PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
main.cpp
Go to the documentation of this file.
1
6#include <windows.h>
7#include <psapi.h>
8#include <sstream>
9#include <fstream>
10
11#include "pe_sieve.h"
12#include "params.h"
13
14#include "utils/process_privilege.h"
15#include "params_info/pe_sieve_params_info.h"
16#include "utils/process_reflection.h"
17#include "utils/console_color.h"
18#include "color_scheme.h"
19
20
21using namespace pesieve;
22using namespace pesieve::util;
23
24
25void print_report(const pesieve::ReportEx& report, const t_params args)
26{
27 if (!report.scan_report) return;
28
29 std::string report_str;
30 if (args.json_output) {
31 report_str = report_to_json(report, pesieve::REPORT_ALL, ProcessScanReport::REPORT_SUSPICIOUS_AND_ERRORS, args.json_lvl);
32 } else {
33 report_str = scan_report_to_string(*report.scan_report);
34 }
35 //summary:
36 std::cout << report_str;
37 if (!args.json_output) {
38 std::cout << "---" << std::endl;
39 }
40}
41
42void free_params(t_params &args)
43{
44 free_strparam(args.modules_ignored);
45 free_strparam(args.pattern_file);
46}
47
48int main(int argc, char *argv[])
49{
50 t_params args = { 0 };
51
52 PEsieveParams uParams(PESIEVE_VERSION_STR);
53 if (argc < 2) {
54 uParams.printBanner();
55 uParams.printBriefInfo();
56 system("pause");
57 return PESIEVE_INFO;
58 }
59 if (!uParams.parse(argc, argv)) {
60 return PESIEVE_INFO;
61 }
62 uParams.fillStruct(args);
63 //---
64 // if scanning of inaccessible pages was requested, auto-enable reflection mode:
65 if (args.data == pesieve::PE_DATA_SCAN_INACCESSIBLE || args.data == pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY) {
66 if (!args.make_reflection) {
67 args.make_reflection = true;
68 if (!args.quiet) {
69 paramkit::print_in_color(paramkit::WARNING_COLOR, "[WARNING] Scanning of inaccessible pages requested: auto-enabled reflection mode!\n");
70 }
71 }
72 }
73 //print info about current settings:
74 if (!args.quiet) {
75 std::cout << "PID: " << args.pid << std::endl;
76 std::cout << "Output filter: " << translate_out_filter(args.out_filter) << std::endl;
77 std::cout << "Dump mode: " << translate_dump_mode(args.dump_mode) << std::endl;
78 }
79
80 pesieve::ReportEx* report = pesieve::scan_and_dump(args);
81 t_pesieve_res res = PESIEVE_ERROR;
82 if (report != nullptr) {
83 print_report(*report, args);
84
85 pesieve::t_report summary = report->scan_report->generateSummary();
86 if (summary.scanned > 0) {
87 res = (summary.suspicious > 0) ? PESIEVE_DETECTED : PESIEVE_NOT_DETECTED;
88 }
89 delete report;
90 report = nullptr;
91 }
92
93 free_params(args);
94#ifdef _DEBUG
95 system("pause");
96#endif
97 return res;
98}
PEsieveParams::printBanner
void printBanner()
Definition params.h:279
PEsieveParams::fillStruct
void fillStruct(t_params &ps)
Definition params.h:251
pesieve::ReportEx
The final report about the actions performed on the process: scanning and dumping.
Definition pe_sieve_report.h:17
pesieve.t_params
Definition pesieve.py:100
pesieve.t_report
Definition pesieve.py:123
color_scheme.h
console_color.h
main
int main(int argc, char *argv[])
Definition main.cpp:48
print_report
void print_report(const pesieve::ReportEx &report, const t_params args)
Definition main.cpp:25
free_params
void free_params(t_params &args)
Definition main.cpp:42
pesieve::scan_report_to_string
std::string scan_report_to_string(const ProcessScanReport &report)
Definition report_formatter.cpp:7
pesieve::translate_dump_mode
std::string translate_dump_mode(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:7
pesieve::translate_out_filter
std::string translate_out_filter(const pesieve::t_output_filter o_filter)
Definition pe_sieve_params_info.cpp:37
pesieve::report_to_json
std::string report_to_json(const pesieve::ReportEx &report, const t_report_type rtype, ProcessScanReport::t_report_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0)
Definition report_formatter.cpp:78
pesieve::scan_and_dump
ReportEx * scan_and_dump(IN const pesieve::t_params args)
The main action performed by PE-sieve: scanning the process and dumping the detected material.
Definition pe_sieve.cpp:197
free_strparam
void free_strparam(PARAM_STRING &strparam)
Definition params.h:49
pe_sieve.h
The root of the PE-sieve scanner.
pe_sieve_params_info.h
t_pesieve_res
t_pesieve_res
Definition pe_sieve_return_codes.h:9
PESIEVE_NOT_DETECTED
@ PESIEVE_NOT_DETECTED
the process was scanned successfuly, and NO suspicious indicators are detected
Definition pe_sieve_return_codes.h:12
PESIEVE_DETECTED
@ PESIEVE_DETECTED
the process was scanned successfuly, and some suspicious indicators are detected
Definition pe_sieve_return_codes.h:13
PESIEVE_ERROR
@ PESIEVE_ERROR
the scan has failed, PE-sieve returned an error
Definition pe_sieve_return_codes.h:10
PESIEVE_INFO
@ PESIEVE_INFO
PE-sieve was deployed in the info mode (i.e. displaying help)
Definition pe_sieve_return_codes.h:11
PESIEVE_VERSION_STR
#define PESIEVE_VERSION_STR
Definition pe_sieve_ver_short.h:8
process_privilege.h
process_reflection.h
report
Final summary about the scanned process.
Definition pe_sieve_types.h:137
Generated by doxygen 1.12.0