PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
mapping_scanner.h
Go to the documentation of this file.
1
2#pragma once
3
4#include <windows.h>
5
6#include "module_scanner.h"
7#include "../utils/path_util.h"
8#include "process_feature_scanner.h"
9
10namespace pesieve {
11
12 class MappingScanReport : public ModuleScanReport
13 {
14 public:
19
20 const virtual void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
21 {
22 OUT_PADDED(outs, level, "\"module\" : ");
23 outs << "\"" << std::hex << (ULONGLONG)module << "\"" << ",\n";
24
25 OUT_PADDED(outs, level, "\"module_file\" : \"" << pesieve::util::escape_path_separators(this->moduleFile) << "\"");
26 outs << ",\n";
27 OUT_PADDED(outs, level, "\"mapped_file\" : \"" << pesieve::util::escape_path_separators(this->mappedFile) << "\"");
28
29 outs << ",\n";
30 OUT_PADDED(outs, level, "\"status\" : ");
31 outs << std::dec << status;
32 }
33
34 const virtual bool toJSON(std::stringstream& outs, size_t level, const pesieve::t_json_level &jdetails)
35 {
36 OUT_PADDED(outs, level, "\"mapping_scan\" : ");
37 outs << "{\n";
38 fieldsToJSON(outs, level + 1, jdetails);
39 outs << "\n";
40 OUT_PADDED(outs, level, "}");
41 return true;
42 }
43
44 std::string mappedFile;
45 };
46
47
60
61}; //namespace pesieve
pesieve::MappingScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition mapping_scanner.h:34
pesieve::MappingScanReport::MappingScanReport
MappingScanReport(HMODULE _module, size_t _moduleSize)
Definition mapping_scanner.h:15
pesieve::MappingScanReport::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level, const pesieve::t_json_level &jdetails)
Definition mapping_scanner.h:20
pesieve::MappingScanner
A scanner for detection of inconsistencies in mapping. Checks if the mapped file name is different th...
Definition mapping_scanner.h:49
pesieve::MappingScanner::MappingScanner
MappingScanner(HANDLE hProc, ModuleData &moduleData)
Definition mapping_scanner.h:51
pesieve::MappingScanner::scanRemote
virtual MappingScanReport * scanRemote()
Definition mapping_scanner.cpp:8
pesieve::ModuleData
Loads a module from the disk, corresponding to the module in the scanned process' memory.
Definition module_data.h:15
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ProcessFeatureScanner
A base class for all the scanners checking appropriate process' features.
Definition process_feature_scanner.h:12
pesieve.t_json_level
Definition pesieve.py:82
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
module_scanner.h
pesieve::util::escape_path_separators
std::string escape_path_separators(std::string path)
Definition path_util.cpp:27
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
path_util.h
process_feature_scanner.h
Generated by doxygen 1.10.0