[FEATURE] Report the name of the hook's target module

hasherezade · Dec 16, 2018 · 2a8345b · 2a8345b
1 parent 8d9e209
commit 2a8345b
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 12 deletions.
diff --git a/pe_sieve.h b/pe_sieve.h
@@ -8,8 +8,8 @@
 #include "scanners/scan_report.h"
 #include "postprocessors/report_formatter.h"
 
-static char PESIEVE_VERSION[] = "0.1.5.5";
-static DWORD PESIEVE_VERSION_ID = 0x00010505; // 00 01 05 05
+static char PESIEVE_VERSION[] = "0.1.5.6";
+static DWORD PESIEVE_VERSION_ID = 0x00010506; // 00 01 05 06
 static char PESIEVE_URL[] = "https://github.com/hasherezade/pe-sieve";
 
 std::string info();

diff --git a/scanners/patch_list.cpp b/scanners/patch_list.cpp
@@ -21,7 +21,15 @@ std::string PatchList::Patch::getFormattedName()
 	}
 	if (this->hookTargetModule) {
 		ULONGLONG diff = hookTargetVA - hookTargetModule;
-		stream << "[" << std::hex << hookTargetModule << "+" << diff << ":" << isTargetSuspicious << "]";
+		stream << "[";
+		if (hookTargetModName.length() > 0) {
+			stream << hookTargetModName;
+		}
+		else {
+			stream << std::hex << hookTargetModule;
+		}
+		stream << "+" << diff << ":" << isTargetSuspicious;
+		stream << "]";
 	}
 	return stream.str();
 }

diff --git a/scanners/patch_list.h b/scanners/patch_list.h
@@ -33,13 +33,14 @@ class PatchList {
 			return hookTargetVA;
 		}
 
-		bool setHookTargetInfo(ULONGLONG targetModuleBase, bool isSuspiocious)
+		bool setHookTargetInfo(ULONGLONG targetModuleBase, bool isSuspiocious, std::string targetModuleName)
 		{
 			if (!isHook || targetModuleBase == 0 || targetModuleBase > this->hookTargetVA) {
 				return false;
 			}
 			this->hookTargetModule = targetModuleBase;
 			this->isTargetSuspicious = isSuspiocious;
+			this->hookTargetModName = targetModuleName;
 			return true;
 		}
 
@@ -61,6 +62,7 @@ class PatchList {
 
 		ULONGLONG hookTargetModule;
 		bool isTargetSuspicious;
+		std::string hookTargetModName;
 
 	friend class PatchList;
 	friend class PatchAnalyzer;

diff --git a/scanners/scanner.cpp b/scanners/scanner.cpp
@@ -66,35 +66,37 @@ struct ScannedModuleInfo {
 	ULONGLONG moduleAddr;
 	size_t moduleSize;
 	bool isSuspicious;
+	std::string moduleName;
 };
 
 bool findModuleByAddr(std::map<ULONGLONG, ScannedModuleInfo> &modulesMap, PatchList::Patch* currPatch)
 {
 	if (!currPatch) return nullptr;
 	ULONGLONG searchedAddr = currPatch->getHookTargetVA();
 	if (searchedAddr == 0) return nullptr;
-
+#ifdef _DEBUG
 	std::cout << "Searching hook address: " << std::hex << searchedAddr << std::endl;
+#endif
 	std::map<ULONGLONG, ScannedModuleInfo>::iterator itr1;
 	std::map<ULONGLONG, ScannedModuleInfo>::iterator lastEl = modulesMap.lower_bound(searchedAddr);
 	for (itr1 = modulesMap.begin(); itr1 != lastEl; itr1++) {
 		ScannedModuleInfo &modInfo = itr1->second;
 		ULONGLONG begin = modInfo.moduleAddr;
 		ULONGLONG end = modInfo.moduleSize + begin;
-
+#ifdef _DEBUG
 		std::cout << "Searching hook in module: " << std::hex << begin << std::endl;
-
+#endif
 		if (searchedAddr >= begin && searchedAddr < end) {
 			DWORD searchedRVA = DWORD(searchedAddr - begin);
 			std::cout << "[+] Address found in module: " << std::hex << modInfo.moduleAddr << std::endl;
-			currPatch->setHookTargetInfo(modInfo.moduleAddr, modInfo.isSuspicious);
+			currPatch->setHookTargetInfo(modInfo.moduleAddr, modInfo.isSuspicious, modInfo.moduleName);
 			return true;
 		}
 	}
 	return false;
 }
 
-size_t mapScannedModules(IN ProcessScanReport& process_report, OUT std::map<ULONGLONG, ScannedModuleInfo> &modulesMap)
+size_t mapScannedModules(IN ProcessScanReport& process_report, IN HANDLE hProcess, OUT std::map<ULONGLONG, ScannedModuleInfo> &modulesMap)
 {
 	std::vector<ModuleScanReport*>::iterator modItr;
 	for (modItr = process_report.module_reports.begin(); modItr != process_report.module_reports.end(); modItr++) {
@@ -111,20 +113,22 @@ size_t mapScannedModules(IN ProcessScanReport& process_report, OUT std::map<ULON
 				continue; //already have this module listed as suspicious
 			}
 		}
+		char moduleName[MAX_PATH] = { 0 };
+		if (GetModuleBaseNameA(hProcess, (HMODULE)modInfo.moduleAddr, moduleName, sizeof(moduleName))) {
+			modInfo.moduleName = moduleName;
+		}
 		modulesMap[modInfo.moduleAddr] = modInfo;
 	}
 	return modulesMap.size();
 }
 
-
 bool ProcessScanner::resolveHooksTargets(ProcessScanReport& process_report)
 {
 	//map all the scanned modules:
 	std::map<ULONGLONG, ScannedModuleInfo> modulesMap;
-	if (!mapScannedModules(process_report, modulesMap)) {
+	if (!mapScannedModules(process_report, this->processHandle, modulesMap)) {
 		std::cout << "Failed to map modules!\n";
 	}
-	std::cout << "Modules mapped, processing code scans!\n";
 	//TODO: map all modules
 	const std::set<ModuleScanReport*> &code_reports = process_report.reportsByType[ProcessScanReport::REPORT_CODE_SCAN];
 	std::set<ModuleScanReport*>::iterator cItr;