PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
module_scan_report.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include <iostream>
6#include <sstream>
7#include <string>
8#include <vector>
9
10#include <peconv.h>
11#include "pe_sieve_types.h"
12
13#include "../utils/path_util.h"
14#include "../utils/format_util.h"
15
16namespace pesieve {
17
23
25 class ModuleScanReport
26 {
27 public:
28 static const size_t JSON_LEVEL = 1;
29
30 static t_scan_status get_scan_status(const ModuleScanReport *report)
31 {
32 if (report == nullptr) {
33 return SCAN_ERROR;
34 }
35 return report->status;
36 }
37
38
39 ModuleScanReport(HMODULE _module, size_t _moduleSize, t_scan_status _status = SCAN_NOT_SUSPICIOUS)
40 : module(_module), moduleSize(_moduleSize), isDotNetModule(false),
41 origBase(0), relocBase((ULONGLONG)_module),
42 status(_status)
43 {
44 }
45
46 virtual ~ModuleScanReport() {}
47
48 virtual ULONGLONG getRelocBase()
49 {
50 return (ULONGLONG)this->module;
51 }
52
53 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC) = 0;
54
55 HMODULE module;
56 size_t moduleSize;
57 bool isDotNetModule;
58 std::string moduleFile;
59 ULONGLONG origBase;
60 ULONGLONG relocBase;
61 t_scan_status status;
62
63 protected:
64 const virtual bool _toJSON(std::stringstream& outs, size_t level = JSON_LEVEL, const pesieve::t_json_level& jdetails = JSON_BASIC)
65 {
66 if (module) {
67 OUT_PADDED(outs, level, "\"module\" : ");
68 outs << "\"" << std::hex << (ULONGLONG)module << "\"" << ",\n";
69 if (moduleSize) {
70 OUT_PADDED(outs, level, "\"module_size\" : ");
71 outs << "\"" << std::hex << (ULONGLONG)moduleSize << "\"" << ",\n";
72 }
73 }
74#ifdef _DEBUG
75 if (origBase) {
76 OUT_PADDED(outs, level, "\"original_base\" : ");
77 outs << std::hex << "\"" << origBase << "\"" << ",\n";
78 }
79#endif //_DEBUG
80 if (relocBase != (ULONGLONG)module) {
81 OUT_PADDED(outs, level, "\"reloc_base\" : ");
82 outs << std::hex << "\"" << relocBase << "\"" << ",\n";
83 }
84 if (moduleFile.length()) {
85 OUT_PADDED(outs, level, "\"module_file\" : ");
86 outs << "\"" << pesieve::util::escape_path_separators(moduleFile) << "\"" << ",\n";
87 }
88 OUT_PADDED(outs, level, "\"status\" : ");
89 outs << std::dec << status;
90 if (isDotNetModule) {
91 outs << ",\n";
92 OUT_PADDED(outs, level, "\"is_dot_net\" : \"");
93 outs << isDotNetModule << "\"";
94 }
95 return true;
96 }
97
98 };
99
100 class UnreachableModuleReport : public ModuleScanReport
101 {
102 public:
103 UnreachableModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
104 : ModuleScanReport(_module, _moduleSize, SCAN_ERROR)
105 {
106 moduleFile = _moduleFile;
107 }
108
109 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
110 {
111 OUT_PADDED(outs, level, "\"unreachable_scan\" : ");
112 outs << "{\n";
113 ModuleScanReport::_toJSON(outs, level + 1);
114 outs << "\n";
115 OUT_PADDED(outs, level, "}");
116 return true;
117 }
118 };
119
120 class SkippedModuleReport : public ModuleScanReport
121 {
122 public:
123 SkippedModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
124 : ModuleScanReport(_module, _moduleSize, SCAN_NOT_SUSPICIOUS)
125 {
126 moduleFile = _moduleFile;
127 }
128
129 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
130 {
131 OUT_PADDED(outs, level, "\"skipped_scan\" : ");
132 outs << "{\n";
133 ModuleScanReport::_toJSON(outs, level + 1);
134 outs << "\n";
135 OUT_PADDED(outs, level, "}");
136 return true;
137 }
138 };
139
140 class MalformedHeaderReport : public ModuleScanReport
141 {
142 public:
143 MalformedHeaderReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
144 : ModuleScanReport(_module, _moduleSize, SCAN_SUSPICIOUS)
145 {
146 moduleFile = _moduleFile;
147 }
148
149 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
150 {
151 OUT_PADDED(outs, level, "\"malformed_header\" : ");
152 outs << "{\n";
153 ModuleScanReport::_toJSON(outs, level + 1);
154 outs << "\n";
155 OUT_PADDED(outs, level, "}");
156 return true;
157 }
158 };
159
160}; //namespace pesieve
pesieve::MalformedHeaderReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:149
pesieve::MalformedHeaderReport::MalformedHeaderReport
MalformedHeaderReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:143
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ModuleScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:64
pesieve::ModuleScanReport::getRelocBase
virtual ULONGLONG getRelocBase()
Definition module_scan_report.h:48
pesieve::ModuleScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)=0
pesieve::ModuleScanReport::ModuleScanReport
ModuleScanReport(HMODULE _module, size_t _moduleSize, t_scan_status _status=SCAN_NOT_SUSPICIOUS)
Definition module_scan_report.h:39
pesieve::ModuleScanReport::JSON_LEVEL
static const size_t JSON_LEVEL
Definition module_scan_report.h:28
pesieve::ModuleScanReport::get_scan_status
static t_scan_status get_scan_status(const ModuleScanReport *report)
Definition module_scan_report.h:30
pesieve::SkippedModuleReport::SkippedModuleReport
SkippedModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:123
pesieve::SkippedModuleReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:129
pesieve::UnreachableModuleReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:109
pesieve::UnreachableModuleReport::UnreachableModuleReport
UnreachableModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:103
pesieve.t_json_level
Definition pesieve.py:82
format_util.h
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
pesieve::util::escape_path_separators
std::string escape_path_separators(std::string path)
Definition path_util.cpp:27
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
path_util.h
pe_sieve_types.h
The types used by PE-sieve API.
JSON_BASIC
@ JSON_BASIC
basic
Definition pe_sieve_types.h:104
report
Final summary about the scanned process.
Definition pe_sieve_types.h:150
Generated by doxygen 1.12.0