PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
pesieve::ResultsDumper Class Reference

#include <results_dumper.h>

Public Member Functions

 ResultsDumper (std::string _baseDir, bool _quiet)
ProcessDumpReportdumpDetectedModules (HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const t_imprec_mode imprec_mode, const bool rebase)
bool dumpJsonReport (ProcessScanReport &process_report, const t_results_filter &filter, const pesieve::t_json_level &jdetails)
bool dumpJsonReport (ProcessDumpReport &process_report)
bool dumpJsonReport (ErrorReport &error_report, const t_results_filter &filter)
std::string getOutputDir ()
std::string makeOutPath (const std::string &fname, const std::string &defaultExtension="")

Protected Member Functions

bool dumpModule (IN HANDLE processHandle, IN bool isRefl, IN const ModulesInfo &modulesInfo, IN ModuleScanReport *modReport, IN const peconv::ExportsMapper *exportsMap, IN const pesieve::t_dump_mode dump_mode, IN const pesieve::t_imprec_mode imprec_mode, IN bool rebase, OUT ProcessDumpReport &dumpReport)
std::string makeModuleDumpPath (ULONGLONG modBaseAddr, const std::string &fname, const std::string &defaultExtension)
std::string makeDirName (const DWORD process_id)
void makeAndJoinDirectories (std::stringstream &name_stream)
bool fillModuleCopy (IN ModuleScanReport *mod, IN OUT PeBuffer &module_buf)

Protected Attributes

std::string dumpDir
std::string baseDir
bool quiet

Detailed Description

Definition at line 11 of file results_dumper.h.

Constructor & Destructor Documentation

◆ ResultsDumper()

pesieve::ResultsDumper::ResultsDumper ( std::string _baseDir,
bool _quiet )
inline

Definition at line 15 of file results_dumper.h.

Member Function Documentation

◆ dumpDetectedModules()

pesieve::ProcessDumpReport * pesieve::ResultsDumper::dumpDetectedModules ( HANDLE hProcess,
bool isRefl,
ProcessScanReport & process_report,
const pesieve::t_dump_mode dump_mode,
const t_imprec_mode imprec_mode,
const bool rebase )

Definition at line 204 of file results_dumper.cpp.

Here is the call graph for this function:

◆ dumpJsonReport() [1/3]

bool pesieve::ResultsDumper::dumpJsonReport ( ErrorReport & error_report,
const t_results_filter & filter )

Definition at line 177 of file results_dumper.cpp.

Here is the call graph for this function:

◆ dumpJsonReport() [2/3]

bool pesieve::ResultsDumper::dumpJsonReport ( ProcessDumpReport & process_report)

Definition at line 148 of file results_dumper.cpp.

Here is the call graph for this function:

◆ dumpJsonReport() [3/3]

bool pesieve::ResultsDumper::dumpJsonReport ( pesieve::ProcessScanReport & process_report,
const t_results_filter & filter,
const pesieve::t_json_level & jdetails )

Definition at line 116 of file results_dumper.cpp.

Here is the call graph for this function:

◆ dumpModule()

bool pesieve::ResultsDumper::dumpModule ( IN HANDLE processHandle,
IN bool isRefl,
IN const ModulesInfo & modulesInfo,
IN ModuleScanReport * modReport,
IN const peconv::ExportsMapper * exportsMap,
IN const pesieve::t_dump_mode dump_mode,
IN const pesieve::t_imprec_mode imprec_mode,
IN bool rebase,
OUT ProcessDumpReport & dumpReport )
protected
Parameters
processHandle: handle of the target process (from which the artefacts will be dumped)
isRefl: a flag indicating if this is a process reflection
modulesInfo: list the scanned modules, with their statuses
modReport: ModuleScanReport defining artefacts to be dumped
exportsMap: mapping of all the exported APIs available within the process (for imports reconstruction)
imprec_mode: mode in which imports reconstruction will be attempted
out_base: the base to which the output module should be rebased, 0 if default
dumpReport: ProcessDumpReport to which reports from the current dump will be appended

Definition at line 262 of file results_dumper.cpp.

Here is the call graph for this function:

◆ fillModuleCopy()

bool pesieve::ResultsDumper::fillModuleCopy ( IN ModuleScanReport * mod,
IN OUT PeBuffer & module_buf )
protected

Definition at line 244 of file results_dumper.cpp.

Here is the call graph for this function:

◆ getOutputDir()

std::string pesieve::ResultsDumper::getOutputDir ( )
inline

Definition at line 37 of file results_dumper.h.

◆ makeAndJoinDirectories()

void pesieve::ResultsDumper::makeAndJoinDirectories ( std::stringstream & name_stream)
protected

Definition at line 433 of file results_dumper.cpp.

Here is the call graph for this function:

◆ makeDirName()

std::string pesieve::ResultsDumper::makeDirName ( const DWORD process_id)
protected

Definition at line 484 of file results_dumper.cpp.

◆ makeModuleDumpPath()

std::string pesieve::ResultsDumper::makeModuleDumpPath ( ULONGLONG modBaseAddr,
const std::string & fname,
const std::string & defaultExtension )
protected
Parameters
modBaseAddr: base address where this module was mapped
fname: known name of this module
defaultExtension: default extension - it will be used if no other extension was detected from the previous name

Definition at line 455 of file results_dumper.cpp.

Here is the call graph for this function:

◆ makeOutPath()

std::string pesieve::ResultsDumper::makeOutPath ( const std::string & fname,
const std::string & defaultExtension = "" )

Definition at line 469 of file results_dumper.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ baseDir

std::string pesieve::ResultsDumper::baseDir
protected

Definition at line 81 of file results_dumper.h.

◆ dumpDir

std::string pesieve::ResultsDumper::dumpDir
protected

Definition at line 80 of file results_dumper.h.

◆ quiet

bool pesieve::ResultsDumper::quiet
protected

Definition at line 82 of file results_dumper.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.17.0