PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
main.cpp
Go to the documentation of this file.
1
5
6#include <windows.h>
7#include <psapi.h>
8#include <sstream>
9#include <fstream>
10
11#include "pe_sieve.h"
12#include "params.h"
13
14#include "utils/process_privilege.h"
15#include "params_info/pe_sieve_params_info.h"
16#include "utils/process_reflection.h"
17#include "utils/console_color.h"
18#include "color_scheme.h"
19
20
21using namespace pesieve;
22using namespace pesieve::util;
23
24
25void print_report(const pesieve::ReportEx& report, const t_params args)
26{
27 if (!report.scan_report) return;
28
29 std::string report_str;
30 if (args.json_output) {
31 report_str = report_to_json(report, pesieve::REPORT_ALL, args.results_filter, args.json_lvl);
32 } else {
33 report_str = scan_report_to_string(*report.scan_report);
34 }
35 //summary:
36 std::cout << report_str;
37 if (!args.json_output) {
38 std::cout << "---" << std::endl;
39 }
40}
41
42void free_params(t_params &args)
43{
44 free_strparam(args.modules_ignored);
45 free_strparam(args.pattern_file);
46}
47
48int main(int argc, char *argv[])
49{
50 SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS);
51
52 t_params args = { 0 };
53 args.results_filter = SHOW_SUSPICIOUS;
54
55 PEsieveParams uParams(PESIEVE_VERSION_STR);
56 if (argc < 2) {
57 uParams.printBanner();
58 uParams.printBriefInfo();
59 system("pause");
60 return PESIEVE_INFO;
61 }
62 if (!uParams.parse(argc, argv)) {
63 return PESIEVE_INFO;
64 }
65 uParams.fillStruct(args);
66 //---
67 // if scanning of inaccessible pages was requested, auto-enable reflection mode:
68 if (args.data == pesieve::PE_DATA_SCAN_INACCESSIBLE || args.data == pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY) {
69 if (!args.make_reflection) {
70 args.make_reflection = true;
71 if (!args.quiet) {
72 paramkit::print_in_color(paramkit::WARNING_COLOR, "[WARNING] Scanning of inaccessible pages requested: auto-enabled reflection mode!\n");
73 }
74 }
75 }
76 //print info about current settings:
77 if (!args.quiet) {
78 std::cout << "PID: " << args.pid << std::endl;
79 std::cout << "Output filter: " << translate_out_filter(args.out_filter) << std::endl;
80 std::cout << "Dump mode: " << translate_dump_mode(args.dump_mode) << std::endl;
81 }
82
83 pesieve::ReportEx* report = pesieve::scan_and_dump(args);
84 t_pesieve_res res = PESIEVE_ERROR;
85 if (report != nullptr) {
86 print_report(*report, args);
87 if (report->scan_report) {
88 pesieve::t_report summary = report->scan_report->generateSummary();
89 if (summary.scanned > 0) {
90 res = (summary.suspicious > 0) ? PESIEVE_DETECTED : PESIEVE_NOT_DETECTED;
91 }
92 }
93 delete report;
94 report = nullptr;
95 }
96
97 free_params(args);
98#ifdef _DEBUG
99 system("pause");
100#endif
101 return res;
102}
PEsieveParams::printBanner
void printBanner()
Definition params.h:308
PEsieveParams::fillStruct
void fillStruct(t_params &ps)
Definition params.h:277
pesieve::ReportEx
The final report about the actions performed on the process: scanning and dumping.
Definition pe_sieve_report.h:29
pesieve.t_params
Definition pesieve.py:110
pesieve.t_report
Definition pesieve.py:136
color_scheme.h
console_color.h
main
int main(int argc, char *argv[])
Definition main.cpp:48
print_report
void print_report(const pesieve::ReportEx &report, const t_params args)
Definition main.cpp:25
free_params
void free_params(t_params &args)
Definition main.cpp:42
pesieve::scan_report_to_string
std::string scan_report_to_string(const ProcessScanReport &report)
Definition report_formatter.cpp:7
pesieve::translate_dump_mode
std::string translate_dump_mode(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:7
pesieve::report_to_json
std::string report_to_json(const ReportEx &report, const t_report_type rtype, t_results_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0)
Definition report_formatter.cpp:106
pesieve::translate_out_filter
std::string translate_out_filter(const pesieve::t_output_filter o_filter)
Definition pe_sieve_params_info.cpp:37
pesieve::scan_and_dump
ReportEx * scan_and_dump(IN const pesieve::t_params args)
The main action performed by PE-sieve: scanning the process and dumping the detected material.
Definition pe_sieve.cpp:198
free_strparam
void free_strparam(PARAM_STRING &strparam)
Definition params.h:52
pe_sieve.h
The root of the PE-sieve scanner.
pe_sieve_params_info.h
t_pesieve_res
t_pesieve_res
Definition pe_sieve_return_codes.h:9
PESIEVE_NOT_DETECTED
@ PESIEVE_NOT_DETECTED
the process was scanned successfuly, and NO suspicious indicators are detected
Definition pe_sieve_return_codes.h:12
PESIEVE_DETECTED
@ PESIEVE_DETECTED
the process was scanned successfuly, and some suspicious indicators are detected
Definition pe_sieve_return_codes.h:13
PESIEVE_ERROR
@ PESIEVE_ERROR
the scan has failed, PE-sieve returned an error
Definition pe_sieve_return_codes.h:10
PESIEVE_INFO
@ PESIEVE_INFO
PE-sieve was deployed in the info mode (i.e. displaying help).
Definition pe_sieve_return_codes.h:11
SHOW_SUSPICIOUS
@ SHOW_SUSPICIOUS
report only suspicious
Definition pe_sieve_types.h:35
PESIEVE_VERSION_STR
#define PESIEVE_VERSION_STR
Definition pe_sieve_ver_short.h:8
process_privilege.h
process_reflection.h
report
Final summary about the scanned process.
Definition pe_sieve_types.h:151
Generated by doxygen 1.17.0