PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::ProcessScanReport Class Reference

The per-process report: it collects the ModuleScanReport objects produced by scanning one process (identified by pid) and exposes counting, lookup and JSON-serialization helpers over them. More...

#include <scan_report.h>

Public Types

enum  t_report_type {
  REPORT_MAPPING_SCAN , REPORT_HEADERS_SCAN , REPORT_CODE_SCAN , REPORT_MEMPAGE_SCAN ,
  REPORT_ARTEFACT_SCAN , REPORT_UNREACHABLE_SCAN , REPORT_SKIPPED_SCAN , REPORT_IAT_SCAN ,
  REPORT_THREADS_SCAN , REPORT_TYPES_COUNT
}
 
enum  t_report_filter {
  REPORT_ERRORS = 1 , REPORT_NOT_SUSPICIOUS = 2 , REPORT_SUSPICIOUS = 4 , REPORT_SUSPICIOUS_AND_ERRORS = REPORT_ERRORS | REPORT_SUSPICIOUS ,
  REPORT_ALL = REPORT_ERRORS | REPORT_NOT_SUSPICIOUS | REPORT_SUSPICIOUS
}
 

Public Member Functions

 ProcessScanReport (DWORD _pid, bool _is64bit, bool _isReflection, t_params *_usedParams)
 
 ~ProcessScanReport ()
 
void appendReport (ModuleScanReport *report)
 
size_t getScannedSize (ULONGLONG address) const
 
bool hasModule (ULONGLONG page_addr)
 
bool hasModuleContaining (ULONGLONG page_addr, size_t size)
 
bool isModuleReplaced (HMODULE module_base)
 
ScannedModule * getModuleContaining (ULONGLONG field_addr, size_t field_size=0) const
 
virtual const bool toJSON (std::stringstream &stream, size_t level, const t_report_filter &filter, const pesieve::t_json_level &jdetails) const
 
pesieve::t_report generateSummary () const
 
DWORD getPid ()
 
bool isManagedProcess ()
 

Static Public Member Functions

static t_report_type getReportType (ModuleScanReport *report)
 

Public Attributes

std::string mainImagePath
 
std::vector< ModuleScanReport * > moduleReports
 
peconv::ExportsMapper * exportsMap
 

Protected Member Functions

std::string listModules (size_t level, const ProcessScanReport::t_report_filter &filter, const t_json_level &jdetails) const
 
void deleteModuleReports ()
 
void appendToType (ModuleScanReport *report)
 
size_t countResultsPerType (const t_report_type type, const t_scan_status result) const
 
size_t countSuspiciousPerType (const t_report_type type) const
 
size_t countHdrsReplaced () const
 
bool hasAnyShownType (const ProcessScanReport::t_report_filter &filter)
 

Protected Attributes

DWORD pid
 
bool is64bit
 
bool isManaged
 
bool isReflection
 
t_params * usedParams
 
size_t errorsCount
 
ModulesInfo modulesInfo
 
std::set< ModuleScanReport * > reportsByType [REPORT_TYPES_COUNT]
 

Friends

class ProcessScanner
 
class ResultsDumper
 

Detailed Description

The per-process report: it collects the ModuleScanReport objects produced by scanning one process (identified by pid), indexes them by report type (reportsByType), and exposes counting, lookup and JSON-serialization helpers over them. Note for users of the public API: moduleReports and exportsMap are raw pointers; a deleteModuleReports() helper exists and the destructor is inline, so the report object presumably owns the appended ModuleScanReport instances — do not delete them separately, and confirm the exportsMap ownership against scan_report.h before freeing it.

Definition at line 18 of file scan_report.h.

Member Enumeration Documentation

◆ t_report_filter

Enumerator
REPORT_ERRORS — include module reports that ended in an error.
REPORT_NOT_SUSPICIOUS — include module reports with no findings.
REPORT_SUSPICIOUS — include module reports with findings.
REPORT_SUSPICIOUS_AND_ERRORS — REPORT_ERRORS | REPORT_SUSPICIOUS.
REPORT_ALL — every report regardless of outcome.
The values are bit flags (1, 2, 4) and may be combined with |; they are passed to toJSON()/listModules() to select which module reports are emitted, so a consumer that filters out errors will not see modules that could not be scanned.

Definition at line 34 of file scan_report.h.

◆ t_report_type

Enumerator
REPORT_MAPPING_SCAN 
REPORT_HEADERS_SCAN 
REPORT_CODE_SCAN 
REPORT_MEMPAGE_SCAN 
REPORT_ARTEFACT_SCAN 
REPORT_UNREACHABLE_SCAN 
REPORT_SKIPPED_SCAN 
REPORT_IAT_SCAN 
REPORT_THREADS_SCAN 
REPORT_TYPES_COUNT 

Definition at line 21 of file scan_report.h.

Constructor & Destructor Documentation

◆ ProcessScanReport()

pesieve::ProcessScanReport::ProcessScanReport ( DWORD _pid,
bool _is64bit,
bool _isReflection,
t_params * _usedParams )
inline

Definition at line 44 of file scan_report.h.

◆ ~ProcessScanReport()

pesieve::ProcessScanReport::~ProcessScanReport ( )
inline

Definition at line 50 of file scan_report.h.


Member Function Documentation

◆ appendReport()

void pesieve::ProcessScanReport::appendReport ( ModuleScanReport * report)
inline

Definition at line 56 of file scan_report.h.


◆ appendToType()

void pesieve::ProcessScanReport::appendToType ( ModuleScanReport * report)
protected

Definition at line 104 of file scan_report.cpp.


◆ countHdrsReplaced()

size_t pesieve::ProcessScanReport::countHdrsReplaced ( ) const
protected

Definition at line 132 of file scan_report.cpp.


◆ countResultsPerType()

size_t pesieve::ProcessScanReport::countResultsPerType ( const t_report_type type,
const t_scan_status result ) const
protected

Definition at line 88 of file scan_report.cpp.


◆ countSuspiciousPerType()

size_t pesieve::ProcessScanReport::countSuspiciousPerType ( const t_report_type type) const
inlineprotected

Definition at line 124 of file scan_report.h.


◆ deleteModuleReports()

void pesieve::ProcessScanReport::deleteModuleReports ( )
inlineprotected

Definition at line 111 of file scan_report.h.


◆ generateSummary()

pesieve::t_report pesieve::ProcessScanReport::generateSummary ( ) const

Definition at line 152 of file scan_report.cpp.


◆ getModuleContaining()

ScannedModule * pesieve::ProcessScanReport::getModuleContaining ( ULONGLONG field_addr,
size_t field_size = 0 ) const
inline

Definition at line 93 of file scan_report.h.


◆ getPid()

DWORD pesieve::ProcessScanReport::getPid ( )
inline

Definition at line 101 of file scan_report.h.

◆ getReportType()

pesieve::ProcessScanReport::t_report_type pesieve::ProcessScanReport::getReportType ( ModuleScanReport * report)
static

Definition at line 53 of file scan_report.cpp.

◆ getScannedSize()

size_t pesieve::ProcessScanReport::getScannedSize ( ULONGLONG address) const
inline

Definition at line 70 of file scan_report.h.


◆ hasAnyShownType()

bool pesieve::ProcessScanReport::hasAnyShownType ( const ProcessScanReport::t_report_filter & filter)
protected

Definition at line 38 of file scan_report.cpp.


◆ hasModule()

bool pesieve::ProcessScanReport::hasModule ( ULONGLONG page_addr)
inline

Definition at line 75 of file scan_report.h.


◆ hasModuleContaining()

bool pesieve::ProcessScanReport::hasModuleContaining ( ULONGLONG page_addr,
size_t size )
inline

Definition at line 83 of file scan_report.h.


◆ isManagedProcess()

bool pesieve::ProcessScanReport::isManagedProcess ( )
inline

Definition at line 102 of file scan_report.h.

◆ isModuleReplaced()

bool pesieve::ProcessScanReport::isModuleReplaced ( HMODULE module_base)

Definition at line 115 of file scan_report.cpp.


◆ listModules()

std::string pesieve::ProcessScanReport::listModules ( size_t level,
const ProcessScanReport::t_report_filter & filter,
const t_json_level & jdetails ) const
protected

Definition at line 185 of file scan_report.cpp.


◆ toJSON()

const bool pesieve::ProcessScanReport::toJSON ( std::stringstream & stream,
size_t level,
const t_report_filter & filter,
const pesieve::t_json_level & jdetails ) const
virtual

Definition at line 212 of file scan_report.cpp.


Friends And Related Symbol Documentation

◆ ProcessScanner

Definition at line 142 of file scan_report.h.

◆ ResultsDumper

Definition at line 143 of file scan_report.h.

Member Data Documentation

◆ errorsCount

size_t pesieve::ProcessScanReport::errorsCount
protected

Definition at line 137 of file scan_report.h.

◆ exportsMap

peconv::ExportsMapper* pesieve::ProcessScanReport::exportsMap

Definition at line 106 of file scan_report.h.

◆ is64bit

bool pesieve::ProcessScanReport::is64bit
protected

Definition at line 133 of file scan_report.h.

◆ isManaged

bool pesieve::ProcessScanReport::isManaged
protected

Definition at line 134 of file scan_report.h.

◆ isReflection

bool pesieve::ProcessScanReport::isReflection
protected

Definition at line 135 of file scan_report.h.

◆ mainImagePath

std::string pesieve::ProcessScanReport::mainImagePath

Definition at line 104 of file scan_report.h.

◆ moduleReports

std::vector<ModuleScanReport*> pesieve::ProcessScanReport::moduleReports

Definition at line 105 of file scan_report.h.

◆ modulesInfo

ModulesInfo pesieve::ProcessScanReport::modulesInfo
protected

Definition at line 139 of file scan_report.h.

◆ pid

DWORD pesieve::ProcessScanReport::pid
protected

Definition at line 132 of file scan_report.h.

◆ reportsByType

std::set<ModuleScanReport*> pesieve::ProcessScanReport::reportsByType[REPORT_TYPES_COUNT]
protected

Definition at line 140 of file scan_report.h.

◆ usedParams

t_params* pesieve::ProcessScanReport::usedParams
protected

Definition at line 136 of file scan_report.h.


The documentation for this class was generated from the following files: