HollowsHunter
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
params.h
Go to the documentation of this file.
1#pragma once
2#include <sstream>
3#include <codecvt>
4#include <locale>
5
6#include <pe_sieve_types.h>
7#include <paramkit.h>
8
9#include "pe_sieve_params_info.h"
10#include "../term_util.h"
11
12using namespace paramkit;
13using namespace pesieve;
14
15#define HH_URL "https://github.com/hasherezade/hollows_hunter"
16
17//scan options:
18#define PARAM_IAT "iat"
19#define PARAM_HOOKS "hooks"
20#define PARAM_SHELLCODE "shellc"
21#define PARAM_OBFUSCATED "obfusc"
22#define PARAM_THREADS "threads"
23#define PARAM_DATA "data"
24#define PARAM_MODULES_IGNORE "mignore"
25#define PARAM_PROCESSES_IGNORE "pignore"
26#define PARAM_PNAME "pname"
27#define PARAM_PID "pid"
28#define PARAM_LOOP "loop"
29#define PARAM_ETW "etw"
30#define PARAM_REFLECTION "refl"
31#define PARAM_CACHE "cache"
32#define PARAM_DOTNET_POLICY "dnet"
33#define PARAM_PTIMES "ptimes"
34
35//dump options:
36#define PARAM_IMP_REC "imp"
37#define PARAM_DUMP_MODE "dmode"
38#define PARAM_REBASE "rebase"
39
40//output options:
41#define PARAM_QUIET "quiet"
42#define PARAM_OUT_FILTER "ofilter"
43#define PARAM_RESULTS_FILTER "report"
44#define PARAM_SUSPEND "suspend"
45#define PARAM_KILL "kill"
46#define PARAM_UNIQUE_DIR "uniqd"
47#define PARAM_DIR "dir"
48#define PARAM_PATTERN "pattern"
49#define PARAM_MINIDUMP "minidmp"
50#define PARAM_LOG "log"
51#define PARAM_JSON "json"
52#define PARAM_JSON_LVL "jlvl"
53
54
55std::string version_to_str(DWORD version)
56{
57 BYTE *chunks = (BYTE*)&version;
58 std::stringstream stream;
59 stream << std::hex <<
60 (int)chunks[3] << "." <<
61 (int)chunks[2] << "." <<
62 (int)chunks[1] << "." <<
63 (int)chunks[0];
64
65 return stream.str();
66}
67
68void print_version(const std::string &version , WORD info_color = HILIGHTED_COLOR)
69{
70 WORD old_color = set_color(info_color);
71 std::cout << "HollowsHunter v." << version;
72 DWORD pesieve_ver = PESieve_version;
73#ifdef _WIN64
74 std::cout << " (x64)" << "\n";
75#else
76 std::cout << " (x86)" << "\n";
77#endif
78 std::cout << "Built on: " << __DATE__ << "\n\n";
79 std::cout << "using: PE-sieve v." << version_to_str(pesieve_ver);
80 set_color(old_color);
81 std::cout << std::endl;
82}
83
84std::wstring to_wstring(const std::string& stringToConvert)
85{
86 std::wstring wideString =
87 std::wstring_convert<std::codecvt_utf8<wchar_t>>().from_bytes(stringToConvert);
88 return wideString;
89}
90
91std::string cache_mode_to_id(const t_cache_mode mode)
92{
93 switch (mode) {
94 case CACHE_DISABLED:
95 return "D";
96 case CACHE_AUTO:
97 return "A";
98 case CACHE_ENABLED:
99 return "E";
100 }
101 return "";
102}
103
104std::string translate_cache_mode(const t_cache_mode mode)
105{
106 switch (mode) {
107 case CACHE_DISABLED:
108 return "cache always disabled";
109 case CACHE_AUTO:
110 return "automatically enable cache in continuous scanning mode (default)";
111 case CACHE_ENABLED:
112 return "cache always enabled";
113 }
114 return "";
115}
116
117class HHParams : public Params
118{
119public:
120 HHParams(const std::string &version)
121 : Params(version)
122 {
123 {
124 std::stringstream ss1;
125 ss1 << "Scan only processes with given PIDs";
126 std::stringstream ss2;
127 ss2 << INFO_SPACER << "Example: 5367" << PARAM_LIST_SEPARATOR << "0xa90";
128 this->addParam(new IntListParam(PARAM_PID, false, PARAM_LIST_SEPARATOR));
129 this->setInfo(PARAM_PID, ss1.str(), ss2.str());
130 }
131 {
132 std::stringstream ss1;
133 ss1 << "Scan only processes with given names.";
134 std::stringstream ss2;
135 ss2 << INFO_SPACER << "Example: iexplore.exe" << PARAM_LIST_SEPARATOR << "firefox.exe";
136 this->addParam(new StringListParam(PARAM_PNAME, false, PARAM_LIST_SEPARATOR));
137 this->setInfo(PARAM_PNAME, ss1.str(), ss2.str());
138 }
139 {
140 std::stringstream ss1;
141 ss1 << "Make a unique, timestamped directory for the output of each scan.";
142 std::stringstream ss2;
143 ss2 << INFO_SPACER << "Prevents overwriting results from previous scans.";
144 this->addParam(new BoolParam(PARAM_UNIQUE_DIR, false));
145 this->setInfo(PARAM_UNIQUE_DIR, ss1.str(), ss2.str());
146 }
147 {
148 std::stringstream ss1;
149 ss1 << "Do not scan process/es with given name/s.";
150 std::stringstream ss2;
151 ss2 << INFO_SPACER << "Example: explorer.exe" << PARAM_LIST_SEPARATOR << "conhost.exe";
152 this->addParam(new StringListParam(PARAM_PROCESSES_IGNORE, false, PARAM_LIST_SEPARATOR));
153 this->setInfo(PARAM_PROCESSES_IGNORE, ss1.str(), ss2.str());
154 }
155
156 this->addParam(new IntParam(PARAM_PTIMES, false, IntParam::INT_BASE_DEC));
157 this->setInfo(PARAM_PTIMES, "Scan only processes created N seconds before HH, or later.");
158
159 this->addParam(new BoolParam(PARAM_SUSPEND, false));
160 this->setInfo(PARAM_SUSPEND, "Suspend processes detected as suspicious.");
161
162 this->addParam(new BoolParam(PARAM_LOG, false));
163 this->setInfo(PARAM_LOG, "Append each scan summary to the log.");
164
165 this->addParam(new BoolParam(PARAM_KILL, false));
166 this->setInfo(PARAM_KILL, "Kill processes detected as suspicious.");
167
168 this->addParam(new BoolParam(PARAM_HOOKS, false));
169 this->setInfo(PARAM_HOOKS, "Detect inline hooks and in-memory patches.");
170
171 this->addParam(new BoolParam(PARAM_LOOP, false));
172 this->setInfo(PARAM_LOOP, "Enable continuous scanning.");
173 BoolParam* etwParam = new BoolParam(PARAM_ETW, false);
174 if (etwParam) {
175 this->addParam(etwParam);
176 this->setInfo(PARAM_ETW, "Use ETW (requires Administrator privilege).");
177#ifndef USE_ETW
178 etwParam->setActive(false);
179 this->setInfo(PARAM_ETW, "Use ETW (disabled).");
180#endif //USE_ETW
181 }
182 EnumParam *enumParam = new EnumParam(PARAM_IMP_REC, "imprec_mode", false);
183 if (enumParam) {
184 this->addParam(enumParam);
185 this->setInfo(PARAM_IMP_REC, "Set in which mode the ImportTable should be recovered");
186 for (size_t i = 0; i < PE_IMPREC_MODES_COUNT; i++) {
187 t_imprec_mode mode = (t_imprec_mode)(i);
188 enumParam->addEnumValue(mode, imprec_mode_to_id(mode), translate_imprec_mode(mode));
189 }
190 }
191
192 enumParam = new EnumParam(PARAM_OUT_FILTER, "ofilter_id", false);
193 if (enumParam) {
194 this->addParam(enumParam);
195 this->setInfo(PARAM_OUT_FILTER, "Filter the dumped output.");
196 for (size_t i = 0; i < OUT_FILTERS_COUNT; i++) {
197 t_output_filter mode = (t_output_filter)(i);
198 enumParam->addEnumValue(mode, translate_out_filter(mode));
199 }
200 }
201
202 enumParam = new EnumParam(PARAM_RESULTS_FILTER, "result_type", false);
203 if (enumParam) {
204 this->addParam(enumParam);
205 this->setInfo(PARAM_RESULTS_FILTER, "Define what type of results are reported.");
206 for (size_t i = SHOW_SUSPICIOUS; i < SHOW_FILTERS_COUNT; i++) {
207 t_results_filter mode = (t_results_filter)(i);
208 std::string info = translate_results_filter(mode);
209 if (info.empty()) continue;
210 enumParam->addEnumValue(mode, results_filter_to_id(i), info);
211 }
212 }
213
214 this->addParam(new StringListParam(PARAM_MODULES_IGNORE, false, PARAM_LIST_SEPARATOR));
215 {
216 std::stringstream ss1;
217 ss1 << "Do not scan module/s with given name/s.";
218 std::stringstream ss2;
219 ss2 << "\t Example: kernel32.dll" << PARAM_LIST_SEPARATOR << "user32.dll";
220 this->setInfo(PARAM_MODULES_IGNORE, ss1.str(), ss2.str());
221 }
222
223 this->addParam(new BoolParam(PARAM_QUIET, false));
224 this->setInfo(PARAM_QUIET, "Print only the summary. Do not log on stdout during the scan.");
225
226 this->addParam(new BoolParam(PARAM_JSON, false));
227 this->setInfo(PARAM_JSON, "Print the JSON report as the summary.");
228 //
229 //PARAM_JSON_LVL
230 enumParam = new EnumParam(PARAM_JSON_LVL, "json_lvl", false);
231 if (enumParam) {
232 this->addParam(enumParam);
233 this->setInfo(PARAM_JSON_LVL, "Level of details of the JSON report.");
234 for (size_t i = 0; i < JSON_LVL_COUNT; i++) {
235 t_json_level mode = (t_json_level)(i);
236 enumParam->addEnumValue(mode, translate_json_level(mode));
237 }
238 }
239
240 this->addParam(new BoolParam(PARAM_MINIDUMP, false));
241 this->setInfo(PARAM_MINIDUMP, "Create a minidump of the full suspicious process.");
242
243 //PARAM_DUMP_MODE
244 this->addParam(new BoolParam(PARAM_REBASE, false));
245 this->setInfo(PARAM_REBASE, "Rebase the module to its original base (if known).");
246
247 //PARAM_SHELLCODE
248 enumParam = new EnumParam(PARAM_SHELLCODE, "shellc_mode", false);
249 if (enumParam) {
250 this->addParam(enumParam);
251 this->setInfo(PARAM_SHELLCODE, "Detect shellcode implants (by patterns or statistics). ");
252 for (size_t i = 0; i < SHELLC_COUNT; i++) {
253 t_shellc_mode mode = (t_shellc_mode)(i);
254 enumParam->addEnumValue(mode, shellc_mode_mode_to_id(mode), translate_shellc_mode(mode));
255 }
256 }
257
258 //PARAM_OBFUSCATED
259 enumParam = new EnumParam(PARAM_OBFUSCATED, "obfusc_mode", false);
260 if (enumParam) {
261 this->addParam(enumParam);
262 this->setInfo(PARAM_OBFUSCATED, "Detect encrypted content, and possible obfuscated shellcodes.");
263 for (size_t i = 0; i < OBFUSC_COUNT; i++) {
264 t_obfusc_mode mode = (t_obfusc_mode)(i);
265 enumParam->addEnumValue(mode, obfusc_mode_mode_to_id(mode), translate_obfusc_mode(mode));
266 }
267 }
268
269 //PARAM_THREADS
270 this->addParam(new BoolParam(PARAM_THREADS, false));
271 this->setInfo(PARAM_THREADS, "Scan threads' callstack. Detect shellcodes, incl. 'sleeping beacons'.");
272
273 //PARAM_REFLECTION
274 this->addParam(new BoolParam(PARAM_REFLECTION, false));
275 this->setInfo(PARAM_REFLECTION, "Make a process reflection before scan.", "\t This allows i.e. to force-read inaccessible pages.");
276
277 //PARAM_CACHE
278 enumParam = new EnumParam(PARAM_CACHE, "cache_mode", false);
279 if (enumParam) {
280 this->addParam(enumParam);
281 this->setInfo(PARAM_CACHE, "Use modules caching. This can speed up the scan (on the cost of memory consumption).\n");
282 for (size_t i = 0; i < CACHE_MODES_COUNT; i++) {
283 t_cache_mode mode = (t_cache_mode)(i);
284 enumParam->addEnumValue(mode, cache_mode_to_id(mode), translate_cache_mode(mode));
285 }
286 }
287
288 //PARAM_IAT
289 enumParam = new EnumParam(PARAM_IAT, "iat_scan_mode", false);
290 if (enumParam) {
291 this->addParam(enumParam);
292 this->setInfo(PARAM_IAT, "Scan for IAT hooks.");
293 for (size_t i = 0; i < PE_IATS_MODES_COUNT; i++) {
294 t_iat_scan_mode mode = (t_iat_scan_mode)(i);
295 enumParam->addEnumValue(mode, translate_iat_scan_mode(mode));
296 }
297 }
298
299 this->addParam(new StringParam(PARAM_PATTERN, false));
300 this->setInfo(PARAM_PATTERN, "Set additional shellcode patterns (file in the SIG format).");
301
302 //PARAM_DOTNET_POLICY
303 enumParam = new EnumParam(PARAM_DOTNET_POLICY, "dotnet_policy", false);
304 if (enumParam) {
305 this->addParam(enumParam);
306 this->setInfo(PARAM_DOTNET_POLICY, "Set the policy for scanning managed processes (.NET).");
307 for (size_t i = 0; i < PE_DNET_COUNT; i++) {
308 t_dotnet_policy mode = (t_dotnet_policy)(i);
309 enumParam->addEnumValue(mode, translate_dotnet_policy(mode));
310 }
311 }
312
313 //PARAM_DATA
314 enumParam = new EnumParam(PARAM_DATA, "data_scan_mode", false);
315 if (enumParam) {
316 this->addParam(enumParam);
317 this->setInfo(PARAM_DATA, "Set if non-executable pages should be scanned.");
318 for (size_t i = 0; i < PE_DATA_COUNT; i++) {
319 t_data_scan_mode mode = (t_data_scan_mode)(i);
320 enumParam->addEnumValue(mode, translate_data_mode(mode));
321 }
322 }
323
324 //PARAM_DUMP_MODE
325 enumParam = new EnumParam(PARAM_DUMP_MODE, "dump_mode", false);
326 if (enumParam) {
327 this->addParam(enumParam);
328 this->setInfo(PARAM_DUMP_MODE, "Set in which mode the detected PE files should be dumped.");
329 for (size_t i = 0; i < PE_DUMP_MODES_COUNT; i++) {
330 t_dump_mode mode = (t_dump_mode)(i);
331 enumParam->addEnumValue(mode, dump_mode_to_id(mode), translate_dump_mode(mode));
332 }
333 }
334 //PARAM_DIR
335 this->addParam(new StringParam(PARAM_DIR, false));
336 this->setInfo(PARAM_DIR, "Set a root directory for the output (default: \""+ std::string(HH_DEFAULT_DIR) + "\").");
337
338 //optional: group parameters
339 std::string str_group = "7. output options";
340 this->addGroup(new ParamGroup(str_group));
341 this->addParamToGroup(PARAM_DIR, str_group);
342 this->addParamToGroup(PARAM_JSON, str_group);
343 this->addParamToGroup(PARAM_JSON_LVL, str_group);
344 this->addParamToGroup(PARAM_OUT_FILTER, str_group);
345 this->addParamToGroup(PARAM_RESULTS_FILTER, str_group);
346 this->addParamToGroup(PARAM_LOG, str_group);
347 this->addParamToGroup(PARAM_UNIQUE_DIR, str_group);
348
349 str_group = "2. scanner settings";
350 this->addGroup(new ParamGroup(str_group));
351 this->addParamToGroup(PARAM_QUIET, str_group);
352 this->addParamToGroup(PARAM_REFLECTION, str_group);
353 this->addParamToGroup(PARAM_CACHE, str_group);
354 this->addParamToGroup(PARAM_LOOP, str_group);
355
356 str_group = "4. scan options";
357 this->addGroup(new ParamGroup(str_group));
358 this->addParamToGroup(PARAM_DATA, str_group);
359 this->addParamToGroup(PARAM_IAT, str_group);
360 this->addParamToGroup(PARAM_SHELLCODE, str_group);
361 this->addParamToGroup(PARAM_OBFUSCATED, str_group);
362 this->addParamToGroup(PARAM_THREADS, str_group);
363 this->addParamToGroup(PARAM_HOOKS, str_group);
364 this->addParamToGroup(PARAM_PATTERN, str_group);
365 this->addParamToGroup(PARAM_ETW, str_group);
366
367 str_group = "5. dump options";
368 this->addGroup(new ParamGroup(str_group));
369 this->addParamToGroup(PARAM_MINIDUMP, str_group);
370 this->addParamToGroup(PARAM_IMP_REC, str_group);
371 this->addParamToGroup(PARAM_DUMP_MODE, str_group);
372 this->addParamToGroup(PARAM_REBASE, str_group);
373
374 str_group = "3. scan exclusions";
375 this->addGroup(new ParamGroup(str_group));
376 this->addParamToGroup(PARAM_DOTNET_POLICY, str_group);
377 this->addParamToGroup(PARAM_MODULES_IGNORE, str_group);
378 this->addParamToGroup(PARAM_PROCESSES_IGNORE, str_group);
379
380 str_group = "1. scan targets";
381 this->addGroup(new ParamGroup(str_group));
382 this->addParamToGroup(PARAM_PID, str_group);
383 this->addParamToGroup(PARAM_PNAME, str_group);
384 this->addParamToGroup(PARAM_PTIMES, str_group);
385
386 str_group = "6. post-scan actions";
387 this->addGroup(new ParamGroup(str_group));
388 this->addParamToGroup(PARAM_KILL, str_group);
389 this->addParamToGroup(PARAM_SUSPEND, str_group);
390 }
391
392 void printBanner()
393 {
394 char logo2[] = ""
395 "@@@ @@@ @@@@@@ @@@ @@@ @@@@@@ @@@ @@@ @@@ @@@@@@\n"
396 "@@! @@@ @@! @@@ @@! @@! @@! @@@ @@! @@! @@! !@@ \n"
397 "@!@!@!@! @!@ !@! @!! @!! @!@ !@! @!! !!@ @!@ !@@!! \n"
398 "!!: !!! !!: !!! !!: !!: !!: !!! !: !!: !! !:!\n"
399 " : : : : :. : : ::.: : : ::.: : : :. : ::.: ::: ::.: : \n"
400 " @@@ @@@ @@@ @@@ @@@ @@@ @@@@@@@ @@@@@@@@ @@@@@@@ \n"
401 " @@! @@@ @@! @@@ @@!@!@@@ @!! @@! @@! @@@ \n"
402 " @!@!@!@! @!@ !@! @!@@!!@! @!! @!!!:! @!@!!@! \n"
403 " !!: !!! !!: !!! !!: !!! !!: !!: !!: :!! \n"
404 " : : : :.:: : :: : : : :: :: : : : \n";
405 char *logo = logo2;
406 WORD logo_color = DARK_MAGENTA;
407
408 WORD curr_color = 0;
409 if (get_current_color(STD_OUTPUT_HANDLE, curr_color)) {
410 WORD current_bg = GET_BG_COLOR(curr_color);
411 if (current_bg == logo_color) {
412 logo_color = MAKE_COLOR(CYAN, current_bg);
413 }
414 }
415 WORD old_color = set_color(logo_color);
416 std::cout << "\n" << logo << std::endl;
417 set_color(old_color);
418 print_version(this->versionStr);
419 std::cout << std::endl;
420 std::cout << "Scans running processes. Recognizes and dumps a variety of in-memory implants:\nreplaced/implanted PEs, shellcodes, hooks, patches, etc.\n";
421 std::cout << "URL: " << HH_URL << std::endl;
422 }
423
424 void fillStruct(t_hh_params& ps)
425 {
426 fillPEsieveStruct(ps.pesieve_args);
427 bool hooks = false;
428 copyVal<BoolParam>(PARAM_HOOKS, hooks);
429 ps.pesieve_args.no_hooks = hooks ? false : true;
430
431 copyVal<EnumParam>(PARAM_CACHE, ps.cache_mode);
432 copyVal<BoolParam>(PARAM_UNIQUE_DIR, ps.unique_dir);
433 copyVal<BoolParam>(PARAM_SUSPEND, ps.suspend_suspicious);
434 copyVal<BoolParam>(PARAM_KILL, ps.kill_suspicious);
435#ifdef USE_ETW
436 copyVal<BoolParam>(PARAM_ETW, ps.etw_scan);
437#endif // USE_ETW
438 copyVal<BoolParam>(PARAM_LOOP, ps.loop_scanning);
439 copyVal<BoolParam>(PARAM_LOG, ps.log);
440 copyVal<BoolParam>(PARAM_QUIET, ps.quiet);
441 copyVal<IntParam>(PARAM_PTIMES, ps.ptimes);
442 copyVal<BoolParam>(PARAM_JSON, ps.json_output);
443 copyVal<StringParam>(PARAM_DIR, ps.out_dir);
444
445 StringListParam* myParam = dynamic_cast<StringListParam*>(this->getParam(PARAM_PNAME));
446 if (myParam && myParam->isSet()) {
447 std::set<std::string> names_list;
448 myParam->stripToElements(names_list);
449 for (auto itr = names_list.begin(); itr != names_list.end(); itr++) {
450 ps.names_list.insert(to_wstring(*itr));
451 }
452 }
453
454 myParam = dynamic_cast<StringListParam*>(this->getParam(PARAM_PROCESSES_IGNORE));
455 if (myParam && myParam->isSet()) {
456 std::set<std::string> ignored_names_list;
457 myParam->stripToElements(ignored_names_list);
458 for (auto itr = ignored_names_list.begin(); itr != ignored_names_list.end(); itr++) {
459 ps.ignored_names_list.insert(to_wstring(*itr));
460 }
461 }
462 IntListParam* myIntParam = dynamic_cast<IntListParam*>(this->getParam(PARAM_PID));
463 if (myIntParam && myIntParam->isSet()) {
464 myIntParam->stripToIntElements(ps.pids_list);
465 }
466
467 ps.pesieve_args.use_cache = false;
468 if (ps.cache_mode == CACHE_ENABLED) {
469 ps.pesieve_args.use_cache = true;
470 }
471 else if (ps.cache_mode == CACHE_AUTO) {
472 if (ps.loop_scanning || ps.etw_scan) {
473 //continuous scanning: enable cache
474 ps.pesieve_args.use_cache = true;
475 }
476 }
477 }
478
479 void freeStruct(t_hh_params& ps)
480 {
481 free_strparam(ps.pesieve_args.modules_ignored);
482 free_strparam(ps.pesieve_args.pattern_file);
483 }
484
485protected:
486
487 // Fill PE-sieve params
488
489 bool alloc_strparam(PARAM_STRING& strparam, size_t len)
490 {
491 if (strparam.buffer != nullptr) { // already allocated
492 return false;
493 }
494 strparam.buffer = (char*)calloc(len + 1, sizeof(char));
495 if (strparam.buffer) {
496 strparam.length = len;
497 return true;
498 }
499 return false;
500 }
501
502 void free_strparam(pesieve::PARAM_STRING& strparam)
503 {
504 if (strparam.buffer) {
505 free(strparam.buffer);
506 }
507 strparam.buffer = nullptr;
508 strparam.length = 0;
509 }
510
511 bool fillStringParam(const std::string& paramId, PARAM_STRING& strparam)
512 {
513 StringParam* myStr = dynamic_cast<StringParam*>(this->getParam(paramId));
514 if (!myStr || !myStr->isSet()) {
515 return false;
516 }
517 std::string val = myStr->valToString();
518 const size_t len = val.length();
519 if (!len) {
520 return false;
521 }
522 alloc_strparam(strparam, len);
523 bool is_copied = false;
524 if (strparam.buffer) {
525 is_copied = copyCStr<StringParam>(paramId, strparam.buffer, strparam.length);
526 }
527 return is_copied;
528 }
529
530 void fillPEsieveStruct(t_params& ps)
531 {
532 copyVal<EnumParam>(PARAM_IMP_REC, ps.imprec_mode);
533 copyVal<EnumParam>(PARAM_OUT_FILTER, ps.out_filter);
534 copyVal<EnumParam>(PARAM_RESULTS_FILTER, ps.results_filter);
535
536 fillStringParam(PARAM_MODULES_IGNORE, ps.modules_ignored);
537
538 copyVal<BoolParam>(PARAM_REBASE, ps.rebase);
539 copyVal<BoolParam>(PARAM_QUIET, ps.quiet);
540 copyVal<EnumParam>(PARAM_JSON_LVL, ps.json_lvl);
541
542 copyVal<BoolParam>(PARAM_MINIDUMP, ps.minidump);
543 copyVal<EnumParam>(PARAM_SHELLCODE, ps.shellcode);
544 copyVal<EnumParam>(PARAM_OBFUSCATED, ps.obfuscated);
545 copyVal<BoolParam>(PARAM_THREADS, ps.threads);
546 copyVal<BoolParam>(PARAM_REFLECTION, ps.make_reflection);
547
548 copyVal<EnumParam>(PARAM_IAT, ps.iat);
549 copyVal<EnumParam>(PARAM_DOTNET_POLICY, ps.dotnet_policy);
550 copyVal<EnumParam>(PARAM_DATA, ps.data);
551 copyVal<EnumParam>(PARAM_DUMP_MODE, ps.dump_mode);
552
553 fillStringParam(PARAM_PATTERN, ps.pattern_file);
554 }
555
556};
HHParams::HHParams
HHParams(const std::string &version)
Definition params.h:120
HHParams::free_strparam
void free_strparam(pesieve::PARAM_STRING &strparam)
Definition params.h:502
HHParams::fillStringParam
bool fillStringParam(const std::string &paramId, PARAM_STRING &strparam)
Definition params.h:511
HHParams::freeStruct
void freeStruct(t_hh_params &ps)
Definition params.h:479
HHParams::alloc_strparam
bool alloc_strparam(PARAM_STRING &strparam, size_t len)
Definition params.h:489
HHParams::printBanner
void printBanner()
Definition params.h:392
HHParams::fillStruct
void fillStruct(t_hh_params &ps)
Definition params.h:424
HHParams::fillPEsieveStruct
void fillPEsieveStruct(t_params &ps)
Definition params.h:530
HH_DEFAULT_DIR
#define HH_DEFAULT_DIR
Definition hh_params.h:8
t_cache_mode
t_cache_mode
Definition hh_params.h:11
CACHE_AUTO
@ CACHE_AUTO
autodetect if cache should be enabled
Definition hh_params.h:13
CACHE_ENABLED
@ CACHE_ENABLED
cache always enabled
Definition hh_params.h:14
CACHE_DISABLED
@ CACHE_DISABLED
cache always disabled
Definition hh_params.h:12
CACHE_MODES_COUNT
@ CACHE_MODES_COUNT
Definition hh_params.h:15
PARAM_PROCESSES_IGNORE
#define PARAM_PROCESSES_IGNORE
Definition params.h:25
PARAM_CACHE
#define PARAM_CACHE
Definition params.h:31
PARAM_LOOP
#define PARAM_LOOP
Definition params.h:28
PARAM_IAT
#define PARAM_IAT
Definition params.h:18
PARAM_RESULTS_FILTER
#define PARAM_RESULTS_FILTER
Definition params.h:43
PARAM_PATTERN
#define PARAM_PATTERN
Definition params.h:48
version_to_str
std::string version_to_str(DWORD version)
Definition params.h:55
PARAM_PTIMES
#define PARAM_PTIMES
Definition params.h:33
PARAM_MINIDUMP
#define PARAM_MINIDUMP
Definition params.h:49
translate_cache_mode
std::string translate_cache_mode(const t_cache_mode mode)
Definition params.h:104
PARAM_IMP_REC
#define PARAM_IMP_REC
Definition params.h:36
PARAM_OUT_FILTER
#define PARAM_OUT_FILTER
Definition params.h:42
cache_mode_to_id
std::string cache_mode_to_id(const t_cache_mode mode)
Definition params.h:91
PARAM_OBFUSCATED
#define PARAM_OBFUSCATED
Definition params.h:21
PARAM_LOG
#define PARAM_LOG
Definition params.h:50
PARAM_JSON
#define PARAM_JSON
Definition params.h:51
PARAM_HOOKS
#define PARAM_HOOKS
Definition params.h:19
PARAM_PID
#define PARAM_PID
Definition params.h:27
HH_URL
#define HH_URL
Definition params.h:15
PARAM_REBASE
#define PARAM_REBASE
Definition params.h:38
PARAM_DOTNET_POLICY
#define PARAM_DOTNET_POLICY
Definition params.h:32
PARAM_DATA
#define PARAM_DATA
Definition params.h:23
PARAM_MODULES_IGNORE
#define PARAM_MODULES_IGNORE
Definition params.h:24
PARAM_UNIQUE_DIR
#define PARAM_UNIQUE_DIR
Definition params.h:46
to_wstring
std::wstring to_wstring(const std::string &stringToConvert)
Definition params.h:84
PARAM_QUIET
#define PARAM_QUIET
Definition params.h:41
PARAM_PNAME
#define PARAM_PNAME
Definition params.h:26
print_version
void print_version(const std::string &version, WORD info_color=HILIGHTED_COLOR)
Definition params.h:68
PARAM_THREADS
#define PARAM_THREADS
Definition params.h:22
PARAM_SUSPEND
#define PARAM_SUSPEND
Definition params.h:44
PARAM_SHELLCODE
#define PARAM_SHELLCODE
Definition params.h:20
PARAM_JSON_LVL
#define PARAM_JSON_LVL
Definition params.h:52
PARAM_DIR
#define PARAM_DIR
Definition params.h:47
PARAM_ETW
#define PARAM_ETW
Definition params.h:29
PARAM_DUMP_MODE
#define PARAM_DUMP_MODE
Definition params.h:37
PARAM_REFLECTION
#define PARAM_REFLECTION
Definition params.h:30
PARAM_KILL
#define PARAM_KILL
Definition params.h:45
translate_shellc_mode
std::string translate_shellc_mode(const pesieve::t_shellc_mode &mode)
Definition pe_sieve_params_info.cpp:138
translate_imprec_mode
std::string translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode)
Definition pe_sieve_params_info.cpp:59
translate_out_filter
std::string translate_out_filter(const pesieve::t_output_filter o_filter)
Definition pe_sieve_params_info.cpp:20
translate_dump_mode
std::string translate_dump_mode(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:5
obfusc_mode_mode_to_id
std::string obfusc_mode_mode_to_id(const pesieve::t_obfusc_mode &mode)
Definition pe_sieve_params_info.cpp:170
translate_iat_scan_mode
std::string translate_iat_scan_mode(const pesieve::t_iat_scan_mode mode)
Definition pe_sieve_params_info.cpp:78
shellc_mode_mode_to_id
std::string shellc_mode_mode_to_id(const pesieve::t_shellc_mode &mode)
Definition pe_sieve_params_info.cpp:123
translate_data_mode
std::string translate_data_mode(const pesieve::t_data_scan_mode &mode)
Definition pe_sieve_params_info.cpp:183
translate_obfusc_mode
std::string translate_obfusc_mode(const pesieve::t_obfusc_mode &mode)
Definition pe_sieve_params_info.cpp:155
translate_json_level
std::string translate_json_level(const pesieve::t_json_level &mode)
Definition pe_sieve_params_info.cpp:110
translate_results_filter
std::string translate_results_filter(const pesieve::t_results_filter r_filter)
Definition pe_sieve_params_info.cpp:33
results_filter_to_id
std::string results_filter_to_id(const DWORD r_filter)
Definition pe_sieve_params_info.cpp:46
translate_dotnet_policy
std::string translate_dotnet_policy(const pesieve::t_dotnet_policy &mode)
Definition pe_sieve_params_info.cpp:93
imprec_mode_to_id
std::string imprec_mode_to_id(const pesieve::t_imprec_mode imprec_mode)
Definition pe_sieve_params_info.cpp:217
dump_mode_to_id
std::string dump_mode_to_id(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:202
pe_sieve_params_info.h
hh_params
Definition hh_params.h:20
hh_params::pids_list
std::set< long > pids_list
Definition hh_params.h:34
hh_params::log
bool log
Definition hh_params.h:29
hh_params::json_output
bool json_output
Definition hh_params.h:30
hh_params::kill_suspicious
bool kill_suspicious
Definition hh_params.h:27
hh_params::ignored_names_list
std::set< std::wstring > ignored_names_list
Definition hh_params.h:35
hh_params::pesieve_args
pesieve::t_params pesieve_args
Definition hh_params.h:36
hh_params::out_dir
std::string out_dir
Definition hh_params.h:22
hh_params::etw_scan
bool etw_scan
Definition hh_params.h:25
hh_params::quiet
bool quiet
Definition hh_params.h:28
hh_params::names_list
std::set< std::wstring > names_list
Definition hh_params.h:33
hh_params::cache_mode
t_cache_mode cache_mode
Definition hh_params.h:32
hh_params::loop_scanning
bool loop_scanning
Definition hh_params.h:24
hh_params::suspend_suspicious
bool suspend_suspicious
Definition hh_params.h:26
hh_params::unique_dir
bool unique_dir
Definition hh_params.h:23
hh_params::ptimes
LONGLONG ptimes
Definition hh_params.h:31
set_color
WORD set_color(WORD color)
Definition term_util.cpp:20
get_current_color
bool get_current_color(int descriptor, WORD &color)
Definition term_util.cpp:11
term_util.h
MAKE_COLOR
#define MAKE_COLOR(fg_color, bg_color)
Definition term_util.h:26
DARK_MAGENTA
#define DARK_MAGENTA
Definition term_util.h:14
CYAN
#define CYAN
Definition term_util.h:20
GET_BG_COLOR
#define GET_BG_COLOR(color)
Definition term_util.h:27
Generated by doxygen 1.12.0