PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
module_scan_report.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include <iostream>
6#include <sstream>
7#include <string>
8#include <vector>
9
10#include <peconv.h>
11#include "pe_sieve_types.h"
12
13#include "../utils/path_util.h"
14#include "../utils/format_util.h"
15
16namespace pesieve {
17
23
25 class ModuleScanReport
26 {
27 public:
28 static const size_t JSON_LEVEL = 1;
29
30 static t_scan_status get_scan_status(const ModuleScanReport *report)
31 {
32 if (report == nullptr) {
33 return SCAN_ERROR;
34 }
35 return report->status;
36 }
37
38 ModuleScanReport(HMODULE _module, size_t _moduleSize, t_scan_status _status)
39 {
40 this->module = _module;
41 this->moduleSize = _moduleSize;
42 this->status = _status;
43 this->isDotNetModule = false;
44 }
45
46 ModuleScanReport(HMODULE _module, size_t _moduleSize)
47 {
48 this->module = _module;
49 this->moduleSize = _moduleSize;
50 this->isDotNetModule = false;
51 this->status = SCAN_NOT_SUSPICIOUS;
52 }
53
54 virtual ~ModuleScanReport() {}
55
56 virtual ULONGLONG getRelocBase()
57 {
58 return (ULONGLONG)this->module;
59 }
60
61 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC) = 0;
62
63 HMODULE module;
64 size_t moduleSize;
65 bool isDotNetModule;
66 std::string moduleFile;
67 t_scan_status status;
68
69 protected:
70 const virtual bool _toJSON(std::stringstream& outs, size_t level = JSON_LEVEL, const pesieve::t_json_level& jdetails = JSON_BASIC)
71 {
72 OUT_PADDED(outs, level, "\"module\" : ");
73 outs << "\"" << std::hex << (ULONGLONG)module << "\"" << ",\n";
74 if (moduleSize){
75 OUT_PADDED(outs, level, "\"module_size\" : ");
76 outs << "\"" << std::hex << (ULONGLONG)moduleSize << "\"" << ",\n";
77 }
78 if (moduleFile.length()) {
79 OUT_PADDED(outs, level, "\"module_file\" : ");
80 outs << "\"" << pesieve::util::escape_path_separators(moduleFile) << "\"" << ",\n";
81 }
82 OUT_PADDED(outs, level, "\"status\" : ");
83 outs << std::dec << status;
84 if (isDotNetModule) {
85 outs << ",\n";
86 OUT_PADDED(outs, level, "\"is_dot_net\" : \"");
87 outs << isDotNetModule << "\"";
88 }
89 return true;
90 }
91
92 };
93
94 class UnreachableModuleReport : public ModuleScanReport
95 {
96 public:
102
103 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
104 {
105 OUT_PADDED(outs, level, "\"unreachable_scan\" : ");
106 outs << "{\n";
107 ModuleScanReport::_toJSON(outs, level + 1);
108 outs << "\n";
109 OUT_PADDED(outs, level, "}");
110 return true;
111 }
112 };
113
114 class SkippedModuleReport : public ModuleScanReport
115 {
116 public:
122
123 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
124 {
125 OUT_PADDED(outs, level, "\"skipped_scan\" : ");
126 outs << "{\n";
127 ModuleScanReport::_toJSON(outs, level + 1);
128 outs << "\n";
129 OUT_PADDED(outs, level, "}");
130 return true;
131 }
132 };
133
134 class MalformedHeaderReport : public ModuleScanReport
135 {
136 public:
142
143 const virtual bool toJSON(std::stringstream &outs, size_t level = JSON_LEVEL, const pesieve::t_json_level &jdetails = JSON_BASIC)
144 {
145 OUT_PADDED(outs, level, "\"malformed_header\" : ");
146 outs << "{\n";
147 ModuleScanReport::_toJSON(outs, level + 1);
148 outs << "\n";
149 OUT_PADDED(outs, level, "}");
150 return true;
151 }
152 };
153
154}; //namespace pesieve
pesieve::MalformedHeaderReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:143
pesieve::MalformedHeaderReport::MalformedHeaderReport
MalformedHeaderReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:137
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ModuleScanReport::_toJSON
virtual const bool _toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:70
pesieve::ModuleScanReport::getRelocBase
virtual ULONGLONG getRelocBase()
Definition module_scan_report.h:56
pesieve::ModuleScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)=0
pesieve::ModuleScanReport::JSON_LEVEL
static const size_t JSON_LEVEL
Definition module_scan_report.h:28
pesieve::ModuleScanReport::get_scan_status
static t_scan_status get_scan_status(const ModuleScanReport *report)
Definition module_scan_report.h:30
pesieve::ModuleScanReport::ModuleScanReport
ModuleScanReport(HMODULE _module, size_t _moduleSize, t_scan_status _status)
Definition module_scan_report.h:38
pesieve::ModuleScanReport::ModuleScanReport
ModuleScanReport(HMODULE _module, size_t _moduleSize)
Definition module_scan_report.h:46
pesieve::SkippedModuleReport::SkippedModuleReport
SkippedModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:117
pesieve::SkippedModuleReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:123
pesieve::UnreachableModuleReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)
Definition module_scan_report.h:103
pesieve::UnreachableModuleReport::UnreachableModuleReport
UnreachableModuleReport(HMODULE _module, size_t _moduleSize, std::string _moduleFile)
Definition module_scan_report.h:97
pesieve.t_json_level
Definition pesieve.py:82
format_util.h
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
pesieve::util::escape_path_separators
std::string escape_path_separators(std::string path)
Definition path_util.cpp:27
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
path_util.h
pe_sieve_types.h
The types used by PE-sieve API.
JSON_BASIC
@ JSON_BASIC
basic
Definition pe_sieve_types.h:93
report
Final summary about the scanned process.
Definition pe_sieve_types.h:137
Generated by doxygen 1.10.0