workingset_scanner.h

Go to the documentation of this file.

#pragma once
 
#include <windows.h>
#include <psapi.h>
#include <map>
 
#include <peconv.h>
#include "module_scan_report.h"
#include "mempage_data.h"
#include "scan_report.h"
 
#include "../utils/format_util.h"
#include "../utils/workingset_enum.h"
#include "process_feature_scanner.h"
#include "process_details.h"
 
#define CALC_PAGE_STATS
#ifdef CALC_PAGE_STATS
#include "../stats/multi_stats.h"
#include "../stats/stats_analyzer.h"
#endif
 
#include <sig_finder.h>
 
namespace pesieve {
 
    class WorkingSetScanReport : public ModuleScanReport
    {
    public:
        WorkingSetScanReport(HMODULE _module, size_t _moduleSize, t_scan_status status)
            : ModuleScanReport(_module, _moduleSize, status)
        {
            is_executable = false;
            is_listed_module = false;
            protection = 0;
            has_pe = false; //not a PE file
            has_shellcode = true;
            mapping_type = 0;
            match_area_start = 0;
            all_matched_count = 0;
        }
 
        const virtual bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
        {
            OUT_PADDED(outs, level, "\"workingset_scan\" : {\n");
            fieldsToJSON(outs, level + 1, jdetails);
            outs << "\n";
            OUT_PADDED(outs, level, "}");
            return true;
        }
 
        const virtual void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
        {
            ModuleScanReport::_toJSON(outs, level);
            outs << ",\n";
            OUT_PADDED(outs, level, "\"has_pe\" : ");
            outs << std::dec << has_pe;
            outs << ",\n";
            OUT_PADDED(outs, level, "\"has_shellcode\" : ");
            outs << std::dec << has_shellcode;
            if (!is_executable) {
                outs << ",\n";
                OUT_PADDED(outs, level, "\"is_executable\" : ");
                outs << std::dec << is_executable;
            }
            outs << ",\n";
            OUT_PADDED(outs, level, "\"is_listed_module\" : ");
            outs << std::dec << is_listed_module;
            outs << ",\n";
            OUT_PADDED(outs, level, "\"protection\" : ");
            outs << "\"" << std::hex << protection << "\"";         
            outs << ",\n";
            OUT_PADDED(outs, level, "\"mapping_type\" : ");
            outs << "\"" << translate_mapping_type(mapping_type) << "\"";
            if (mapping_type == MEM_IMAGE || mapping_type == MEM_MAPPED) {
                outs << ",\n";
                OUT_PADDED(outs, level, "\"mapped_name\" : ");
                outs << "\"" << pesieve::util::escape_path_separators(mapped_name) << "\"";
            }
            patternsToJSON(outs, level, jdetails);
#ifdef CALC_PAGE_STATS
            if (stats.isFilled()) {
                outs << ",\n";
                stats.toJSON(outs, level);
                if (area_info.hasAnyMatch()) {
                    outs << ",\n";
                    area_info.toJSON(outs, level);
                }
            }
#endif
        }
 
        size_t generateTags(const std::string &reportPath);
 
        bool is_executable;
        bool is_listed_module;
        bool has_pe;
        bool has_shellcode;
 
        util::ByteBuffer data_cache;
        std::vector<sig_finder::Match> custom_matched;
        size_t all_matched_count;
        size_t match_area_start;
#ifdef CALC_PAGE_STATS
        AreaMultiStats stats;
        AreaInfo area_info;
#endif
        DWORD protection;
        DWORD mapping_type;
        std::string mapped_name; //if the region is mapped from a file
 
    protected:
        static std::string translate_mapping_type(DWORD type)
        {
            switch (type) {
            case MEM_PRIVATE: return "MEM_PRIVATE";
            case MEM_MAPPED: return "MEM_MAPPED";
            case MEM_IMAGE: return "MEM_IMAGE";
            }
            return "unknown";
        }
 
        const void patternsToJSON(std::stringstream& outs, size_t level, const pesieve::t_json_level& jdetails)
        {
            if (!all_matched_count) {
                return;
            }
            outs << ",\n";
            OUT_PADDED(outs, level, "\"patterns\" : {\n");
            const size_t level2 = level + 1;
            OUT_PADDED(outs, level2, "\"total_matched\" : ");
            outs << std::dec << all_matched_count;
            if (custom_matched.size()) {
                outs << ",\n";
                OUT_PADDED(outs, level2, "\"custom_matched\" : ");
                outs << std::dec << custom_matched.size();
            }
            outs << "\n";
            OUT_PADDED(outs, level, "}");
        }
    };
 
 
    class WorkingSetScanner : public ProcessFeatureScanner {
    public:
        WorkingSetScanner(HANDLE _procHndl, process_details _proc_details, const util::mem_region_info _mem_region, pesieve::t_params _args, ProcessScanReport& _process_report)
            : ProcessFeatureScanner(_procHndl), pDetails(_proc_details),
            memRegion(_mem_region),
            args(_args),
            processReport(_process_report)
        {
        }
 
        virtual ~WorkingSetScanner() {}
 
        virtual WorkingSetScanReport* scanRemote();
 
    protected:
        bool scanImg(MemPageData& memPage);
        bool isScannedAsModule(MemPageData &memPageData);
 
        bool isExecutable(MemPageData &memPageData);
        bool isPotentiallyExecutable(MemPageData &memPageData, const t_data_scan_mode &mode);
        bool checkAreaContent(IN MemPageData& _memPage, OUT WorkingSetScanReport* my_report);
        WorkingSetScanReport* scanExecutableArea(MemPageData &memPageData);
 
        const process_details pDetails;
        const util::mem_region_info memRegion;
 
        ProcessScanReport& processReport;
        pesieve::t_params args;
    };
 
}; //namespace pesieve