[REFACT] Refactored thread scanning function. Limit accepted wait rea…

…sons
hasherezade · Sep 2, 2024 · 18ac081 · 18ac081
1 parent f256c57
commit 18ac081
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 45 deletions.
diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
@@ -406,73 +406,40 @@ bool should_scan_context(const util::thread_info& info)
 	if (state == Terminated) {
 		return false;
 	}
-	if (state == Waiting) {
+	if (state == Waiting && info.ext.wait_reason <= WrQueue) {
 		return true;
 	}
 	return false;
 }
 
-ThreadScanReport* pesieve::ThreadScanner::scanRemote()
+bool pesieve::ThreadScanner::scanRemoteThreadCtx(HANDLE hThread, ThreadScanReport* my_report)
 {
-	ThreadScanReport* my_report = new ThreadScanReport(info.tid);
-	if (!my_report) return nullptr;
-
-#ifdef _SHOW_THREAD_INFO
-	printThreadInfo(info);
-#endif // _SHOW_THREAD_INFO
-
-	bool is_shc = isAddrInShellcode(info.start_addr);
-	if (is_shc) {
-		if (reportSuspiciousAddr(my_report, info.start_addr)) {
-			if (my_report->status == SCAN_SUSPICIOUS) {
-				return my_report;
-			}
-		}
-	}
-	if (!should_scan_context(info)) {
-		my_report->status = SCAN_NOT_SUSPICIOUS;
-		return my_report;
-	}
-	// proceed with detailed checks:
-	HANDLE hThread = OpenThread(
-		THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION | SYNCHRONIZE,
-		FALSE,
-		info.tid
-	);
-	if (!hThread) {
-#ifdef _DEBUG
-		std::cerr << "[-] Could not OpenThread. Error: " << GetLastError() << std::endl;
-#endif
-		my_report->status = SCAN_ERROR;
-		return my_report;
-	}
 	const DWORD tid = GetThreadId(hThread);
 	ctx_details cDetails = { 0 };
 	const bool is_ok = fetchThreadCtxDetails(processHandle, hThread, cDetails);
 
 	DWORD exit_code = 0;
 	GetExitCodeThread(hThread, &exit_code);
-	CloseHandle(hThread);
 
 	if (exit_code != STILL_ACTIVE) {
 #ifdef _DEBUG
 		std::cout << " ExitCode: " << std::dec << exit_code << "\n";
 #endif
 		my_report->status = SCAN_NOT_SUSPICIOUS;
-		return my_report;
+		return false;
 	}
 
 	if (!is_ok) {
 		// could not fetch the thread context and information
 		my_report->status = SCAN_ERROR;
-		return my_report;
+		return false;
 	}
 
-	is_shc = isAddrInShellcode(cDetails.rip);
+	bool is_shc = isAddrInShellcode(cDetails.rip);
 	if (is_shc) {
 		if (reportSuspiciousAddr(my_report, cDetails.rip)) {
 			if (my_report->status == SCAN_SUSPICIOUS) {
-				return my_report;
+				return true;
 			}
 		}
 	}
@@ -488,7 +455,7 @@ ThreadScanReport* pesieve::ThreadScanner::scanRemote()
 #ifdef _SHOW_THREAD_INFO
 				std::cout << "Found! " << std::hex << addr << "\n";
 #endif //_SHOW_THREAD_INFO
-				return my_report;
+				return true;
 			}
 		}
 	}
@@ -504,21 +471,21 @@ ThreadScanReport* pesieve::ThreadScanner::scanRemote()
 #endif //_SHOW_THREAD_INFO
 		if (is_shc && reportSuspiciousAddr(my_report, (ULONGLONG)ret_addr)) {
 			if (my_report->status == SCAN_SUSPICIOUS) {
-				return my_report;
+				return true;
 			}
 			my_report->status = SCAN_SUSPICIOUS;
 			my_report->stack_ptr = cDetails.rsp;
 			if (my_report->stats.entropy < 1) { // discard, do not dump
 				my_report->module = 0;
 				my_report->moduleSize = 0;
 			}
-			return my_report;
+			return true;
 		}
 	}
 
 	const bool hasEmptyGUI = has_empty_gui_info(tid);
-	if (hasEmptyGUI && 
-		cDetails.stackFramesCount == 1 
+	if (hasEmptyGUI &&
+		cDetails.stackFramesCount == 1
 		&& this->info.is_extended && info.ext.state == Waiting && info.ext.wait_reason == UserRequest)
 	{
 		my_report->thread_state = info.ext.state;
@@ -527,5 +494,45 @@ ThreadScanReport* pesieve::ThreadScanner::scanRemote()
 		my_report->stack_ptr = cDetails.rsp;
 		my_report->status = SCAN_SUSPICIOUS;
 	}
+	return true;
+}
+
+
+ThreadScanReport* pesieve::ThreadScanner::scanRemote()
+{
+	ThreadScanReport* my_report = new ThreadScanReport(info.tid);
+	if (!my_report) return nullptr;
+
+#ifdef _SHOW_THREAD_INFO
+	printThreadInfo(info);
+#endif // _SHOW_THREAD_INFO
+
+	bool is_shc = isAddrInShellcode(info.start_addr);
+	if (is_shc) {
+		if (reportSuspiciousAddr(my_report, info.start_addr)) {
+			if (my_report->status == SCAN_SUSPICIOUS) {
+				return my_report;
+			}
+		}
+	}
+	if (!should_scan_context(info)) {
+		my_report->status = SCAN_NOT_SUSPICIOUS;
+		return my_report;
+	}
+	// proceed with detailed checks:
+	HANDLE hThread = OpenThread(
+		THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION | SYNCHRONIZE,
+		FALSE,
+		info.tid
+	);
+	if (!hThread) {
+#ifdef _DEBUG
+		std::cerr << "[-] Could not OpenThread. Error: " << GetLastError() << std::endl;
+#endif
+		my_report->status = SCAN_ERROR;
+		return my_report;
+	}
+	scanRemoteThreadCtx(hThread, my_report);
+	CloseHandle(hThread);
 	return my_report;
 }
diff --git a/scanners/thread_scanner.h b/scanners/thread_scanner.h
@@ -139,7 +139,7 @@ namespace pesieve {
 		virtual ThreadScanReport* scanRemote();
 
 	protected:
-
+		bool scanRemoteThreadCtx(HANDLE hThread, ThreadScanReport* my_report);
 		bool isAddrInShellcode(ULONGLONG addr);
 		void printThreadInfo(const util::thread_info& threadi);
 		bool printResolvedAddr(ULONGLONG addr);