Merge branch 'no_mfilter'

hasherezade · Jun 13, 2021 · 4eb3521 · 4eb3521
2 parents 1171907 + af37392
commit 4eb3521
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 50 deletions.
diff --git a/include/pe_sieve_types.h b/include/pe_sieve_types.h
@@ -72,7 +72,6 @@ namespace pesieve {
 
 	typedef struct {
 		DWORD pid;
-		DWORD modules_filter;
 		t_dotnet_policy dotnet_policy; // policy for scanning .NET modules
 		t_imprec_mode imprec_mode; //import recovery mode
 		bool quiet; // do not print log on the stdout

diff --git a/main.cpp b/main.cpp
@@ -21,7 +21,6 @@
 #define PARAM_SHELLCODE "shellc"
 #define PARAM_DATA "data"
 #define PARAM_IAT "iat"
-#define PARAM_MODULES_FILTER "mfilter"
 #define PARAM_MODULES_IGNORE "mignore"
 #define PARAM_REFLECTION "refl"
 #define PARAM_DOTNET_POLICY "dnet"
@@ -228,16 +227,6 @@ void print_shellc_param(int param_color)
 	std::cout << "\t: Detect shellcode implants. (By default it detects PE only).\n";
 }
 
-void print_module_filter_param(int param_color)
-{
-	print_param_in_color(param_color, PARAM_MODULES_FILTER);
-	std::cout << " <*mfilter_id>\n\t: Filter the scanned modules.\n";
-	std::cout << "*mfilter_id:\n";
-	for (DWORD i = 0; i <= LIST_MODULES_ALL; i++) {
-		std::cout << "\t" << i << " - " << translate_modules_filter(i) << "\n";
-	}
-}
-
 void print_mignore_param(int param_color)
 {
 	print_param_in_color(param_color, PARAM_MODULES_IGNORE);
@@ -325,10 +314,6 @@ void print_help(const std::string &filter = "")
 	scan_params[PARAM_SHELLCODE] = print_shellc_param;
 	scan_params[PARAM_DATA] = print_data_param;
 
-#ifdef _WIN64
-	scan_exclusions[PARAM_MODULES_FILTER] = print_module_filter_param;
-#endif
-
 	scan_exclusions[PARAM_MODULES_IGNORE] = print_mignore_param;
 	scan_exclusions[PARAM_DOTNET_POLICY] = print_dnet_param;
 
@@ -419,7 +404,6 @@ int main(int argc, char *argv[])
 	//---
 	bool info_req = false;
 	t_params args = { 0 };
-	args.modules_filter = LIST_MODULES_ALL;
 
 	//Parse parameters
 	for (int i = 1; i < argc; i++) {
@@ -468,15 +452,6 @@ int main(int argc, char *argv[])
 		{
 			continue;
 		}
-		else if (get_int_param<DWORD>(argc, argv, param, i,
-			PARAM_MODULES_FILTER,
-			args.modules_filter,
-			LIST_MODULES_ALL,
-			info_req,
-			print_module_filter_param))
-		{
-			continue;
-		}
 		else if (get_cstr_param(argc, argv, param, i,
 			PARAM_MODULES_IGNORE,
 			args.modules_ignored,
@@ -616,7 +591,6 @@ int main(int argc, char *argv[])
 	//---
 	if (!args.quiet) {
 		std::cout << "PID: " << args.pid << std::endl;
-		std::cout << "Modules filter: " << translate_modules_filter(args.modules_filter) << std::endl;
 		std::cout << "Output filter: " << translate_out_filter(args.out_filter) << std::endl;
 		std::cout << "Dump mode: " << translate_dump_mode(args.dump_mode) << std::endl;
 	}

diff --git a/params_info/pe_sieve_params_info.cpp b/params_info/pe_sieve_params_info.cpp
@@ -65,21 +65,6 @@ std::string pesieve::translate_dotnet_policy(const pesieve::t_dotnet_policy &mod
 	return "undefined";
 }
 
-std::string pesieve::translate_modules_filter(DWORD m_filter)
-{
-	switch (m_filter) {
-	case LIST_MODULES_DEFAULT:
-		return "no filter (as the scanner)";
-	case LIST_MODULES_32BIT:
-		return "32bit only";
-	case LIST_MODULES_64BIT:
-		return "64bit only";
-	case LIST_MODULES_ALL:
-		return "all accessible (default)";
-	}
-	return "undefined";
-}
-
 std::string pesieve::translate_data_mode(const pesieve::t_data_scan_mode &mode)
 {
 	switch (mode) {

diff --git a/scanners/headers_scanner.h b/scanners/headers_scanner.h
@@ -22,6 +22,9 @@ namespace pesieve {
 			bool is_replaced = isHdrReplaced();
 			ModuleScanReport::toJSON(outs, level);
 			outs << ",\n";
+			OUT_PADDED(outs, level, "\"is_connected_to_peb\" : ");
+			outs << isInPEB;
+			outs << ",\n";
 			OUT_PADDED(outs, level, "\"is_pe_replaced\" : ");
 			outs << is_replaced;
 			outs << ",\n";
@@ -39,7 +42,6 @@ namespace pesieve {
 			outs << ",\n";
 			OUT_PADDED(outs, level, "\"sec_hdr_modified\" : ");
 			outs << secHdrModified;
-
 			if (archMismatch) {
 				outs << ",\n";
 				OUT_PADDED(outs, level, "\"arch_mismatch\" : ");
@@ -71,6 +73,7 @@ namespace pesieve {
 		bool secHdrModified;
 		bool archMismatch; // the loaded module is of different architecture than the module read from the corresponding path
 		DWORD is64; // is the remote module 64bit
+		bool isInPEB;
 	};
 
 	class HeadersScanner : public ModuleScanner {

diff --git a/scanners/module_data.h b/scanners/module_data.h
@@ -12,8 +12,8 @@ namespace pesieve {
 	class ModuleData {
 
 	public:
-		ModuleData(HANDLE _processHandle, HMODULE _module)
-			: processHandle(_processHandle), moduleHandle(_module),
+		ModuleData(HANDLE _processHandle, HMODULE _module, bool _isPEBConnected)
+			: processHandle(_processHandle), moduleHandle(_module), isPEBConnected(_isPEBConnected),
 			is_module_named(false), original_size(0), original_module(nullptr),
 			is_dot_net(false)
 		{
@@ -63,6 +63,11 @@ namespace pesieve {
 			return static_cast<DWORD>(diff);
 		}
 
+		bool isModuleInPEBList()
+		{
+			return isPEBConnected;
+		}
+
 		bool isInitialized()
 		{
 			return original_module != nullptr;
@@ -93,6 +98,7 @@ namespace pesieve {
 		bool loadModuleName();
 		bool isDotNetManagedCode();
 		bool is_dot_net;
+		bool isPEBConnected;
 
 		friend class PeSection;
 	};

diff --git a/scanners/scanner.cpp b/scanners/scanner.cpp
@@ -47,6 +47,7 @@ t_scan_status pesieve::ProcessScanner::scanForHollows(HANDLE processHandle, Modu
 		}
 	}
 	scan_report->moduleFile = modData.szModName;
+	scan_report->isInPEB = modData.isModuleInPEBList();
 
 	t_scan_status is_suspicious = ModuleScanReport::get_scan_status(scan_report);
 	if (is_suspicious && !scan_report->isHdrReplaced()) {
@@ -257,8 +258,8 @@ ModuleScanReport* pesieve::ProcessScanner::scanForMappingMismatch(ModuleData& mo
 
 size_t pesieve::ProcessScanner::scanModules(ProcessScanReport &pReport)  //throws exceptions
 {
-	HMODULE hMods[1024];
-	const size_t modules_count = enum_modules(this->processHandle, hMods, sizeof(hMods), args.modules_filter);
+	HMODULE hMods[1024] = { 0 };
+	const size_t modules_count = enum_modules(this->processHandle, hMods, sizeof(hMods), LIST_MODULES_ALL);
 	if (modules_count == 0) {
 		return 0;
 	}
@@ -271,7 +272,7 @@ size_t pesieve::ProcessScanner::scanModules(ProcessScanReport &pReport)  //throw
 		if (processHandle == nullptr) break;
 
 		//load module from file:
-		ModuleData modData(processHandle, hMods[counter]);
+		ModuleData modData(processHandle, hMods[counter], true);
 		ModuleScanReport *mappingScanReport = this->scanForMappingMismatch(modData, pReport);
 
 		//load the original file to make the comparisons:
@@ -342,7 +343,7 @@ size_t pesieve::ProcessScanner::scanModulesIATs(ProcessScanReport &pReport) //th
 		return 0; // this feature cannot work without Exports Map
 	}
 	HMODULE hMods[1024];
-	const size_t modules_count = enum_modules(this->processHandle, hMods, sizeof(hMods), args.modules_filter);
+	const size_t modules_count = enum_modules(this->processHandle, hMods, sizeof(hMods), LIST_MODULES_ALL);
 	if (modules_count == 0) {
 		return 0;
 	}
@@ -352,7 +353,7 @@ size_t pesieve::ProcessScanner::scanModulesIATs(ProcessScanReport &pReport) //th
 		if (processHandle == nullptr) break;
 
 		//load module from file:
-		ModuleData modData(processHandle, hMods[counter]);
+		ModuleData modData(processHandle, hMods[counter], true);
 
 		// Don't scan modules that are in the ignore list
 		std::string plainName = peconv::get_file_name(modData.szModName);