PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
Public Member Functions | Protected Member Functions | Protected Attributes | List of all members
pesieve::ResultsDumper Class Reference

#include <results_dumper.h>

Public Member Functions

 ResultsDumper (std::string _baseDir, bool _quiet)
 
ProcessDumpReportdumpDetectedModules (HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const pesieve::t_imprec_mode imprec_mode)
 
bool dumpJsonReport (ProcessScanReport &process_report, const ProcessScanReport::t_report_filter &filter, const pesieve::t_json_level &jdetails)
 
bool dumpJsonReport (ProcessDumpReport &process_report)
 
std::string getOutputDir ()
 
std::string makeOutPath (const std::string &fname, const std::string &defaultExtension="")
 

Protected Member Functions

bool dumpModule (IN HANDLE processHandle, IN bool isRefl, IN const ModulesInfo &modulesInfo, IN ModuleScanReport *modReport, IN const peconv::ExportsMapper *exportsMap, IN const pesieve::t_dump_mode dump_mode, IN const pesieve::t_imprec_mode imprec_mode, OUT ProcessDumpReport &dumpReport)
 
std::string makeModuleDumpPath (ULONGLONG modBaseAddr, const std::string &fname, const std::string &defaultExtension)
 
std::string makeDirName (const DWORD process_id)
 
void makeAndJoinDirectories (std::stringstream &name_stream)
 
bool fillModuleCopy (IN ModuleScanReport *mod, IN OUT PeBuffer &module_buf)
 

Protected Attributes

std::string dumpDir
 
std::string baseDir
 
bool quiet
 

Detailed Description

Definition at line 11 of file results_dumper.h.

Constructor & Destructor Documentation

◆ ResultsDumper()

pesieve::ResultsDumper::ResultsDumper ( std::string _baseDir,
bool _quiet )
inline

Definition at line 15 of file results_dumper.h.

Member Function Documentation

◆ dumpDetectedModules()

pesieve::ProcessDumpReport * pesieve::ResultsDumper::dumpDetectedModules ( HANDLE hProcess,
bool isRefl,
ProcessScanReport & process_report,
const pesieve::t_dump_mode dump_mode,
const pesieve::t_imprec_mode imprec_mode )

Definition at line 177 of file results_dumper.cpp.

Here is the call graph for this function:

◆ dumpJsonReport() [1/2]

bool pesieve::ResultsDumper::dumpJsonReport ( ProcessDumpReport & process_report)

Definition at line 148 of file results_dumper.cpp.

Here is the call graph for this function:

◆ dumpJsonReport() [2/2]

bool pesieve::ResultsDumper::dumpJsonReport ( pesieve::ProcessScanReport & process_report,
const ProcessScanReport::t_report_filter & filter,
const pesieve::t_json_level & jdetails )

Definition at line 116 of file results_dumper.cpp.

Here is the call graph for this function:

◆ dumpModule()

bool pesieve::ResultsDumper::dumpModule ( IN HANDLE processHandle,
IN bool isRefl,
IN const ModulesInfo & modulesInfo,
IN ModuleScanReport * modReport,
IN const peconv::ExportsMapper * exportsMap,
IN const pesieve::t_dump_mode dump_mode,
IN const pesieve::t_imprec_mode imprec_mode,
OUT ProcessDumpReport & dumpReport )
protected
Parameters
processHandle: handle of the target process (from which the artefacts will be dumped)
isRefl: a flag indicating if this is a process reflection
modulesInfo: list the scanned modules, with their statuses
modReport: ModuleScanReport defining artefacts to be dumped
exportsMap: mapping of all the exported APIs available within the process (for imports reconstruction)
imprec_mode: mode in which imports reconstruction will be attempted
dumpReport: ProcessDumpReport to which reports from the current dump will be appended

Definition at line 230 of file results_dumper.cpp.

Here is the call graph for this function:

◆ fillModuleCopy()

bool pesieve::ResultsDumper::fillModuleCopy ( IN ModuleScanReport * mod,
IN OUT PeBuffer & module_buf )
protected

Definition at line 212 of file results_dumper.cpp.

Here is the call graph for this function:

◆ getOutputDir()

std::string pesieve::ResultsDumper::getOutputDir ( )
inline

Definition at line 28 of file results_dumper.h.

◆ makeAndJoinDirectories()

void pesieve::ResultsDumper::makeAndJoinDirectories ( std::stringstream & name_stream)
protected

Definition at line 390 of file results_dumper.cpp.

Here is the call graph for this function:

◆ makeDirName()

std::string pesieve::ResultsDumper::makeDirName ( const DWORD process_id)
protected

Definition at line 441 of file results_dumper.cpp.

Here is the call graph for this function:

◆ makeModuleDumpPath()

std::string pesieve::ResultsDumper::makeModuleDumpPath ( ULONGLONG modBaseAddr,
const std::string & fname,
const std::string & defaultExtension )
protected
Parameters
modBaseAddr: base address where this module was mapped
fname: known name of this module
defaultExtension: default extension - it will be used if no other extension was detected from the previous name

Definition at line 412 of file results_dumper.cpp.

Here is the call graph for this function:

◆ makeOutPath()

std::string pesieve::ResultsDumper::makeOutPath ( const std::string & fname,
const std::string & defaultExtension = "" )

Definition at line 426 of file results_dumper.cpp.

Here is the call graph for this function:

Member Data Documentation

◆ baseDir

std::string pesieve::ResultsDumper::baseDir
protected

Definition at line 70 of file results_dumper.h.

◆ dumpDir

std::string pesieve::ResultsDumper::dumpDir
protected

Definition at line 69 of file results_dumper.h.

◆ quiet

bool pesieve::ResultsDumper::quiet
protected

Definition at line 71 of file results_dumper.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.10.0