HollowsHunter
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pe_sieve_params_info.cpp
3#include <windows.h>
/// Human-readable description of a PE dump mode, for help/usage output.
/// @param dump_mode  one of the pesieve::PE_DUMP_* values; it arrives as a
///                   DWORD, so any numeric value is accepted
/// @return the description, or an empty string when dump_mode is not a
///         known PE_DUMP_* value — callers should treat "" as "unknown"
std::string translate_dump_mode(const DWORD dump_mode)
{
    const char* description = "";
    switch (dump_mode) {
    case pesieve::PE_DUMP_AUTO:
        description = "autodetect (default)";
        break;
    case pesieve::PE_DUMP_VIRTUAL:
        description = "virtual (as it is in the memory, no unmapping)";
        break;
    case pesieve::PE_DUMP_UNMAP:
        description = "unmapped (converted to raw using sections' raw headers)";
        break;
    case pesieve::PE_DUMP_REALIGN:
        description = "realigned raw (converted raw format to be the same as virtual)";
        break;
    }
    return description;
}
/// Help text for a pesieve output filter (which artifacts are written to disk).
/// @param o_filter  the output filter selected by the caller
/// @return the description, or "" for a value outside the known OUT_* set
std::string translate_out_filter(const pesieve::t_output_filter o_filter)
{
    struct Entry { pesieve::t_output_filter key; const char* text; };
    static const Entry kDescriptions[] = {
        { pesieve::OUT_FULL,     "no filter: dump everything (default)" },
        { pesieve::OUT_NO_DUMPS, "don't dump the modified PEs, but save the report" },
        { pesieve::OUT_NO_DIR,   "don't dump any files" },
    };
    for (const Entry& entry : kDescriptions) {
        if (entry.key == o_filter) {
            return entry.text;
        }
    }
    return "";
}
/// Help text for a results filter (which scan outcomes are reported).
/// @param r_filter  the results filter selected by the caller
/// @return the description, or "" for a value outside the known SHOW_* set
std::string translate_results_filter(const pesieve::t_results_filter r_filter)
{
    const char* description = "";
    switch (r_filter) {
    case pesieve::SHOW_SUSPICIOUS:
        description = "only suspicious (default)";
        break;
    case pesieve::SHOW_SUSPICIOUS_AND_ERRORS:
        description = "suspicious and errors";
        break;
    case pesieve::SHOW_ALL:
        description = "all scanned";
        break;
    }
    return description;
}
/// Short identifier for a results filter ("S", "SE" or "L").
/// @param r_filter  a pesieve::SHOW_* value, passed as a plain DWORD
/// @return the identifier, or "" when r_filter is not a known SHOW_* value.
///         Note that, unlike the other *_to_id helpers in this file, the
///         fallback here is an empty string rather than "N" — anything that
///         composes names from this result must not assume it is non-empty.
std::string results_filter_to_id(const DWORD r_filter)
{
    const char* id = "";
    switch (r_filter) {
    case pesieve::SHOW_SUSPICIOUS:
        id = "S";
        break;
    case pesieve::SHOW_SUSPICIOUS_AND_ERRORS:
        id = "SE";
        break;
    case pesieve::SHOW_ALL:
        id = "L";
        break;
    }
    return id;
}
/// Help text for an import-recovery mode. The three REBUILD variants share a
/// two-line description (the second line is tab-indented for console output).
/// @param imprec_mode  the import-recovery mode selected by the caller
/// @return the description, or "" for a value outside the known PE_IMPREC_* set
std::string translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode)
{
    struct Entry { pesieve::t_imprec_mode key; const char* text; };
    static const Entry kDescriptions[] = {
        { pesieve::PE_IMPREC_NONE,     "none: do not recover imports (default)" },
        { pesieve::PE_IMPREC_AUTO,     "try to autodetect the most suitable mode" },
        { pesieve::PE_IMPREC_UNERASE,  "unerase the erased parts of the partialy damaged ImportTable" },
        { pesieve::PE_IMPREC_REBUILD0, "build the ImportTable from scratch, basing on the found IATs:\n\t use only terminated blocks (restrictive mode)" },
        { pesieve::PE_IMPREC_REBUILD1, "build the ImportTable from scratch, basing on the found IATs:\n\t use terminated blocks, or blocks with more than 1 thunk" },
        { pesieve::PE_IMPREC_REBUILD2, "build the ImportTable from scratch, basing on the found IATs:\n\t use all found blocks (aggressive mode)" },
    };
    for (const Entry& entry : kDescriptions) {
        if (entry.key == imprec_mode) {
            return entry.text;
        }
    }
    return "";
}
/// Help text for an IAT-hook scan mode (how aggressively IAT hooks are reported).
/// @param mode  the IAT scan mode selected by the caller
/// @return the description, or "" for a value outside the known PE_IATS_* set
std::string translate_iat_scan_mode(const pesieve::t_iat_scan_mode mode)
{
    const char* description = "";
    switch (mode) {
    case pesieve::PE_IATS_NONE:
        description = "none: do not scan for IAT Hooks (default)";
        break;
    case pesieve::PE_IATS_CLEAN_SYS_FILTERED:
        description = "scan IAT, filter hooks that lead to unpatched system module";
        break;
    case pesieve::PE_IATS_ALL_SYS_FILTERED:
        description = "scan IAT, filter hooks that lead to ANY system module";
        break;
    case pesieve::PE_IATS_UNFILTERED:
        description = "unfiltered: scan for IAT Hooks, report all";
        break;
    }
    return description;
}
/// Help text for a .NET scanning policy (which findings are suppressed inside
/// managed processes).
/// @param mode  the .NET policy selected by the caller
/// @return the description, or "" for a value outside the known PE_DNET_* set
std::string translate_dotnet_policy(const pesieve::t_dotnet_policy &mode)
{
    struct Entry { pesieve::t_dotnet_policy key; const char* text; };
    static const Entry kDescriptions[] = {
        { pesieve::PE_DNET_NONE,         "none: treat managed processes same as native" },
        { pesieve::PE_DNET_SKIP_MAPPING, "skip mapping mismatch (in .NET modules only)" },
        { pesieve::PE_DNET_SKIP_SHC,     "skip shellcodes (in all modules within the managed process)" },
        { pesieve::PE_DNET_SKIP_HOOKS,   "skip hooked modules (in all modules within the managed process)" },
        { pesieve::PE_DNET_SKIP_ALL,     "skip all the above (mapping, shellcodes, hooks)" },
    };
    for (const Entry& entry : kDescriptions) {
        if (entry.key == mode) {
            return entry.text;
        }
    }
    return "";
}
/// Help text for a JSON report verbosity level.
/// @param mode  the JSON level selected by the caller
/// @return the description, or "" for a value outside the known JSON_* set
std::string translate_json_level(const pesieve::t_json_level &mode)
{
    const char* description = "";
    switch (mode) {
    case pesieve::JSON_BASIC:
        description = "basic";
        break;
    case pesieve::JSON_DETAILS:
        description = "details #1 (list patches)";
        break;
    case pesieve::JSON_DETAILS2:
        description = "details #2 (list patches: extended)";
        break;
    }
    return description;
}
/// Short identifier for a shellcode detection mode.
/// SHELLC_NONE is deliberately not listed: it, and any unrecognised value,
/// maps to "N".
/// @param mode  the shellcode detection mode selected by the caller
/// @return "P", "S", "A", "B", or "N" as the fallback
std::string shellc_mode_mode_to_id(const pesieve::t_shellc_mode& mode)
{
    struct Entry { pesieve::t_shellc_mode key; const char* id; };
    static const Entry kIds[] = {
        { pesieve::SHELLC_PATTERNS,           "P" },
        { pesieve::SHELLC_STATS,              "S" },
        { pesieve::SHELLC_PATTERNS_OR_STATS,  "A" },
        { pesieve::SHELLC_PATTERNS_AND_STATS, "B" },
    };
    for (const Entry& entry : kIds) {
        if (entry.key == mode) {
            return entry.id;
        }
    }
    return "N";
}
/// Help text for a shellcode detection mode.
/// @param mode  the shellcode detection mode selected by the caller
/// @return the description, or "" for a value outside the known SHELLC_* set
std::string translate_shellc_mode(const pesieve::t_shellc_mode& mode)
{
    const char* description = "";
    switch (mode) {
    case pesieve::SHELLC_NONE:
        description = "none: do not detect shellcodes";
        break;
    case pesieve::SHELLC_PATTERNS:
        description = "detect shellcodes by patterns";
        break;
    case pesieve::SHELLC_STATS:
        description = "detect shellcodes by stats";
        break;
    case pesieve::SHELLC_PATTERNS_OR_STATS:
        description = "detect shellcodes by patterns or stats (any match)";
        break;
    case pesieve::SHELLC_PATTERNS_AND_STATS:
        description = "detect shellcodes by patterns and stats (both match)";
        break;
    }
    return description;
}
/// Help text for an obfuscation (encrypted-area) detection mode.
/// @param mode  the obfuscation detection mode selected by the caller
/// @return the description, or "" for a value outside the known OBFUSC_* set
std::string translate_obfusc_mode(const pesieve::t_obfusc_mode& mode)
{
    struct Entry { pesieve::t_obfusc_mode key; const char* text; };
    static const Entry kDescriptions[] = {
        { pesieve::OBFUSC_NONE,       "none: do not detect obfuscated areas" },
        { pesieve::OBFUSC_STRONG_ENC, "detect areas possibly encrypted with strong encryption" },
        { pesieve::OBFUSC_WEAK_ENC,   "detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)" },
        { pesieve::OBFUSC_ANY,        "detect any: possible strong or weak encryption" },
    };
    for (const Entry& entry : kDescriptions) {
        if (entry.key == mode) {
            return entry.text;
        }
    }
    return "";
}
/// Short identifier for an obfuscation detection mode.
/// OBFUSC_NONE is not listed: it, and any unrecognised value, maps to "N".
/// @param mode  the obfuscation detection mode selected by the caller
/// @return "S", "W", "A", or "N" as the fallback
std::string obfusc_mode_mode_to_id(const pesieve::t_obfusc_mode& mode)
{
    const char* id = "N";
    switch (mode) {
    case pesieve::OBFUSC_STRONG_ENC:
        id = "S";
        break;
    case pesieve::OBFUSC_WEAK_ENC:
        id = "W";
        break;
    case pesieve::OBFUSC_ANY:
        id = "A";
        break;
    }
    return id;
}
/// Help text for a data (non-executable page) scan mode. The two INACCESSIBLE
/// variants carry a second, tab-indented line describing reflection-mode
/// (/refl) behaviour.
/// @param mode  the data scan mode selected by the caller
/// @return the description, or "" for a value outside the known PE_DATA_* set
std::string translate_data_mode(const pesieve::t_data_scan_mode& mode)
{
    struct Entry { pesieve::t_data_scan_mode key; const char* text; };
    static const Entry kDescriptions[] = {
        { pesieve::PE_DATA_NO_SCAN,                "none: do not scan non-executable pages" },
        { pesieve::PE_DATA_SCAN_DOTNET,            ".NET: scan non-executable in .NET applications" },
        { pesieve::PE_DATA_SCAN_NO_DEP,            "if no DEP: scan non-exec if DEP is disabled (or if is .NET)" },
        { pesieve::PE_DATA_SCAN_ALWAYS,            "always: scan non-executable pages unconditionally" },
        { pesieve::PE_DATA_SCAN_INACCESSIBLE,      "include inaccessible: scan non-executable pages unconditionally;\n\t in reflection mode (/refl): scan also inaccessible pages" },
        { pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY, "scan inaccessible pages, but exclude other non-executable;\n\t works in reflection mode (/refl) only" },
    };
    for (const Entry& entry : kDescriptions) {
        if (entry.key == mode) {
            return entry.text;
        }
    }
    return "";
}
/// Short identifier for a PE dump mode.
/// @param dump_mode  a pesieve::PE_DUMP_* value, passed as a plain DWORD
/// @return "A", "V", "U", "R", or "N" for any value outside that set
std::string dump_mode_to_id(const DWORD dump_mode)
{
    const char* id = "N";
    switch (dump_mode) {
    case pesieve::PE_DUMP_AUTO:
        id = "A";
        break;
    case pesieve::PE_DUMP_VIRTUAL:
        id = "V";
        break;
    case pesieve::PE_DUMP_UNMAP:
        id = "U";
        break;
    case pesieve::PE_DUMP_REALIGN:
        id = "R";
        break;
    }
    return id;
}
/// Short identifier for an import-recovery mode.
/// PE_IMPREC_NONE and any unrecognised value both yield "N", so "N" alone
/// cannot distinguish "recovery disabled" from "unknown mode".
/// @param imprec_mode  the import-recovery mode selected by the caller
/// @return "N", "A", "U", "R0", "R1", "R2", or "N" as the fallback
std::string imprec_mode_to_id(const pesieve::t_imprec_mode imprec_mode)
{
    struct Entry { pesieve::t_imprec_mode key; const char* id; };
    static const Entry kIds[] = {
        { pesieve::PE_IMPREC_NONE,     "N" },
        { pesieve::PE_IMPREC_AUTO,     "A" },
        { pesieve::PE_IMPREC_UNERASE,  "U" },
        { pesieve::PE_IMPREC_REBUILD0, "R0" },
        { pesieve::PE_IMPREC_REBUILD1, "R1" },
        { pesieve::PE_IMPREC_REBUILD2, "R2" },
    };
    for (const Entry& entry : kIds) {
        if (entry.key == imprec_mode) {
            return entry.id;
        }
    }
    return "N";
}