PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
module_scan_report.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include <iostream>
6#include <sstream>
7#include <string>
8#include <vector>
9
10#include <peconv.h>
11#include "pe_sieve_types.h"
12
13#include "../utils/path_util.h"
14#include "../utils/format_util.h"
15
16namespace pesieve {
17
23
25 class ElementScanReport
26 {
27 public:
28 ElementScanReport(t_scan_status _status = SCAN_NOT_SUSPICIOUS)
29 : status(_status)
30 {
31 }
32
33 static const size_t JSON_LEVEL = 1;
34
35 static t_scan_status get_scan_status(const ElementScanReport* report)
36 {
37 if (report == nullptr) {
38 return SCAN_ERROR;
39 }
40 return report->status;
41 }
42
43 t_scan_status status;
44
45 protected:
46 const virtual bool _toJSON(std::stringstream& outs, size_t level = JSON_LEVEL, const pesieve::t_json_level& jdetails = JSON_BASIC)
47 {
48 OUT_PADDED(outs, level, "\"status\" : ");
49 outs << std::dec << status;
50 return true;
51 }
52 };
53
55 class ModuleScanReport : public ElementScanReport
56 {
57 public:
58 ModuleScanReport(HMODULE _module, size_t _moduleSize, t_scan_status _status = SCAN_NOT_SUSPICIOUS)
59 : ElementScanReport(_status),
60 module(_module), moduleSize(_moduleSize), isDotNetModule(false),
61 origBase(0), relocBase((ULONGLONG)_module)
62 {
63 }
64
65 virtual ~ModuleScanReport() {}
66
67 virtual ULONGLONG getRelocBase()
68 {
69 return (ULONGLONG)this->module;
70 }
71
72 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC) = 0;
73
74 HMODULE module;
75 size_t moduleSize;
76 bool isDotNetModule;
77 std::string moduleFile;
78 ULONGLONG origBase;
79 ULONGLONG relocBase;
80
81 protected:
82 const virtual bool _toJSON(std::stringstream& outs, size_t level = JSON_LEVEL, const pesieve::t_json_level& jdetails = JSON_BASIC)
83 {
84 ElementScanReport::_toJSON(outs, level, jdetails);
85 if (module) {
86 outs << ",\n";
87 OUT_PADDED(outs, level, "\"module\" : ");
88 outs << "\"" << std::hex << (ULONGLONG)module << "\"";
89 if (moduleSize) {
90 outs << ",\n";
91 OUT_PADDED(outs, level, "\"module_size\" : ");
92 outs << "\"" << std::hex << (ULONGLONG)moduleSize << "\"";
93 }
94 }
95#ifdef _DEBUG
96 if (origBase) {
97 outs << ",\n";
98 OUT_PADDED(outs, level, "\"original_base\" : ");
99 outs << std::hex << "\"" << origBase << "\"";
100 }
101#endif //_DEBUG
102 if (relocBase && relocBase != (ULONGLONG)module) {
103 outs << ",\n";
104 OUT_PADDED(outs, level, "\"reloc_base\" : ");
105 outs << std::hex << "\"" << relocBase << "\"";
106 }
107 if (moduleFile.length()) {
108 outs << ",\n";
109 OUT_PADDED(outs, level, "\"module_file\" : ");
110 outs << "\"" << pesieve::util::escape_path_separators(moduleFile) << "\"";
111 }
112 if (isDotNetModule) {
113 outs << ",\n";
114 OUT_PADDED(outs, level, "\"is_dot_net\" : \"");
115 outs << isDotNetModule << "\"";
116 }
117 return true;
118 }
119
120 };
121
122 class UnreachableModuleReport : public ModuleScanReport
123 {
124 public:
125 UnreachableModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
126 : ModuleScanReport(_module, _moduleSize, SCAN_ERROR)
127 {
128 moduleFile = _moduleFile;
129 }
130
131 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
132 {
133 OUT_PADDED(outs, level, "\"unreachable_scan\" : ");
134 outs << "{\n";
135 ModuleScanReport::_toJSON(outs, level + 1);
136 outs << "\n";
137 OUT_PADDED(outs, level, "}");
138 return true;
139 }
140 };
141
142 class SkippedModuleReport : public ModuleScanReport
143 {
144 public:
145 SkippedModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
146 : ModuleScanReport(_module, _moduleSize, SCAN_NOT_SUSPICIOUS)
147 {
148 moduleFile = _moduleFile;
149 }
150
151 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
152 {
153 OUT_PADDED(outs, level, "\"skipped_scan\" : ");
154 outs << "{\n";
155 ModuleScanReport::_toJSON(outs, level + 1);
156 outs << "\n";
157 OUT_PADDED(outs, level, "}");
158 return true;
159 }
160 };
161
162 class MalformedHeaderReport : public ModuleScanReport
163 {
164 public:
165 MalformedHeaderReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
166 : ModuleScanReport(_module, _moduleSize, SCAN_SUSPICIOUS)
167 {
168 moduleFile = _moduleFile;
169 }
170
171 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
172 {
173 OUT_PADDED(outs, level, "\"malformed_header\" : ");
174 outs << "{\n";
175 ModuleScanReport::_toJSON(outs, level + 1);
176 outs << "\n";
177 OUT_PADDED(outs, level, "}");
178 return true;
179 }
180 };
181
182}; //namespace pesieve
pesieve::ElementScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:46
pesieve::ElementScanReport::JSON_LEVEL
static const size_t JSON_LEVEL
Definition module_scan_report.h:33
pesieve::ElementScanReport::get_scan_status
static t_scan_status get_scan_status(const ElementScanReport *report)
Definition module_scan_report.h:35
pesieve::ElementScanReport::ElementScanReport
ElementScanReport(t_scan_status _status=SCAN_NOT_SUSPICIOUS)
Definition module_scan_report.h:28
pesieve::MalformedHeaderReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:171
pesieve::MalformedHeaderReport::MalformedHeaderReport
MalformedHeaderReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:165
pesieve::ModuleScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:82
pesieve::ModuleScanReport::getRelocBase
virtual ULONGLONG getRelocBase()
Definition module_scan_report.h:67
pesieve::ModuleScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)=0
pesieve::ModuleScanReport::ModuleScanReport
ModuleScanReport(HMODULE _module, size_t _moduleSize, t_scan_status _status=SCAN_NOT_SUSPICIOUS)
Definition module_scan_report.h:58
pesieve::SkippedModuleReport::SkippedModuleReport
SkippedModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:145
pesieve::SkippedModuleReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:151
pesieve::UnreachableModuleReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:131
pesieve::UnreachableModuleReport::UnreachableModuleReport
UnreachableModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:125
pesieve.t_json_level
Definition pesieve.py:83
format_util.h
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
pesieve::util::escape_path_separators
std::string escape_path_separators(std::string path)
Definition path_util.cpp:27
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
path_util.h
pe_sieve_types.h
The types used by PE-sieve API.
JSON_BASIC
@ JSON_BASIC
basic
Definition pe_sieve_types.h:104
report
Final summary about the scanned process.
Definition pe_sieve_types.h:151
Generated by doxygen 1.17.0