PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
dump_report.cpp
1#include "dump_report.h"
2
4
5using namespace pesieve::util;
6
/// Write this module's dump record as a run of JSON members, one per line,
/// each indented by `level` through OUT_PADDED. The final member ("status")
/// is written without a trailing comma or newline: the caller opens and
/// closes the surrounding object.
///
/// Always present: "module" and "module_size" (quoted hex), "is_shellcode"
/// and "status" (isDumped) printed numerically. Everything else is written
/// only when its backing field is set: "dump_base" when the dump was rebased,
/// the *_file members when the corresponding name is non-empty,
/// "imp_rec_result" (with "imp_not_recovered_file" nested under it) when an
/// import-recovery mode string exists, "dump_mode" and "is_corrupt_pe" likewise.
///
/// NOTE(review): no JSON escaping is applied to any string written here
/// (ProcessDumpReport::toJSON escapes path separators, but only for the
/// directory paths it emits itself). File names are cut down to a base name by
/// peconv::get_file_name(), so no separators reach the output; what remains
/// assumed is that those base names and the mode strings never contain `"` or
/// control characters — presumably true for names the dumper created, but
/// worth confirming wherever a module name taken from the scanned process
/// can flow into one of these fields.
///
/// @param outs   stream receiving the JSON text
/// @param level  indentation level passed to OUT_PADDED for every member
/// @return always true (the `const` on the by-value return is a no-op kept to
///         match the virtual declaration)
const bool pesieve::ModuleDumpReport::toJSON(std::stringstream &outs, size_t level)
{
    // "<key>" : "<base name>",  -- written only when the path is non-empty.
    auto put_file = [&outs, level](const char *key, const std::string &path) {
        if (path.empty()) {
            return;
        }
        OUT_PADDED(outs, level, key);
        outs << "\"" << peconv::get_file_name(path) << "\"" << ",\n";
    };
    // "<key>" : "<text>",  -- written only when the text is non-empty.
    auto put_text = [&outs, level](const char *key, const std::string &text) {
        if (text.empty()) {
            return;
        }
        OUT_PADDED(outs, level, key);
        outs << "\"" << text << "\"" << ",\n";
    };

    // Addresses and sizes go out as quoted hex; std::hex stays in effect on the
    // stream until the decimal members below reset it.
    OUT_PADDED(outs, level, "\"module\" : ");
    outs << "\"" << std::hex << moduleStart << "\"" << ",\n";
    OUT_PADDED(outs, level, "\"module_size\" : ");
    outs << "\"" << std::hex << moduleSize << "\"" << ",\n";
    if (rebasedTo != moduleStart) {
        // Only worth reporting when the dump was written at a different base.
        OUT_PADDED(outs, level, "\"dump_base\" : ");
        outs << "\"" << std::hex << rebasedTo << "\"" << ",\n";
    }

    put_file("\"dump_file\" : ", dumpFileName);
    put_file("\"tags_file\" : ", hooksTagFileName);
    put_file("\"pattern_tags_file\" : ", patternsTagFileName);
    put_file("\"imports_file\" : ", impListFileName);

    if (!impRecMode.empty()) {
        put_text("\"imp_rec_result\" : ", impRecMode);
        // The "not recovered" list is only reported alongside a recovery result.
        put_file("\"imp_not_recovered_file\" : ", notRecoveredFileName);
    }
    put_file("\"iat_hooks_file\" : ", this->iatHooksFileName);
    put_text("\"dump_mode\" : ", mode_info);

    // Flags are printed numerically (0/1 for a bool; boolalpha is never set).
    OUT_PADDED(outs, level, "\"is_shellcode\" : ");
    outs << std::dec << is_shellcode << ",\n";
    if (is_corrupt_pe) {
        OUT_PADDED(outs, level, "\"is_corrupt_pe\" : ");
        outs << std::dec << is_corrupt_pe << ",\n";
    }

    // Last member: no trailing comma or newline, the caller closes the object.
    OUT_PADDED(outs, level, "\"status\" : ");
    outs << std::dec << this->isDumped;
    return true;
}
60
61// ProcessDumpReport
62
/// Serialize the per-process dump report as a single JSON object.
/// Layout: "pid", "output_dir", an optional "minidump_path", a nested
/// "dumped" object holding the "total"/"dumped" counters, then the "dumps"
/// array produced by list_dumped_modules(). The braces sit at `start_level`,
/// the members one level deeper. Always returns true.
///
/// Directory paths go through escape_path_separators() so their separators
/// survive as valid JSON; whatever escaping the per-module strings get (or do
/// not get) is decided inside ModuleDumpReport::toJSON.
///
/// @param stream       stream receiving the JSON text
/// @param start_level  indentation level of the outer braces
bool pesieve::ProcessDumpReport::toJSON(std::stringstream &stream, size_t start_level) const
{
    const size_t inner = start_level + 1;

    OUT_PADDED(stream, start_level, "{\n"); // open the report object

    OUT_PADDED(stream, inner, "\"pid\" : ");
    stream << std::dec << getPid() << ",\n";

    OUT_PADDED(stream, inner, "\"output_dir\" : \"");
    stream << escape_path_separators(outputDir) << "\",\n";
    if (!minidumpPath.empty()) {
        OUT_PADDED(stream, inner, "\"minidump_path\" : \"");
        stream << escape_path_separators(this->minidumpPath) << "\",\n";
    }

    // Counters live in their own nested object. The key "dumped" is used both
    // for this object and for the inner count — kept as-is for consumers.
    OUT_PADDED(stream, inner, "\"dumped\" : \n");
    OUT_PADDED(stream, inner, "{\n");
    OUT_PADDED(stream, inner + 1, "\"total\" : ");
    stream << std::dec << countTotal() << ",\n";
    OUT_PADDED(stream, inner + 1, "\"dumped\" : ");
    stream << std::dec << countDumped() << "\n";
    OUT_PADDED(stream, inner, "},\n"); // close the counters object

    // "dumps" : [ ... ] — the helper already terminates it with a newline.
    stream << list_dumped_modules(inner);

    OUT_PADDED(stream, start_level, "}"); // close the report object
    return true;
}
92
/// Build the `"dumps" : [ ... ]` array covering every module that was either
/// dumped or had its report written (isDumped || isReportDumped); each one is
/// emitted as its own JSON object one level below `level`, with its members
/// two levels below. Modules matching neither flag are skipped silently.
/// The returned text ends with a newline after the closing bracket.
///
/// Quirk preserved for output compatibility: when moduleReports is non-empty
/// but no entry qualifies, the array body is a single empty line rather than
/// nothing — still valid JSON whitespace.
///
/// NOTE(review): each entry is dereferenced without a null check; this assumes
/// the vector never holds a null ModuleDumpReport* — confirm at the insertion
/// site.
///
/// @param level  indentation level of the "dumps" key itself
/// @return the array text, ready to be appended to the enclosing object
std::string pesieve::ProcessDumpReport::list_dumped_modules(size_t level) const
{
    std::stringstream stream;
    OUT_PADDED(stream, level, "\"dumps\" : [\n");

    size_t emitted = 0;
    for (ModuleDumpReport *mod : moduleReports) {
        if (!(mod->isDumped || mod->isReportDumped)) {
            continue;
        }
        // A separator precedes every element except the first one written.
        if (emitted++ != 0) {
            stream << ",\n";
        }
        OUT_PADDED(stream, level + 1, "{\n");
        if (mod->toJSON(stream, level + 2)) {
            stream << "\n";
        }
        OUT_PADDED(stream, level + 1, "}");
    }
    if (!moduleReports.empty()) {
        stream << "\n";
    }
    OUT_PADDED(stream, level, "]\n");
    return stream.str();
}