PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
dump_report.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include <iostream>
6#include <sstream>
7#include <string>
8#include <vector>
9
10#include <peconv.h>
11#include "../utils/path_util.h"
12#include "../utils/path_converter.h"
13
14namespace pesieve {
15
16 class ModuleDumpReport
17 {
18 public:
19
20 ModuleDumpReport(ULONGLONG module_start, size_t module_size)
21 : moduleStart(module_start), moduleSize(module_size),
22 isDumped(false), isReportDumped(false),
23 is_corrupt_pe(false),
24 is_shellcode(false)
25 {
26 }
27
28 const virtual bool toJSON(std::stringstream &outs, size_t level);
29
30 ULONGLONG moduleStart;
31 size_t moduleSize;
32 bool is_corrupt_pe;
33 bool is_shellcode;
34 std::string impRecMode;
35 bool isReportDumped;
36 bool isDumped;
37 std::string mode_info;
38 std::string dumpFileName;
39 std::string hooksTagFileName;
40 std::string patternsTagFileName;
41 std::string impListFileName;
42 std::string notRecoveredFileName;
43 std::string iatHooksFileName;
44 };
45
47 class ProcessDumpReport
48 {
49 public:
50 ProcessDumpReport(DWORD _pid)
51 : pid(_pid)
52 {
53 }
54
59
60 void appendReport(ModuleDumpReport *report)
61 {
62 if (!report) return;
63 moduleReports.push_back(report);
64 }
65
66 size_t countTotal() const
67 {
68 return moduleReports.size();
69 }
70
71 bool isFilled() const
72 {
73 if (countTotal()) return true;
74 if (this->minidumpPath.length()) return true;
75 return false;
76 }
77
78 size_t countDumped() const
79 {
80 size_t dumped = 0;
81 std::vector<ModuleDumpReport*>::const_iterator itr = moduleReports.begin();
82 for (; itr != moduleReports.end(); ++itr) {
83 ModuleDumpReport* module = *itr;
84 if (module->isDumped) {
85 dumped++;
86 }
87 }
88 return dumped;
89 }
90
91 virtual bool toJSON(std::stringstream &stream, size_t level) const;
92
93 DWORD getPid() const { return pid; }
94
95 std::string outputDir;
96 std::string minidumpPath;
97
98 protected:
99
100 std::string list_dumped_modules(size_t level) const;
101
102 void deleteModuleReports()
103 {
104 std::vector<ModuleDumpReport*>::iterator itr = moduleReports.begin();
105 for (; itr != moduleReports.end(); ++itr) {
106 ModuleDumpReport* module = *itr;
107 delete module;
108 }
109 moduleReports.clear();
110 }
111
112 DWORD pid;
113 std::vector<ModuleDumpReport*> moduleReports;
114
115 friend class ResultsDumper;
116 };
117
118};
119
pesieve::ModuleDumpReport::notRecoveredFileName
std::string notRecoveredFileName
Definition dump_report.h:42
pesieve::ModuleDumpReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level)
Definition dump_report.cpp:7
pesieve::ModuleDumpReport::ModuleDumpReport
ModuleDumpReport(ULONGLONG module_start, size_t module_size)
Definition dump_report.h:20
pesieve::ModuleDumpReport::patternsTagFileName
std::string patternsTagFileName
Definition dump_report.h:40
pesieve::ProcessDumpReport
The report aggregating the results of the performed dumps.
Definition dump_report.h:48
pesieve::ProcessDumpReport::toJSON
virtual bool toJSON(std::stringstream &stream, size_t level) const
Definition dump_report.cpp:59
pesieve::ProcessDumpReport::moduleReports
std::vector< ModuleDumpReport * > moduleReports
Definition dump_report.h:113
pesieve::ProcessDumpReport::list_dumped_modules
std::string list_dumped_modules(size_t level) const
Definition dump_report.cpp:89
pesieve::ProcessDumpReport::countTotal
size_t countTotal() const
Definition dump_report.h:66
pesieve::ProcessDumpReport::countDumped
size_t countDumped() const
Definition dump_report.h:78
pesieve::ProcessDumpReport::appendReport
void appendReport(ModuleDumpReport *report)
Definition dump_report.h:60
path_converter.h
path_util.h
report
Final summary about the scanned process.
Definition pe_sieve_types.h:137
Generated by doxygen 1.10.0