[FEATURE] Report address to suspicious callstack

hasherezade · Sep 2, 2024 · d7ad678 · d7ad678
1 parent bc2a245
commit d7ad678
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
@@ -487,6 +487,7 @@ ThreadScanReport* pesieve::ThreadScanner::scanRemote()
 		my_report->thread_wait_reason = info.ext.wait_reason;
 		my_report->thread_wait_time = info.ext.wait_time;
 		my_report->susp_addr = 0;
+		my_report->stack_ptr = cDetails.rsp;
 		my_report->status = SCAN_SUSPICIOUS;
 	}
 	return my_report;

diff --git a/scanners/thread_scanner.h b/scanners/thread_scanner.h
@@ -45,7 +45,7 @@ namespace pesieve {
 			}
 			else {
 				OUT_PADDED(outs, level, "\"susp_callstack\" : ");
-				outs << "\"" << std::hex << 1 << "\"";
+				outs << "\"" << std::hex << stack_ptr << "\"";
 				outs << ",\n";
 			}
 			if (thread_state != THREAD_STATE_UNKNOWN) {
@@ -83,6 +83,7 @@ namespace pesieve {
 		DWORD tid;
 		ULONGLONG susp_addr;
 		DWORD protection;
+		ULONGLONG stack_ptr;
 		DWORD thread_state;
 		DWORD thread_wait_reason;
 		DWORD thread_wait_time;