pe-sieve/main_8cpp_source.html

#include <windows.h>

#include <psapi.h>

#include <sstream>

#include <fstream>


#include "pe_sieve.h"

#include "params.h"


#include "utils/process_privilege.h"

#include "params_info/pe_sieve_params_info.h"

#include "utils/process_reflection.h"

#include "utils/console_color.h"

#include "color_scheme.h"


using namespace pesieve;

using namespace pesieve::util;


void print_report(const pesieve::ReportEx& report, const t_params args)

{

    if (!report.scan_report) return;


    std::string report_str;

    if (args.json_output) {

        report_str = report_to_json(report, pesieve::REPORT_ALL, args.results_filter, args.json_lvl);

    } else {

        report_str = scan_report_to_string(*report.scan_report);

    }

    //summary:

    std::cout << report_str;

    if (!args.json_output) {

        std::cout << "---" << std::endl;

    }

}


void free_params(t_params &args)

{

    free_strparam(args.modules_ignored);

    free_strparam(args.pattern_file);

}


int main(int argc, char *argv[])

{

    t_params args = { 0 };

    args.results_filter = SHOW_SUSPICIOUS;


    PEsieveParams uParams(PESIEVE_VERSION_STR);

    if (argc < 2) {

        uParams.printBanner();

        uParams.printBriefInfo();

        system("pause");

        return PESIEVE_INFO;

    }

    if (!uParams.parse(argc, argv)) {

        return PESIEVE_INFO;

    }

    uParams.fillStruct(args);

    //---

    // if scanning of inaccessible pages was requested, auto-enable reflection mode:

    if (args.data == pesieve::PE_DATA_SCAN_INACCESSIBLE || args.data == pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY) {

        if (!args.make_reflection) {

            args.make_reflection = true;

            if (!args.quiet) {

                paramkit::print_in_color(paramkit::WARNING_COLOR, "[WARNING] Scanning of inaccessible pages requested: auto-enabled reflection mode!\n");

            }

        }

    }

    //print info about current settings:

    if (!args.quiet) {

        std::cout << "PID: " << args.pid << std::endl;

        std::cout << "Output filter: " << translate_out_filter(args.out_filter) << std::endl;

        std::cout << "Dump mode: " << translate_dump_mode(args.dump_mode) << std::endl;

    }


    pesieve::ReportEx* report = pesieve::scan_and_dump(args);

    t_pesieve_res res = PESIEVE_ERROR;

    if (report != nullptr) {

        print_report(*report, args);

        if (report->scan_report) {

            pesieve::t_report summary = report->scan_report->generateSummary();

            if (summary.scanned > 0) {

                res = (summary.suspicious > 0) ? PESIEVE_DETECTED : PESIEVE_NOT_DETECTED;

            }

        }

        delete report;

        report = nullptr;

    }


    free_params(args);

#ifdef _DEBUG

    system("pause");

#endif

    return res;

}


PEsieveParams
Definition params.h:59

PEsieveParams::printBanner
void printBanner()
Definition params.h:299

PEsieveParams::fillStruct
void fillStruct(t_params &ps)
Definition params.h:270

pesieve::ReportEx
The final report about the actions performed on the process: scanning and dumping.
Definition pe_sieve_report.h:29

pesieve.t_params
Definition pesieve.py:100

pesieve.t_report
Definition pesieve.py:123

color_scheme.h

console_color.h

main
int main(int argc, char *argv[])
Definition main.cpp:48

print_report
void print_report(const pesieve::ReportEx &report, const t_params args)
Definition main.cpp:25

free_params
void free_params(t_params &args)
Definition main.cpp:42

pesieve::util
Definition artefact_scanner.cpp:12

pesieve
Definition pesieve.py:1

pesieve::scan_report_to_string
std::string scan_report_to_string(const ProcessScanReport &report)
Definition report_formatter.cpp:7

pesieve::translate_dump_mode
std::string translate_dump_mode(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:7

pesieve::report_to_json
std::string report_to_json(const ReportEx &report, const t_report_type rtype, t_results_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0)
Definition report_formatter.cpp:106

pesieve::translate_out_filter
std::string translate_out_filter(const pesieve::t_output_filter o_filter)
Definition pe_sieve_params_info.cpp:37

pesieve::scan_and_dump
ReportEx * scan_and_dump(IN const pesieve::t_params args)
The main action performed by PE-sieve: scanning the process and dumping the detected material.
Definition pe_sieve.cpp:198

params.h

free_strparam
void free_strparam(PARAM_STRING &strparam)
Definition params.h:51

pe_sieve.h
The root of the PE-sieve scanner.

pe_sieve_params_info.h

t_pesieve_res
t_pesieve_res
Definition pe_sieve_return_codes.h:9

PESIEVE_NOT_DETECTED
@ PESIEVE_NOT_DETECTED
the process was scanned successfuly, and NO suspicious indicators are detected
Definition pe_sieve_return_codes.h:12

PESIEVE_DETECTED
@ PESIEVE_DETECTED
the process was scanned successfuly, and some suspicious indicators are detected
Definition pe_sieve_return_codes.h:13

PESIEVE_ERROR
@ PESIEVE_ERROR
the scan has failed, PE-sieve returned an error
Definition pe_sieve_return_codes.h:10

PESIEVE_INFO
@ PESIEVE_INFO
PE-sieve was deployed in the info mode (i.e. displaying help)
Definition pe_sieve_return_codes.h:11

SHOW_SUSPICIOUS
@ SHOW_SUSPICIOUS
Definition pe_sieve_types.h:34

PESIEVE_VERSION_STR
#define PESIEVE_VERSION_STR
Definition pe_sieve_ver_short.h:8

process_privilege.h

process_reflection.h

report
Final summary about the scanned process.
Definition pe_sieve_types.h:150