PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
The report aggregating the results of the performed scan.
#include <scan_report.h>
Public Types | |
enum | t_report_type { REPORT_MAPPING_SCAN , REPORT_HEADERS_SCAN , REPORT_CODE_SCAN , REPORT_MEMPAGE_SCAN , REPORT_ARTEFACT_SCAN , REPORT_UNREACHABLE_SCAN , REPORT_SKIPPED_SCAN , REPORT_IAT_SCAN , REPORT_THREADS_SCAN , REPORT_TYPES_COUNT } |
enum | t_report_filter { REPORT_ERRORS = 1 , REPORT_NOT_SUSPICIOUS = 2 , REPORT_SUSPICIOUS = 4 , REPORT_SUSPICIOUS_AND_ERRORS = REPORT_ERRORS | REPORT_SUSPICIOUS , REPORT_ALL = REPORT_ERRORS | REPORT_NOT_SUSPICIOUS | REPORT_SUSPICIOUS } |
Public Member Functions | |
ProcessScanReport (DWORD _pid, bool _is64bit, bool _isReflection, t_params *_usedParams) | |
~ProcessScanReport () | |
void | appendReport (ModuleScanReport *report) |
size_t | getScannedSize (ULONGLONG address) const |
bool | hasModule (ULONGLONG page_addr) |
bool | hasModuleContaining (ULONGLONG page_addr, size_t size) |
bool | isModuleReplaced (HMODULE module_base) |
ScannedModule * | getModuleContaining (ULONGLONG field_addr, size_t field_size=0) const |
virtual const bool | toJSON (std::stringstream &stream, size_t level, const t_report_filter &filter, const pesieve::t_json_level &jdetails) const |
pesieve::t_report | generateSummary () const |
DWORD | getPid () |
bool | isManagedProcess () |
Static Public Member Functions | |
static t_report_type | getReportType (ModuleScanReport *report) |
Public Attributes | |
std::string | mainImagePath |
std::vector< ModuleScanReport * > | moduleReports |
peconv::ExportsMapper * | exportsMap |
Protected Member Functions | |
std::string | listModules (size_t level, const ProcessScanReport::t_report_filter &filter, const t_json_level &jdetails) const |
void | deleteModuleReports () |
void | appendToType (ModuleScanReport *report) |
size_t | countResultsPerType (const t_report_type type, const t_scan_status result) const |
size_t | countSuspiciousPerType (const t_report_type type) const |
size_t | countHdrsReplaced () const |
bool | hasAnyShownType (const ProcessScanReport::t_report_filter &filter) |
Protected Attributes | |
DWORD | pid |
bool | is64bit |
bool | isManaged |
bool | isReflection |
t_params * | usedParams |
size_t | errorsCount |
ModulesInfo | modulesInfo |
std::set< ModuleScanReport * > | reportsByType [REPORT_TYPES_COUNT] |
Friends | |
class | ProcessScanner |
class | ResultsDumper |
The report aggregating the results of the performed scan.
Definition at line 18 of file scan_report.h.
Enumerator | |
---|---|
REPORT_ERRORS | |
REPORT_NOT_SUSPICIOUS | |
REPORT_SUSPICIOUS | |
REPORT_SUSPICIOUS_AND_ERRORS | |
REPORT_ALL |
Definition at line 34 of file scan_report.h.
Definition at line 21 of file scan_report.h.
inline |
Definition at line 44 of file scan_report.h.
pesieve::t_report pesieve::ProcessScanReport::generateSummary | ( | ) | const |
inline |
inline |
Definition at line 101 of file scan_report.h.
static |
Definition at line 53 of file scan_report.cpp.
protected |
inline |
Definition at line 102 of file scan_report.h.
protected |
virtual |
friend |
Definition at line 142 of file scan_report.h.
friend |
Definition at line 143 of file scan_report.h.
protected |
Definition at line 137 of file scan_report.h.
peconv::ExportsMapper* pesieve::ProcessScanReport::exportsMap |
Definition at line 106 of file scan_report.h.
protected |
Definition at line 133 of file scan_report.h.
protected |
Definition at line 134 of file scan_report.h.
protected |
Definition at line 135 of file scan_report.h.
std::string pesieve::ProcessScanReport::mainImagePath |
Definition at line 104 of file scan_report.h.
std::vector<ModuleScanReport*> pesieve::ProcessScanReport::moduleReports |
Definition at line 105 of file scan_report.h.
protected |
Definition at line 139 of file scan_report.h.
protected |
Definition at line 132 of file scan_report.h.
protected |
Definition at line 140 of file scan_report.h.
protected |
Definition at line 136 of file scan_report.h.