From 8895093fd805acb179891aa78fdab002d521cb75 Mon Sep 17 00:00:00 2001
From: hasherezade
Date: Sun, 1 Sep 2024 08:30:34 -0700
Subject: [PATCH] [REFACT] Renamed a structure

---
 scanners/thread_scanner.cpp | 12 ++++++------
 scanners/thread_scanner.h | 8 ++++----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
index f65ed0284..12cd1242f 100644
--- a/scanners/thread_scanner.cpp
+++ b/scanners/thread_scanner.cpp
@@ -14,7 +14,7 @@ typedef struct _t_stack_enum_params {
 HANDLE hProcess;
 HANDLE hThread;
 LPVOID ctx;
- const pesieve::thread_ctx* c;
+ const pesieve::ctx_details* c;
 std::vector stack_frame;
 bool is_ok;
 ProcessSymbolsManager* symbols;
@@ -25,7 +25,7 @@ typedef struct _t_stack_enum_params {
 {
 }
 
- _t_stack_enum_params(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN const pesieve::thread_ctx& c)
+ _t_stack_enum_params(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN const pesieve::ctx_details& c)
 {
 this->hProcess = hProcess;
 this->hThread = hThread;
@@ -45,7 +45,7 @@ DWORD WINAPI enum_stack_thread(LPVOID lpParam)
 }
 size_t fetched = 0;
 bool in_shc = false;
- const pesieve::thread_ctx& c = *(args->c);
+ const pesieve::ctx_details& c = *(args->c);
 #ifdef _WIN64
 if (c.is64b) {
 STACKFRAME64 frame = { 0 };
@@ -136,7 +136,7 @@ std::string ThreadScanReport::translate_thread_state(DWORD thread_state)
 
 //---
 
-size_t pesieve::ThreadScanner::enumStackFrames(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT thread_ctx& c)
+size_t pesieve::ThreadScanner::enumStackFrames(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT ctx_details& c)
 {
 // do it in a new thread to prevent stucking...
 t_stack_enum_params args(hProcess, hThread, ctx, c);
@@ -204,7 +204,7 @@ size_t pesieve::ThreadScanner::enumStackFrames(IN HANDLE hProcess, IN HANDLE hTh
 return cntr;
 }
 
-bool pesieve::ThreadScanner::fetchThreadCtx(IN HANDLE hProcess, IN HANDLE hThread, OUT thread_ctx& c)
+bool pesieve::ThreadScanner::fetchThreadCtx(IN HANDLE hProcess, IN HANDLE hThread, OUT ctx_details& c)
 {
 bool is_ok = false;
 BOOL is_wow64 = FALSE;
@@ -428,7 +428,7 @@ ThreadScanReport* pesieve::ThreadScanner::scanRemote()
 return nullptr;
 }
 
- thread_ctx ctx = { 0 };
+ ctx_details ctx = { 0 };
 const bool is_ok = fetchThreadCtx(processHandle, hThread, ctx);
 DWORD exit_code = 0;
 
diff --git a/scanners/thread_scanner.h b/scanners/thread_scanner.h
index 5bc96d679..8f52c8002 100644
--- a/scanners/thread_scanner.h
+++ b/scanners/thread_scanner.h
@@ -78,14 +78,14 @@ namespace pesieve {
 };
 
 //! A custom structure keeping a fragment of a thread context
- typedef struct _thread_ctx {
+ typedef struct _ctx_details {
 bool is64b;
 ULONGLONG rip;
 ULONGLONG rsp;
 ULONGLONG rbp;
 ULONGLONG ret_addr; // the last return address on the stack (or the address of the first shellcode)
 bool is_managed; // does it contain .NET modules
- } thread_ctx;
+ } ctx_details;
 
 //! A scanner for threads
 //! Stack-scan inspired by the idea presented here: https://github.com/thefLink/Hunt-Sleeping-Beacons
@@ -104,8 +104,8 @@ namespace pesieve {
 bool isAddrInShellcode(ULONGLONG addr);
 void printInfo(const util::thread_info& threadi);
 bool resolveAddr(ULONGLONG addr);
- bool fetchThreadCtx(IN HANDLE hProcess, IN HANDLE hThread, OUT thread_ctx& c);
- size_t enumStackFrames(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT thread_ctx& c);
+ bool fetchThreadCtx(IN HANDLE hProcess, IN HANDLE hThread, OUT ctx_details& c);
+ size_t enumStackFrames(IN HANDLE hProcess, IN HANDLE hThread, IN LPVOID ctx, IN OUT ctx_details& c);
 bool fillAreaStats(ThreadScanReport* my_report);
 bool reportSuspiciousAddr(ThreadScanReport* my_report, ULONGLONG susp_addr);