[REFACT] Refactored symbol manager

hasherezade · Sep 1, 2024 · f28d1ad · f28d1ad
1 parent 31c2333
commit f28d1ad
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 14 deletions.
diff --git a/scanners/scanner.cpp b/scanners/scanner.cpp
@@ -67,9 +67,10 @@ namespace pesieve {
 };
 
 pesieve::ProcessScanner::ProcessScanner(HANDLE procHndl, bool is_reflection, pesieve::t_params _args)
-	: args(_args), isDEP(false), isReflection(is_reflection), symbols(procHndl)
+	: processHandle(procHndl), isDEP(false), isReflection(is_reflection),
+	args(_args)
 {
-	this->processHandle = procHndl;
+	symbols.InitSymbols(this->processHandle);
 	if (validate_param_str(args.modules_ignored)) {
 		pesieve::util::string_to_list(args.modules_ignored.buffer, PARAM_LIST_SEPARATOR, ignoredModules);
 	}
@@ -469,7 +470,7 @@ size_t pesieve::ProcessScanner::scanModulesIATs(ProcessScanReport &pReport) //th
 
 size_t pesieve::ProcessScanner::scanThreads(ProcessScanReport& pReport) //throws exceptions
 {
-	if (!this->symbols.InitSymbols()) {
+	if (!this->symbols.IsInitialized()) {
 		std::cerr << "Failed to initialize symbols!\n";
 		return 0;
 	}
@@ -506,7 +507,7 @@ size_t pesieve::ProcessScanner::scanThreads(ProcessScanReport& pReport) //throws
 	for (auto itr = threads_info.begin(); itr != threads_info.end(); ++itr) {
 		const thread_info &info = itr->second;
 
-		ThreadScanner scanner(this->processHandle, this->isReflection, info,  pReport.modulesInfo, pReport.exportsMap);
+		ThreadScanner scanner(this->processHandle, this->isReflection, info,  pReport.modulesInfo, pReport.exportsMap, &symbols);
 		ThreadScanReport* report = scanner.scanRemote();
 		pReport.appendReport(report);
 	}

diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
@@ -17,9 +17,11 @@ typedef struct _t_stack_enum_params {
 	const pesieve::thread_ctx* c;
 	std::vector<ULONGLONG> stack_frame;
 	bool is_ok;
+	ProcessSymbolsManager* symbols;
 
 	_t_stack_enum_params()
-		: hProcess(NULL), hThread(NULL), ctx(NULL), c(NULL), is_ok(false)
+		: hProcess(NULL), hThread(NULL), ctx(NULL), c(NULL), is_ok(false),
+		symbols(NULL)
 	{
 	}
 
@@ -59,7 +61,10 @@ DWORD WINAPI enum_stack_thread(LPVOID lpParam)
 			//std::cout << "Next Frame start:" << std::hex << frame.AddrPC.Offset << "\n";
 			const ULONGLONG next_addr = frame.AddrPC.Offset;
 #ifdef _DEBUG
-			ProcessSymbolsManager::dumpSymbolInfo(args->hProcess, next_addr);
+			if (args->symbols) {
+				args->symbols->dumpSymbolInfo(next_addr);
+			}
+
 #endif
 			args->stack_frame.push_back(next_addr);
 			fetched++;
@@ -79,7 +84,9 @@ DWORD WINAPI enum_stack_thread(LPVOID lpParam)
 		while (StackWalk(IMAGE_FILE_MACHINE_I386, args->hProcess, args->hThread, &frame, args->ctx, NULL, SymFunctionTableAccess, SymGetModuleBase, NULL)) {
 			const ULONGLONG next_addr = frame.AddrPC.Offset;
 #ifdef _DEBUG
-			ProcessSymbolsManager::dumpSymbolInfo(args->hProcess, next_addr);
+			if (args->symbols) {
+				args->symbols->dumpSymbolInfo(next_addr);
+			}
 #endif
 			args->stack_frame.push_back(next_addr);
 			fetched++;
@@ -133,6 +140,8 @@ size_t pesieve::ThreadScanner::enumStackFrames(IN HANDLE hProcess, IN HANDLE hTh
 {
 	// do it in a new thread to prevent stucking...
 	t_stack_enum_params args(hProcess, hThread, ctx, c);
+	args.symbols = this->symbols;
+
 	const size_t max_wait = 1000;
 	{
 		HANDLE enumThread = CreateThread(
@@ -321,6 +330,7 @@ bool pesieve::ThreadScanner::reportSuspiciousAddr(ThreadScanReport* my_report, U
 	if (this->info.is_extended) {
 		my_report->thread_state = info.ext.state;
 		my_report->thread_wait_reason = info.ext.wait_reason;
+		my_report->thread_wait_time = info.ext.wait_time;
 	}
 	my_report->module = (HMODULE)base;
 	my_report->moduleSize = page_info.RegionSize;

diff --git a/scanners/thread_scanner.h b/scanners/thread_scanner.h
@@ -4,6 +4,7 @@
 
 #include "module_scanner.h"
 #include "../utils/threads_util.h"
+#include "../utils/process_symbols.h"
 #include "../stats/stats.h"
 #include "../stats/entropy_stats.h"
 
@@ -20,7 +21,7 @@ namespace pesieve {
 			: ModuleScanReport(0, 0), 
 			tid(_tid), 
 			susp_addr(0), protection(0),
-			thread_state(THREAD_STATE_UNKNOWN), thread_wait_reason(0)
+			thread_state(THREAD_STATE_UNKNOWN), thread_wait_reason(0), thread_wait_time(0)
 		{
 		}
 
@@ -68,6 +69,7 @@ namespace pesieve {
 		DWORD protection;
 		DWORD thread_state;
 		DWORD thread_wait_reason;
+		DWORD thread_wait_time;
 		AreaEntropyStats stats;
 
 	protected:
@@ -89,9 +91,9 @@ namespace pesieve {
 	//!  Stack-scan inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons
 	class ThreadScanner : public ProcessFeatureScanner {
 	public:
-		ThreadScanner(HANDLE hProc, bool _isReflection, const util::thread_info& _info, ModulesInfo& _modulesInfo, peconv::ExportsMapper* _exportsMap)
+		ThreadScanner(HANDLE hProc, bool _isReflection, const util::thread_info& _info, ModulesInfo& _modulesInfo, peconv::ExportsMapper* _exportsMap, ProcessSymbolsManager* _symbols)
 			: ProcessFeatureScanner(hProc), isReflection(_isReflection),
-			info(_info), modulesInfo(_modulesInfo), exportsMap(_exportsMap)
+			info(_info), modulesInfo(_modulesInfo), exportsMap(_exportsMap), symbols(_symbols)
 		{
 		}
 
@@ -111,6 +113,7 @@ namespace pesieve {
 		const util::thread_info& info;
 		ModulesInfo& modulesInfo;
 		peconv::ExportsMapper* exportsMap;
+		ProcessSymbolsManager* symbols;
 	};
 
 }; //namespace pesieve
diff --git a/utils/process_symbols.h b/utils/process_symbols.h
@@ -7,8 +7,8 @@
 class ProcessSymbolsManager
 {
 public:
-	ProcessSymbolsManager(HANDLE _hProcess)
-		: hProcess(_hProcess), isInit(false)
+	ProcessSymbolsManager()
+		: hProcess(NULL), isInit(false)
 	{
 	}
 
@@ -17,9 +17,13 @@ class ProcessSymbolsManager
 		FreeSymbols();
 	}
 
-	bool InitSymbols()
+	bool InitSymbols(HANDLE _hProcess)
 	{
+		if (!_hProcess || _hProcess == INVALID_HANDLE_VALUE) {
+			return false;
+		}
 		if (!isInit) {
+			hProcess = _hProcess;
 			SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEBUG | SYMOPT_INCLUDE_32BIT_MODULES);
 			if (SymInitialize(hProcess, NULL, TRUE)) {
 				isInit = true;
@@ -28,10 +32,17 @@ class ProcessSymbolsManager
 		return isInit;
 	}
 
+	bool IsInitialized()
+	{
+		return isInit;
+	}
+
 	//---
 
-	static bool dumpSymbolInfo(HANDLE hProcess, ULONG_PTR addr)
+	bool dumpSymbolInfo(ULONG_PTR addr)
 	{
+		if (!isInit) return false;
+
 		CHAR buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME] = { 0 };
 		PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer;
 		pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
@@ -55,6 +66,7 @@ class ProcessSymbolsManager
 	{
 		if (!isInit) return true;
 		if (SymCleanup(hProcess)) {
+			isInit = false;
 			return true;
 		}
 		return false;