1#include "dump_report.h"
2
4
5using namespace pesieve::util;
6
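namespace {
	// JSON-escapes a value that is about to be written between double quotes:
	// '"' and '\' are backslash-escaped, the common control characters get
	// their short forms, and any other byte below 0x20 becomes \u00XX.
	// Bytes >= 0x80 are passed through untouched (no UTF-8 validation).
	std::string escape_json_string_value(const std::string &value)
	{
		static const char hex_digits[] = "0123456789abcdef";
		std::string escaped;
		escaped.reserve(value.size());
		for (const char ch : value) {
			const unsigned char c = static_cast<unsigned char>(ch);
			switch (c) {
			case '"':  escaped += "\\\""; break;
			case '\\': escaped += "\\\\"; break;
			case '\b': escaped += "\\b"; break;
			case '\f': escaped += "\\f"; break;
			case '\n': escaped += "\\n"; break;
			case '\r': escaped += "\\r"; break;
			case '\t': escaped += "\\t"; break;
			default:
				if (c < 0x20) {
					escaped += "\\u00";
					escaped += hex_digits[(c >> 4) & 0x0F];
					escaped += hex_digits[c & 0x0F];
				} else {
					escaped += ch;
				}
				break;
			}
		}
		return escaped;
	}
} // namespace

// Serializes this module's dump record as the *members* of a JSON object,
// one "key" : value pair per line, indented by `level`. The enclosing
// braces are written by the caller; the last member ("status") is written
// without a trailing comma or newline for that reason.
//
// Every string value is passed through escape_json_string_value() before
// it is written. The original code wrote them raw, so a file name or mode
// string containing '"', '\' or a control character would have produced a
// document that downstream consumers of the report cannot parse.
// NOTE(review): whether such characters can actually reach these members is
// not visible from this file; the escaping is defensive.
//
// Returns true unconditionally.
const bool pesieve::ModuleDumpReport::toJSON(std::stringstream &outs, size_t level)
{
	// Base address and size are written as hex strings without a 0x prefix.
	OUT_PADDED(outs, level, "\"module\" : ");
	outs << "\"" << std::hex << moduleStart << "\"" << ",\n";
	OUT_PADDED(outs, level, "\"module_size\" : ");
	outs << "\"" << std::hex << moduleSize << "\"" << ",\n";

	// Only the base name of each output file is reported, never the full path.
	if (dumpFileName.length()) {
		OUT_PADDED(outs, level, "\"dump_file\" : ");
		outs << "\"" << escape_json_string_value(peconv::get_file_name(dumpFileName)) << "\"" << ",\n";
	}
	if (hooksTagFileName.length()) {
		OUT_PADDED(outs, level, "\"tags_file\" : ");
		outs << "\"" << escape_json_string_value(peconv::get_file_name(hooksTagFileName)) << "\"" << ",\n";
	}
	if (patternsTagFileName.length()) {
		OUT_PADDED(outs, level, "\"pattern_tags_file\" : ");
		outs << "\"" << escape_json_string_value(peconv::get_file_name(patternsTagFileName)) << "\"" << ",\n";
	}
	if (impListFileName.length()) {
		OUT_PADDED(outs, level, "\"imports_file\" : ");
		outs << "\"" << escape_json_string_value(peconv::get_file_name(impListFileName)) << "\"" << ",\n";
	}
	if (impRecMode.length()) {
		OUT_PADDED(outs, level, "\"imp_rec_result\" : ");
		outs << "\"" << escape_json_string_value(impRecMode) << "\"" << ",\n";
		// The "not recovered" listing only makes sense when import recovery ran.
		if (notRecoveredFileName.length()) {
			OUT_PADDED(outs, level, "\"imp_not_recovered_file\" : ");
			outs << "\"" << escape_json_string_value(peconv::get_file_name(notRecoveredFileName)) << "\"" << ",\n";
		}
	}
	if (this->iatHooksFileName.length()) {
		OUT_PADDED(outs, level, "\"iat_hooks_file\" : ");
		outs << "\"" << escape_json_string_value(peconv::get_file_name(iatHooksFileName)) << "\"" << ",\n";
	}
	if (mode_info.length()) {
		OUT_PADDED(outs, level, "\"dump_mode\" : ");
		outs << "\"" << escape_json_string_value(mode_info) << "\"" << ",\n";
	}

	// Flags are written as 0/1 (std::dec also ends the hex mode set above).
	// is_shellcode is always present; is_corrupt_pe only when it is set.
	OUT_PADDED(outs, level, "\"is_shellcode\" : ");
	outs << std::dec << is_shellcode << ",\n";
	if (is_corrupt_pe) {
		OUT_PADDED(outs, level, "\"is_corrupt_pe\" : ");
		outs << std::dec << is_corrupt_pe << ",\n";
	}

	// Last member: no trailing comma, no newline (the caller closes the object).
	OUT_PADDED(outs, level, "\"status\" : ");
	outs << std::dec << this->isDumped;
	return true;
}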
56
57// ProcessDumpReport
58
// Writes the whole per-process dump report as one JSON object, opened and
// closed at `start_level` with its members indented one level deeper:
//   pid, output_dir, [minidump_path], dumped { total, dumped }, dumps [ ... ]
// The "dumps" array comes from list_dumped_modules(). Returns true unconditionally.
bool pesieve::ProcessDumpReport::toJSON(std::stringstream &stream, size_t start_level) const
{
	const size_t level = start_level + 1;
	const size_t inner = level + 1;

	OUT_PADDED(stream, start_level, "{\n"); // opens the report object

	OUT_PADDED(stream, level, "\"pid\" : ");
	stream << std::dec << getPid() << ",\n";

	// Directory and minidump paths are run through escape_path_separators()
	// before being quoted; presumably this doubles the Windows backslashes so
	// the path is a valid JSON string (its definition lives in path_util.cpp).
	OUT_PADDED(stream, level, "\"output_dir\" : \"");
	stream << escape_path_separators(outputDir) << "\",\n";
	if (!minidumpPath.empty()) {
		OUT_PADDED(stream, level, "\"minidump_path\" : \"");
		stream << escape_path_separators(minidumpPath) << "\",\n";
	}

	// Summary counters: how many modules were considered vs. actually dumped.
	OUT_PADDED(stream, level, "\"dumped\" : \n");
	OUT_PADDED(stream, level, "{\n");
	OUT_PADDED(stream, inner, "\"total\" : ");
	stream << std::dec << countTotal() << ",\n";
	OUT_PADDED(stream, inner, "\"dumped\" : ");
	stream << std::dec << countDumped() << "\n";
	OUT_PADDED(stream, level, "},\n"); // closes "dumped"

	// Per-module records, already formatted as a complete "dumps" array.
	stream << list_dumped_modules(level);

	OUT_PADDED(stream, start_level, "}"); // closes the report object
	return true;
}
88
90{
91 std::stringstream stream;
92 //summary:
93 OUT_PADDED(stream, level, "\"dumps\" : [\n");
94 bool is_first = true;
95 std::vector<ModuleDumpReport*>::const_iterator itr;
96 for (itr = moduleReports.begin(); itr != moduleReports.end(); ++itr) {
97 ModuleDumpReport *mod = *itr;
98 if (mod->isDumped || mod->isReportDumped) {
99 if (!is_first) {
100 stream << ",\n";
101 }
102 OUT_PADDED(stream, level + 1, "{\n");
103 if (mod->toJSON(stream, level + 2)) {
104 stream << "\n";
105 }
106 OUT_PADDED(stream, level + 1, "}");
107 is_first = false;
108 }
109 }
110 if (moduleReports.size()) {
111 stream << "\n";
112 }
113 OUT_PADDED(stream, level, "]\n");
114 return stream.str();
115}