#define WIN32_LEAN_AND_MEAN
#ifndef _WIN64
#undef USE_ETW //ETW support works only for 64 bit
#endif //_WIN64
#if (_MSC_VER < 1900)
#undef USE_ETW //ETW not supported
#endif
#include <iostream>
#include <memory>
#include <string>
#include <pe_sieve_types.h>
#include <pe_sieve_return_codes.h>
#include "color_scheme.h"
#include "hh_scanner.h"
#include "params_info/params.h"
#include "util/process_privilege.h"
#include "util/strings_util.h"
#include "hh_ver_short.h"
using namespace hhunter::util;
// Global arguments: initialised and filled from the command line in main()
// (HHParams::fillStruct), read by deploy_scan()/HHScanner, and released with
// HHParams::freeStruct() on the normal exit path.
t_hh_params g_hh_args;
#ifdef USE_ETW
#include "etw_listener.h"
#endif
/// Prints the scanner/OS bitness mismatch warning in WARNING_COLOR.
///
/// deploy_scan() calls this after every pass for which
/// HHScanner::isScannerCompatibile() returns false. The pass has already
/// run at that point, so a "not detected" result printed alongside this
/// warning should be treated as possibly incomplete, not as clean.
void compatibility_alert()
{
    static const char kMismatchMsg[] =
        "[!] Scanner mismatch! For a 64-bit OS, use the 64-bit version of the scanner!\n";
    print_in_color(WARNING_COLOR, kMismatchMsg);
}
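/// Runs the scan selected by g_hh_args and returns the overall outcome.
///
/// Two modes, chosen by g_hh_args.etw_scan:
///  - ETW mode (USE_ETW builds only): loads the "HH_ETWProfile.ini" profile
///    and hands control to ETWstart(). Returns PESIEVE_ERROR if the profile
///    is empty, if ETWstart() fails, or if this build has no ETW support.
///  - Classic mode: runs HHScanner once, or repeatedly while
///    g_hh_args.loop_scanning is set, summarising every report.
///
/// @return PESIEVE_DETECTED if any pass produced at least one suspicious
///         report, PESIEVE_ERROR on the ETW failures above, otherwise
///         PESIEVE_NOT_DETECTED. In loop mode a detection is never reset
///         by a later clean pass.
t_pesieve_res deploy_scan()
{
    t_pesieve_res scan_res = PESIEVE_NOT_DETECTED;

    // Presumably enables SeDebugPrivilege so other users' processes can be
    // opened. NOTE(review): its result is discarded here, so if it fails
    // (e.g. the scanner was not started elevated) the scan silently degrades
    // to whatever processes are accessible anyway - a NOT_DETECTED result in
    // that state is not a clean bill of health. Worth checking and warning.
    hhunter::util::set_debug_privilege();

    if (g_hh_args.pesieve_args.data >= pesieve::PE_DATA_SCAN_INACCESSIBLE && g_hh_args.pesieve_args.make_reflection == false) {
        print_in_color(RED, "[WARNING] Scanning of inaccessible pages is enabled only in the reflection mode!\n");
    }

    if (g_hh_args.etw_scan) {
#ifdef USE_ETW
        // Relative path: presumably resolved against the current working
        // directory, so the profile that drives a privileged scanner comes
        // from wherever it was launched - run it from a directory you control.
        const char profileIni[] = "HH_ETWProfile.ini";
        ETWProfile profile;
        profile.initProfile(profileIni);
        if (!profile.isEnabled()) {
            std::cerr << "Cannot start ETW: the profile (\"" << profileIni << "\") is empty\n";
            return PESIEVE_ERROR;
        }
        std::cout << "ETWProfile defined by:\"" << profileIni << "\"\n";
        if (!ETWstart(profile)) {
            return PESIEVE_ERROR;
        }
#else
        std::cerr << "ETW support is disabled\n";
        return PESIEVE_ERROR;
#endif
    }
    else {
        HHScanner hhunter(g_hh_args);
        do {
            // Own the report with unique_ptr so it is released even if
            // summarizeScan()/countReports() throws; the raw pointer plus
            // manual delete leaked it on that path.
            std::unique_ptr<HHScanReport> report(hhunter.scan());
            if (report) {
                hhunter.summarizeScan(report.get(), g_hh_args.pesieve_args.results_filter);
                if (report->countReports(pesieve::SHOW_SUSPICIOUS) > 0) {
                    scan_res = PESIEVE_DETECTED;
                }
            }
            if (!HHScanner::isScannerCompatibile()) {
                compatibility_alert();
            }
        } while (g_hh_args.loop_scanning);
    }
    return scan_res;
}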
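/// Entry point: parses the command line into g_hh_args, applies the
/// reflection-mode fixup, prints the banner and runs deploy_scan().
///
/// @param argc argument count; with none, "Default scan deployed." is printed.
/// @param argv arguments, parsed by HHParams.
/// @return PESIEVE_INFO when HHParams::parse() returns false (bad input or,
///         presumably, an info-only request such as help/version), otherwise
///         the t_pesieve_res from deploy_scan().
int main(int argc, char *argv[])
{
    g_hh_args.init();
    HHParams uParams(HH_VERSION_STR);
    // Nothing has been copied into g_hh_args yet, so no freeStruct() is
    // needed on this early exit.
    if (!uParams.parse(argc, argv)) {
        return PESIEVE_INFO;
    }
    uParams.fillStruct(g_hh_args);

    // Scanning inaccessible pages only works in reflection mode, so turn it
    // on rather than silently running a weaker scan than the operator asked for.
    const auto data_mode = g_hh_args.pesieve_args.data;
    const bool wants_inaccessible =
        data_mode == pesieve::PE_DATA_SCAN_INACCESSIBLE ||
        data_mode == pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY;
    if (wants_inaccessible && !g_hh_args.pesieve_args.make_reflection) {
        g_hh_args.pesieve_args.make_reflection = true;
        print_in_color(RED, "[WARNING] Scanning of inaccessible pages requested: auto-enabled reflection mode!\n");
    }

    print_version(HH_VERSION_STR);
    std::cout << std::endl;
    if (argc < 2) {
        print_in_color(WHITE, "Default scan deployed.");
        std::cout << std::endl;
    }

    // (The unused `info_req` local from the original was dropped.)
    const t_pesieve_res res = deploy_scan();
    uParams.freeStruct(g_hh_args);
    return res;
}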