[FEATURE] Moved symbols initialization into a separate class
hasherezade committed Jun 14, 2024
1 parent 82fb0d5 commit 75b3bc5
Showing 6 changed files with 83 additions and 29 deletions.
1 change: 1 addition & 0 deletions CMakeLists.txt
Expand Up @@ -180,6 +180,7 @@ set (utils_hdrs
utils/byte_buffer.h
utils/code_patterns.h
utils/custom_mutex.h
utils/process_symbols.h
)

set (params_info_hdrs
10 changes: 6 additions & 4 deletions scanners/scanner.cpp
Expand Up @@ -67,7 +67,7 @@ namespace pesieve {
};

pesieve::ProcessScanner::ProcessScanner(HANDLE procHndl, bool is_reflection, pesieve::t_params _args)
: args(_args), isDEP(false), isReflection(is_reflection)
: args(_args), isDEP(false), isReflection(is_reflection), symbols(procHndl)
{
this->processHandle = procHndl;
if (validate_param_str(args.modules_ignored)) {
Expand Down Expand Up @@ -470,6 +470,11 @@ size_t pesieve::ProcessScanner::scanModulesIATs(ProcessScanReport &pReport) //th

size_t pesieve::ProcessScanner::scanThreads(ProcessScanReport& pReport) //throws exceptions
{
if (!this->symbols.InitSymbols()) {
std::cerr << "Failed to initialize symbols!\n";
return 0;
}

const DWORD pid = pReport.pid; //original PID, not a reflection!

const bool is_64bit = pesieve::util::is_process_64bit(this->processHandle);
Expand All @@ -494,7 +499,6 @@ size_t pesieve::ProcessScanner::scanThreads(ProcessScanReport& pReport) //throws
}
}

ThreadScanner::InitSymbols(this->processHandle);
std::vector<thread_info>::iterator itr;
for (itr = threads_info.begin(); itr != threads_info.end(); ++itr) {
const thread_info &info = *itr;
Expand All @@ -503,8 +507,6 @@ size_t pesieve::ProcessScanner::scanThreads(ProcessScanReport& pReport) //throws
ThreadScanReport* report = scanner.scanRemote();
pReport.appendReport(report);
}
ThreadScanner::FreeSymbols(this->processHandle);

if (!args.quiet) {
const DWORD total_time = GetTickCount() - start_tick;
print_scan_time("Threads", total_time);
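Review bot: The early `return 0` in scanThreads when `symbols.InitSymbols()` fails (second hunk of this file) changes behaviour: before this commit the result of `ThreadScanner::InitSymbols` was ignored and the threads were still scanned, whereas now a dbghelp initialization failure skips the whole thread scan while returning the same value as a clean scan, so a caller cannot distinguish "no suspicious threads" from "thread scan not performed". At minimum the message should carry the reason, e.g. `std::cerr << "Failed to initialize symbols! Error: " << std::dec << GetLastError() << "\n";`, and the skipped scan should be visible in the report or the final summary rather than only on stderr. Note also that SymCleanup now runs in the ProcessScanner destructor instead of at the end of scanThreads, so the dbghelp state for processHandle stays alive for the whole lifetime of the scanner; that looks intended, but it is worth a comment at the InitSymbols call. scanThreads continues outside the hunk.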
2 changes: 2 additions & 0 deletions scanners/scanner.h
Expand Up @@ -7,6 +7,7 @@
#include <peconv.h>
#include "scan_report.h"
#include "module_data.h"
#include "../utils/process_symbols.h"

namespace pesieve {

Expand Down Expand Up @@ -50,6 +51,7 @@ namespace pesieve {
HANDLE processHandle;
bool isDEP;
const bool isReflection;
ProcessSymbolsManager symbols;
pesieve::t_params args;

std::set<std::string> ignoredModules;
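Review bot: The new member `ProcessSymbolsManager symbols;` is undocumented, and its lifetime is coupled to processHandle in a way the reader cannot see here: the manager keeps a copy of the handle passed in the constructor and calls SymCleanup on it from its destructor, so the handle must still be valid when ProcessScanner is destroyed (I cannot tell from this hunk who closes processHandle, so please confirm). I would add above the member: `//! dbghelp symbol state for processHandle; initialized lazily by scanThreads, released in the destructor (the handle must outlive this object)`. Since the constructor initializer list in scanner.cpp lists `args` before `symbols` while `symbols` is declared first here, the members are initialized in declaration order regardless; keeping the two orders in sync avoids reorder warnings.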
30 changes: 9 additions & 21 deletions scanners/thread_scanner.cpp
@@ -1,12 +1,10 @@
#include "thread_scanner.h"
#include <peconv.h>
#include "mempage_data.h"
#include "../utils/process_util.h"
#include "../utils/ntddk.h"
#include "../stats/stats.h"
#include "mempage_data.h"

#include <dbghelp.h>
#pragma comment(lib, "dbghelp")
#include "../utils/process_symbols.h"

#define ENTROPY_TRESHOLD 3.0
//#define NO_ENTROPY_CHECK
Expand Down Expand Up @@ -35,6 +33,7 @@ typedef struct _t_stack_enum_params {
}
} t_stack_enum_params;

//---

DWORD WINAPI enum_stack_thread(LPVOID lpParam)
{
Expand All @@ -59,6 +58,9 @@ DWORD WINAPI enum_stack_thread(LPVOID lpParam)
while (StackWalk64(IMAGE_FILE_MACHINE_AMD64, args->hProcess, args->hThread, &frame, args->ctx, NULL, SymFunctionTableAccess64, SymGetModuleBase64, NULL)) {
//std::cout << "Next Frame start:" << std::hex << frame.AddrPC.Offset << "\n";
const ULONGLONG next_addr = frame.AddrPC.Offset;
#ifdef _DEBUG
ProcessSymbolsManager::dumpSymbolInfo(args->hProcess, next_addr);
#endif
args->stack_frame.push_back(next_addr);
fetched++;
}
Expand All @@ -76,6 +78,9 @@ DWORD WINAPI enum_stack_thread(LPVOID lpParam)

while (StackWalk(IMAGE_FILE_MACHINE_I386, args->hProcess, args->hThread, &frame, args->ctx, NULL, SymFunctionTableAccess, SymGetModuleBase, NULL)) {
const ULONGLONG next_addr = frame.AddrPC.Offset;
#ifdef _DEBUG
ProcessSymbolsManager::dumpSymbolInfo(args->hProcess, next_addr);
#endif
args->stack_frame.push_back(next_addr);
fetched++;
}
Expand Down Expand Up @@ -332,23 +337,6 @@ bool pesieve::ThreadScanner::reportSuspiciousAddr(ThreadScanReport* my_report, U
return true;
}


bool pesieve::ThreadScanner::InitSymbols(HANDLE hProc)
{
if (SymInitialize(hProc, NULL, TRUE)) {
return true;
}
return false;
}

bool pesieve::ThreadScanner::FreeSymbols(HANDLE hProc)
{
if (SymCleanup(hProc)) {
return true;
}
return false;
}

// if extended info given, allow to filter out from the scan basing on the thread state and conditions
bool should_scan(const util::thread_info& info)
{
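Review bot: With InitSymbols/FreeSymbols removed from ThreadScanner, enum_stack_thread (second and third hunks) now silently depends on the caller having initialized dbghelp for `args->hProcess` before scanRemote runs, and nothing in this file states that; as far as I can tell the StackWalk64/StackWalk calls that pass SymFunctionTableAccess64/SymGetModuleBase64 would just yield a short or empty frame list rather than an error when symbols are not initialized, which would quietly weaken the stack-based detection. I would add above `DWORD WINAPI enum_stack_thread(LPVOID lpParam)`: `// Precondition: dbghelp symbols must be initialized for args->hProcess (ProcessSymbolsManager::InitSymbols); otherwise the walk yields few or no frames.`. The `#ifdef _DEBUG` calls to `ProcessSymbolsManager::dumpSymbolInfo` print one line per frame to std::cout from the enumeration thread; that is fine for debug builds, but it bypasses the quiet flag, so a short comment saying so would help. enum_stack_thread starts and ends outside the hunks.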
4 changes: 0 additions & 4 deletions scanners/thread_scanner.h
Expand Up @@ -88,10 +88,6 @@ namespace pesieve {
//! Stack-scan inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons
class ThreadScanner : public ProcessFeatureScanner {
public:
// neccessery to validly recognize stack frame
static bool InitSymbols(HANDLE hProc);
static bool FreeSymbols(HANDLE hProc);

ThreadScanner(HANDLE hProc, bool _isReflection, const util::thread_info& _info, ModulesInfo& _modulesInfo, peconv::ExportsMapper* _exportsMap)
: ProcessFeatureScanner(hProc), isReflection(_isReflection),
info(_info), modulesInfo(_modulesInfo), exportsMap(_exportsMap)
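--- a/utils/process_symbols.h
+++ b/utils/process_symbols.h
@@ -0,0 +1,65 @@
+#pragma once
+
+#include <windows.h>
+#include <dbghelp.h>
+#pragma comment(lib, "dbghelp")
+
+class ProcessSymbolsManager
+{
+public:
+ProcessSymbolsManager(HANDLE _hProcess)
+: hProcess(_hProcess), isInit(false)
+{
+}
+
+~ProcessSymbolsManager()
+{
+FreeSymbols();
+}
+
+bool InitSymbols()
+{
+if (!isInit) {
+SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEBUG | SYMOPT_INCLUDE_32BIT_MODULES);
+if (SymInitialize(hProcess, NULL, TRUE)) {
+isInit = true;
+}
+}
+return isInit;
+}
+
+//---
+
+static bool dumpSymbolInfo(HANDLE hProcess, ULONG_PTR addr)
+{
+CHAR buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME] = { 0 };
+PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer;
+pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
+pSymbol->MaxNameLen = MAX_SYM_NAME;
+DWORD64 Displacement = { 0 };
+
+BOOLEAN result = SymFromAddr(hProcess, addr, &Displacement, pSymbol);
+if (result) {
+std::cout << std::dec << "[" << GetProcessId(hProcess) << "]" << std::hex << addr << " Sym: " << pSymbol->ModBase << " : " << pSymbol->Name << " disp: " << Displacement
+<< " Flags: " << pSymbol->Flags << " Tag: " << pSymbol->Tag << std::endl;
+if (pSymbol->Flags == SYMFLAG_CLR_TOKEN) std::cout << "CLR token!\n";
+}
+else {
+std::cout << std::dec << "[" << GetProcessId(hProcess) << "]" << std::hex << addr << " UNK \n";
+}
+return true;
+}
+
+protected:
+bool FreeSymbols()
+{
+if (!isInit) return true;
+if (SymCleanup(hProcess)) {
+return true;
+}
+return false;
+}
+
+HANDLE hProcess;
+bool isInit;
+};
+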
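Review bot: ProcessSymbolsManager owns dbghelp state for hProcess and calls SymCleanup from its destructor, but it is implicitly copyable, so any copy (for example a ProcessScanner copied by value) would run SymCleanup twice on the same handle; add `ProcessSymbolsManager(const ProcessSymbolsManager&) = delete;` and `ProcessSymbolsManager& operator=(const ProcessSymbolsManager&) = delete;` next to the constructor. FreeSymbols should also reset `isInit = false;` after a successful SymCleanup so the object never reports symbols as initialized after they have been released. The header uses std::cout, std::hex and std::dec but does not include <iostream>, so it only compiles when the including file happened to pull it in; add `#include <iostream>` after the Windows headers. Finally, SymSetOptions is process-wide and SYMOPT_DEBUG enables dbghelp diagnostic output, which may be noisier than intended in release builds and affects any other dbghelp user in the process, so it is worth confirming that is wanted and noting it in a comment.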