_PADDED(outs, level, "}");
142 }
143 };
144
145
147 class WorkingSetScanner : public ProcessFeatureScanner {
148 public:
149 WorkingSetScanner(HANDLE _procHndl, process_details _proc_details, const util::mem_region_info _mem_region, pesieve::t_params _args, ProcessScanReport& _process_report)
150 : ProcessFeatureScanner(_procHndl), pDetails(_proc_details),
151 memRegion(_mem_region),
152 args(_args),
153 processReport(_process_report)
154 {
155 }
156
157 virtual ~WorkingSetScanner() {}
158
159 virtual WorkingSetScanReport* scanRemote();
160
161 protected:
162 bool scanImg(MemPageData& memPage);
163 bool isScannedAsModule(MemPageData &memPageData);
164
165 bool isExecutable(MemPageData &memPageData);
166 bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode);
167 bool checkAreaContent(IN MemPageData& _memPage, OUT WorkingSetScanReport* my_report);
168 WorkingSetScanReport* scanExecutableArea(MemPageData &memPageData);
169
170 const process_details pDetails;
171 const util::mem_region_info memRegion;
172
173 ProcessScanReport& processReport;
174 pesieve::t_params args;
175 };
176
177}; //namespace pesieve
pesieve::AreaStats::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level)
Definition stats.h:49
pesieve::MemPageData
Definition mempage_data.h:12
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ModuleScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:64
pesieve::ProcessFeatureScanner
A base class for all the scanners checking appropriate process' features.
Definition process_feature_scanner.h:12
pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19
pesieve::WorkingSetScanReport
A report from the working set scan, generated by WorkingSetScanner.
Definition workingset_scanner.h:29
pesieve::WorkingSetScanReport::custom_matched
std::vector< sig_finder::Match > custom_matched
Definition workingset_scanner.h:102
pesieve::WorkingSetScanReport::patternsToJSON
const void patternsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition workingset_scanner.h:125
pesieve::WorkingSetScanReport::translate_mapping_type
static std::string translate_mapping_type(DWORD type)
Definition workingset_scanner.h:114
pesieve::WorkingSetScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition workingset_scanner.h:44
pesieve::WorkingSetScanReport::generateTags
size_t generateTags(const std::string &reportPath)
Definition workingset_scanner.cpp:46
pesieve::WorkingSetScanReport::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition workingset_scanner.h:53
pesieve::WorkingSetScanReport::WorkingSetScanReport
WorkingSetScanReport(HMODULE _module, size_t _moduleSize, t_scan_status status)
Definition workingset_scanner.h:31
pesieve::WorkingSetScanner
A scanner for detection of code implants in the process workingset.
Definition workingset_scanner.h:147
pesieve::WorkingSetScanner::scanExecutableArea
WorkingSetScanReport * scanExecutableArea(MemPageData &memPageData)
Definition workingset_scanner.cpp:202
pesieve::WorkingSetScanner::isPotentiallyExecutable
bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode)
Definition workingset_scanner.cpp:169
pesieve::WorkingSetScanner::processReport
ProcessScanReport & processReport
Definition workingset_scanner.h:173
pesieve::WorkingSetScanner::pDetails
const process_details pDetails
Definition workingset_scanner.h:170
pesieve::WorkingSetScanner::checkAreaContent
bool checkAreaContent(IN MemPageData &_memPage, OUT WorkingSetScanReport *my_report)
Definition workingset_scanner.cpp:69
pesieve::WorkingSetScanner::isScannedAsModule
bool isScannedAsModule(MemPageData &memPageData)
Definition workingset_scanner.cpp:243
pesieve::WorkingSetScanner::WorkingSetScanner
WorkingSetScanner(HANDLE _procHndl, process_details _proc_details, const util::mem_region_info _mem_region, pesieve::t_params _args, ProcessScanReport &_process_report)
Definition workingset_scanner.h:149
pesieve::WorkingSetScanner::memRegion
const util::mem_region_info memRegion
Definition workingset_scanner.h:171
pesieve::WorkingSetScanner::scanImg
bool scanImg(MemPageData &memPage)
Definition workingset_scanner.cpp:254
pesieve::WorkingSetScanner::isExecutable
bool isExecutable(MemPageData &memPageData)
Definition workingset_scanner.cpp:161
pesieve::WorkingSetScanner::scanRemote
virtual WorkingSetScanReport * scanRemote()
Definition workingset_scanner.cpp:307
pesieve.t_data_scan_mode
Definition pesieve.py:73
pesieve.t_json_level
Definition pesieve.py:82
pesieve.t_params
Definition pesieve.py:100
format_util.h
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
mempage_data.h
module_scan_report.h
multi_stats.h
pesieve::util::escape_path_separators
std::string escape_path_separators(std::string path)
Definition path_util.cpp:27
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
process_details.h
process_feature_scanner.h
scan_report.h
stats_analyzer.h
pesieve::_process_details
Definition process_details.h:8
pesieve::AreaInfo::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level)
Definition stats_analyzer.h:97
pesieve::util::_mem_region_info
Definition workingset_enum.h:18
workingset_enum.h
Generated by doxygen 1.12.0