PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
params.h
Go to the documentation of this file.
1#pragma once
2#include <sstream>
3
4#include "pe_sieve.h"
5#include "params_info/pe_sieve_params_info.h"
6
7#include <paramkit.h>
8
9using namespace paramkit;
10using namespace pesieve;
11
12//scan options:
13#define PARAM_PID "pid"
14#define PARAM_SHELLCODE "shellc"
15#define PARAM_OBFUSCATED "obfusc"
16#define PARAM_THREADS "threads"
17#define PARAM_DATA "data"
18#define PARAM_IAT "iat"
19#define PARAM_MODULES_IGNORE "mignore"
20#define PARAM_REFLECTION "refl"
21#define PARAM_DOTNET_POLICY "dnet"
22
23//dump options:
24#define PARAM_IMP_REC "imp"
25#define PARAM_DUMP_MODE "dmode"
26#define PARAM_REBASE "rebase"
27//output options:
28#define PARAM_OUT_FILTER "ofilter"
29#define PARAM_RESULTS_FILTER "report"
30#define PARAM_QUIET "quiet"
31#define PARAM_JSON "json"
32#define PARAM_JSON_LVL "jlvl"
33#define PARAM_DIR "dir"
34#define PARAM_MINIDUMP "minidmp"
35#define PARAM_PATTERN "pattern"
36
37
38bool alloc_strparam(PARAM_STRING& strparam, ULONG len)
39{
40 if (strparam.buffer != nullptr) { // already allocated
41 return false;
42 }
43 strparam.buffer = (char*)calloc(len + 1, sizeof(char));
44 if (strparam.buffer) {
45 strparam.length = len;
46 return true;
47 }
48 return false;
49}
50
51void free_strparam(PARAM_STRING& strparam)
52{
53 free(strparam.buffer);
54 strparam.buffer = nullptr;
55 strparam.length = 0;
56}
57
58class PEsieveParams : public Params
59{
60public:
61 PEsieveParams(const std::string &version)
62 : Params(version)
63 {
64 this->addParam(new IntParam(PARAM_PID, true));
65 this->setInfo(PARAM_PID, "Set the PID of the target process.");
66
67 EnumParam *enumParam = new EnumParam(PARAM_IMP_REC, "imprec_mode", false);
68 if (enumParam) {
69 this->addParam(enumParam);
70 this->setInfo(PARAM_IMP_REC, "Set in which mode the ImportTable should be recovered");
71 for (size_t i = 0; i < PE_IMPREC_MODES_COUNT; i++) {
72 t_imprec_mode mode = (t_imprec_mode)(i);
73 enumParam->addEnumValue(mode, imprec_mode_to_id(mode), translate_imprec_mode(mode));
74 }
75 }
76
77 enumParam = new EnumParam(PARAM_OUT_FILTER, "ofilter_id", false);
78 if (enumParam) {
79 this->addParam(enumParam);
80 this->setInfo(PARAM_OUT_FILTER, "Filter the dumped output.");
81 for (size_t i = 0; i < OUT_FILTERS_COUNT; i++) {
82 t_output_filter mode = (t_output_filter)(i);
83 enumParam->addEnumValue(mode, translate_out_filter(mode));
84 }
85 }
86
87 enumParam = new EnumParam(PARAM_RESULTS_FILTER, "result_type", false);
88 if (enumParam) {
89 this->addParam(enumParam);
90 this->setInfo(PARAM_RESULTS_FILTER, "Define what type of results are reported.");
91 for (size_t i = SHOW_SUSPICIOUS; i < SHOW_FILTERS_COUNT; i++) {
92 t_results_filter mode = (t_results_filter)(i);
93 std::string info = translate_results_filter(mode);
94 if (info.empty()) continue;
95 enumParam->addEnumValue(mode, results_filter_to_id(i), info);
96 }
97 }
98
99 this->addParam(new StringListParam(PARAM_MODULES_IGNORE, false, PARAM_LIST_SEPARATOR));
100 {
101 std::stringstream ss1;
102 ss1 << "Do not scan module/s with given name/s.";
103 std::stringstream ss2;
104 ss2 << INFO_SPACER << "Example: kernel32.dll" << PARAM_LIST_SEPARATOR << "user32.dll";
105 this->setInfo(PARAM_MODULES_IGNORE, ss1.str(), ss2.str());
106 }
107
108 this->addParam(new BoolParam(PARAM_REBASE, false));
109 this->setInfo(PARAM_REBASE, "Rebase the module to its original base (if known).");
110
111 this->addParam(new BoolParam(PARAM_QUIET, false));
112 this->setInfo(PARAM_QUIET, "Print only the summary. Do not log on stdout during the scan.");
113
114 this->addParam(new BoolParam(PARAM_JSON, false));
115 this->setInfo(PARAM_JSON, "Print the JSON report as the summary.");
116 //
117 //PARAM_JSON_LVL
118 enumParam = new EnumParam(PARAM_JSON_LVL, "json_lvl", false);
119 if (enumParam) {
120 this->addParam(enumParam);
121 this->setInfo(PARAM_JSON_LVL, "Level of details of the JSON report.");
122 for (size_t i = 0; i < JSON_LVL_COUNT; i++) {
123 t_json_level mode = (t_json_level)(i);
124 enumParam->addEnumValue(mode, translate_json_level(mode));
125 }
126 }
127
128 this->addParam(new BoolParam(PARAM_MINIDUMP, false));
129 this->setInfo(PARAM_MINIDUMP, "Create a minidump of the full suspicious process.");
130
131 //PARAM_SHELLCODE
132 enumParam = new EnumParam(PARAM_SHELLCODE, "shellc_mode", false);
133 if (enumParam) {
134 this->addParam(enumParam);
135 this->setInfo(PARAM_SHELLCODE, "Detect shellcode implants (by patterns or statistics). ");
136 for (size_t i = 0; i < SHELLC_COUNT; i++) {
137 t_shellc_mode mode = (t_shellc_mode)(i);
138 enumParam->addEnumValue(mode, shellc_mode_mode_to_id(mode), translate_shellc_mode(mode));
139 }
140 }
141
142 this->addParam(new StringParam(PARAM_PATTERN, false));
143 this->setInfo(PARAM_PATTERN, "Set additional shellcode patterns (file in the SIG format).");
144
145 //PARAM_OBFUSCATED
146 enumParam = new EnumParam(PARAM_OBFUSCATED, "obfusc_mode", false);
147 if (enumParam) {
148 this->addParam(enumParam);
149 this->setInfo(PARAM_OBFUSCATED, "Detect encrypted content, and possible obfuscated shellcodes.");
150 for (size_t i = 0; i < OBFUSC_COUNT; i++) {
151 t_obfusc_mode mode = (t_obfusc_mode)(i);
152 enumParam->addEnumValue(mode, obfusc_mode_mode_to_id(mode), translate_obfusc_mode(mode));
153 }
154 }
155
156 //PARAM_THREADS
157 this->addParam(new BoolParam(PARAM_THREADS, false));
158 this->setInfo(PARAM_THREADS, "Scan threads' callstack. Detect shellcodes, incl. 'sleeping beacons'.");
159
160 //PARAM_REFLECTION
161 this->addParam(new BoolParam(PARAM_REFLECTION, false));
162 this->setInfo(PARAM_REFLECTION,
163 "Make a process reflection before scan.",
164 std::string(INFO_SPACER) + "This allows i.e. to force-read inaccessible pages."
165 );
166
167 //PARAM_IAT
168 enumParam = new EnumParam(PARAM_IAT, "iat_scan_mode", false);
169 if (enumParam) {
170 this->addParam(enumParam);
171 this->setInfo(PARAM_IAT, "Scan for IAT hooks.");
172 for (size_t i = 0; i < PE_IATS_MODES_COUNT; i++) {
173 t_iat_scan_mode mode = (t_iat_scan_mode)(i);
174 enumParam->addEnumValue(mode, translate_iat_scan_mode(mode));
175 }
176 }
177
178 //PARAM_DOTNET_POLICY
179 enumParam = new EnumParam(PARAM_DOTNET_POLICY, "dotnet_policy", false);
180 if (enumParam) {
181 this->addParam(enumParam);
182 this->setInfo(PARAM_DOTNET_POLICY, "Set the policy for scanning managed processes (.NET).");
183 for (size_t i = 0; i < PE_DNET_COUNT; i++) {
184 t_dotnet_policy mode = (t_dotnet_policy)(i);
185 enumParam->addEnumValue(mode, translate_dotnet_policy(mode));
186 }
187 }
188
189 //PARAM_DATA
190 enumParam = new EnumParam(PARAM_DATA, "data_scan_mode", false);
191 if (enumParam) {
192 this->addParam(enumParam);
193 this->setInfo(PARAM_DATA, "Set if non-executable pages should be scanned.");
194 for (size_t i = 0; i < PE_DATA_COUNT; i++) {
195 t_data_scan_mode mode = (t_data_scan_mode)(i);
196 enumParam->addEnumValue(mode, translate_data_mode(mode));
197 }
198 }
199
200 //PARAM_DUMP_MODE
201 enumParam = new EnumParam(PARAM_DUMP_MODE, "dump_mode", false);
202 if (enumParam) {
203 this->addParam(enumParam);
204 this->setInfo(PARAM_DUMP_MODE, "Set in which mode the detected PE files should be dumped.");
205 for (size_t i = 0; i < PE_DUMP_MODES_COUNT; i++) {
206 peconv::t_pe_dump_mode mode = (peconv::t_pe_dump_mode)(i);
207 enumParam->addEnumValue(mode, dump_mode_to_id(mode), translate_dump_mode(mode));
208 }
209 }
210
211 //PARAM_DIR
212 this->addParam(new StringParam(PARAM_DIR, false));
213 this->setInfo(PARAM_DIR, "Set a root directory for the output (default: current directory).");
214
215 //optional: group parameters
216 std::string str_group = "5. output options";
217 this->addGroup(new ParamGroup(str_group));
218 this->addParamToGroup(PARAM_DIR, str_group);
219 this->addParamToGroup(PARAM_JSON, str_group);
220 this->addParamToGroup(PARAM_JSON_LVL, str_group);
221 this->addParamToGroup(PARAM_OUT_FILTER, str_group);
222 this->addParamToGroup(PARAM_RESULTS_FILTER, str_group);
223
224 str_group = "1. scanner settings";
225 this->addGroup(new ParamGroup(str_group));
226 this->addParamToGroup(PARAM_QUIET, str_group);
227 this->addParamToGroup(PARAM_REFLECTION, str_group);
228
229 str_group = "3. scan options";
230 this->addGroup(new ParamGroup(str_group));
231 this->addParamToGroup(PARAM_DATA, str_group);
232 this->addParamToGroup(PARAM_IAT, str_group);
233 this->addParamToGroup(PARAM_SHELLCODE, str_group);
234 this->addParamToGroup(PARAM_OBFUSCATED, str_group);
235 this->addParamToGroup(PARAM_THREADS, str_group);
236 this->addParamToGroup(PARAM_PATTERN, str_group);
237
238 str_group = "4. dump options";
239 this->addGroup(new ParamGroup(str_group));
240 this->addParamToGroup(PARAM_MINIDUMP, str_group);
241 this->addParamToGroup(PARAM_IMP_REC, str_group);
242 this->addParamToGroup(PARAM_DUMP_MODE, str_group);
243 this->addParamToGroup(PARAM_REBASE, str_group);
244
245 str_group = "2. scan exclusions";
246 this->addGroup(new ParamGroup(str_group));
247 this->addParamToGroup(PARAM_DOTNET_POLICY, str_group);
248 this->addParamToGroup(PARAM_MODULES_IGNORE, str_group);
249 }
250
251 bool fillStringParam(const std::string &paramId, PARAM_STRING &strparam)
252 {
253 StringParam* myStr = dynamic_cast<StringParam*>(this->getParam(paramId));
254 if (!myStr || !myStr->isSet()) {
255 return false;
256 }
257 std::string val = myStr->valToString();
258 const size_t len = val.length();
259 if (!len) {
260 return false;
261 }
262 alloc_strparam(strparam, len);
263 bool is_copied = false;
264 if (strparam.buffer) {
265 is_copied = copyCStr<StringParam>(paramId, strparam.buffer, strparam.length);
266 }
267 return is_copied;
268 }
269
270 void fillStruct(t_params &ps)
271 {
272 copyVal<IntParam>(PARAM_PID, ps.pid);
273 copyVal<EnumParam>(PARAM_IMP_REC, ps.imprec_mode);
274 copyVal<EnumParam>(PARAM_OUT_FILTER, ps.out_filter);
275 copyVal<EnumParam>(PARAM_RESULTS_FILTER, ps.results_filter);
276
277 fillStringParam(PARAM_MODULES_IGNORE, ps.modules_ignored);
278 copyVal<BoolParam>(PARAM_REBASE, ps.rebase);
279 copyVal<BoolParam>(PARAM_QUIET, ps.quiet);
280 copyVal<BoolParam>(PARAM_JSON, ps.json_output);
281
282 copyVal<EnumParam>(PARAM_JSON_LVL, ps.json_lvl);
283
284 copyVal<BoolParam>(PARAM_MINIDUMP, ps.minidump);
285 copyVal<EnumParam>(PARAM_SHELLCODE, ps.shellcode);
286 copyVal<EnumParam>(PARAM_OBFUSCATED, ps.obfuscated);
287 copyVal<BoolParam>(PARAM_THREADS, ps.threads);
288 copyVal<BoolParam>(PARAM_REFLECTION, ps.make_reflection);
289
290 copyVal<EnumParam>(PARAM_IAT, ps.iat);
291 copyVal<EnumParam>(PARAM_DOTNET_POLICY, ps.dotnet_policy);
292 copyVal<EnumParam>(PARAM_DATA, ps.data);
293 copyVal<EnumParam>(PARAM_DUMP_MODE, ps.dump_mode);
294
295 copyCStr<StringParam>(PARAM_DIR, ps.output_dir, _countof(ps.output_dir));
296 fillStringParam(PARAM_PATTERN, ps.pattern_file);
297 }
298
299 void printBanner()
300 {
301 char logo[] = "\
302.______ _______ _______. __ ___________ ____ _______ \n\
303| _ \\ | ____| / || | | ____\\ \\ / / | ____|\n\
304| |_) | | |__ ______ | (----`| | | |__ \\ \\/ / | |__ \n\
305| ___/ | __| |______| \\ \\ | | | __| \\ / | __| \n\
306| | | |____ .----) | | | | |____ \\ / | |____ \n\
307| _| |_______| |_______/ |__| |_______| \\__/ |_______|\n";
308
309 char logo2[] = "\
310 _ _______ _______ __ _______ __ _______ \n";
311 char logo3[] = "\
312________________________________________________________________________\n";
313 paramkit::print_in_color(DARK_GREEN, logo);
314 paramkit::print_in_color(DARK_RED, logo2);
315 paramkit::print_in_color(DARK_RED, logo3);
316 std::cout << "\n";
317 std::cout << pesieve::info();
318 }
319
320};
PEsieveParams::printBanner
void printBanner()
Definition params.h:299
PEsieveParams::PEsieveParams
PEsieveParams(const std::string &version)
Definition params.h:61
PEsieveParams::fillStruct
void fillStruct(t_params &ps)
Definition params.h:270
PEsieveParams::fillStringParam
bool fillStringParam(const std::string &paramId, PARAM_STRING &strparam)
Definition params.h:251
pesieve.PARAM_STRING
Definition pesieve.py:94
pesieve.t_data_scan_mode
Definition pesieve.py:73
pesieve.t_dotnet_policy
Definition pesieve.py:65
pesieve.t_iat_scan_mode
Definition pesieve.py:58
pesieve.t_imprec_mode
Definition pesieve.py:42
pesieve.t_json_level
Definition pesieve.py:82
pesieve.t_obfusc_mode
Definition pesieve.py:35
pesieve.t_output_filter
Definition pesieve.py:21
pesieve.t_params
Definition pesieve.py:100
pesieve.t_shellc_mode
Definition pesieve.py:27
pesieve::shellc_mode_mode_to_id
std::string shellc_mode_mode_to_id(const pesieve::t_shellc_mode &mode)
Definition pe_sieve_params_info.cpp:165
pesieve::translate_iat_scan_mode
std::string translate_iat_scan_mode(const pesieve::t_iat_scan_mode mode)
Definition pe_sieve_params_info.cpp:226
pesieve::translate_data_mode
std::string translate_data_mode(const pesieve::t_data_scan_mode &mode)
Definition pe_sieve_params_info.cpp:133
pesieve::imprec_mode_to_id
std::string imprec_mode_to_id(const pesieve::t_imprec_mode imprec_mode)
Definition pe_sieve_params_info.cpp:96
pesieve::translate_obfusc_mode
std::string translate_obfusc_mode(const pesieve::t_obfusc_mode &mode)
Definition pe_sieve_params_info.cpp:197
pesieve::translate_dump_mode
std::string translate_dump_mode(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:7
pesieve::obfusc_mode_mode_to_id
std::string obfusc_mode_mode_to_id(const pesieve::t_obfusc_mode &mode)
Definition pe_sieve_params_info.cpp:212
pesieve::dump_mode_to_id
std::string dump_mode_to_id(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:22
pesieve::translate_json_level
std::string translate_json_level(const pesieve::t_json_level &mode)
Definition pe_sieve_params_info.cpp:152
pesieve::results_filter_to_id
std::string results_filter_to_id(const DWORD r_filter)
Definition pe_sieve_params_info.cpp:63
pesieve::translate_out_filter
std::string translate_out_filter(const pesieve::t_output_filter o_filter)
Definition pe_sieve_params_info.cpp:37
pesieve::info
std::string info()
The string with the basic information about the scanner.
Definition pe_sieve.cpp:274
pesieve::translate_imprec_mode
std::string translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode)
Definition pe_sieve_params_info.cpp:76
pesieve::translate_results_filter
std::string translate_results_filter(const pesieve::t_results_filter r_filter)
Definition pe_sieve_params_info.cpp:50
pesieve::translate_dotnet_policy
std::string translate_dotnet_policy(const pesieve::t_dotnet_policy &mode)
Definition pe_sieve_params_info.cpp:116
pesieve::translate_shellc_mode
std::string translate_shellc_mode(const pesieve::t_shellc_mode &mode)
Definition pe_sieve_params_info.cpp:180
PARAM_IAT
#define PARAM_IAT
Definition params.h:18
PARAM_RESULTS_FILTER
#define PARAM_RESULTS_FILTER
Definition params.h:29
PARAM_PATTERN
#define PARAM_PATTERN
Definition params.h:35
PARAM_MINIDUMP
#define PARAM_MINIDUMP
Definition params.h:34
PARAM_IMP_REC
#define PARAM_IMP_REC
Definition params.h:24
PARAM_OUT_FILTER
#define PARAM_OUT_FILTER
Definition params.h:28
PARAM_OBFUSCATED
#define PARAM_OBFUSCATED
Definition params.h:15
PARAM_JSON
#define PARAM_JSON
Definition params.h:31
PARAM_PID
#define PARAM_PID
Definition params.h:13
PARAM_REBASE
#define PARAM_REBASE
Definition params.h:26
PARAM_DOTNET_POLICY
#define PARAM_DOTNET_POLICY
Definition params.h:21
PARAM_DATA
#define PARAM_DATA
Definition params.h:17
PARAM_MODULES_IGNORE
#define PARAM_MODULES_IGNORE
Definition params.h:19
PARAM_QUIET
#define PARAM_QUIET
Definition params.h:30
alloc_strparam
bool alloc_strparam(PARAM_STRING &strparam, ULONG len)
Definition params.h:38
PARAM_THREADS
#define PARAM_THREADS
Definition params.h:16
PARAM_SHELLCODE
#define PARAM_SHELLCODE
Definition params.h:14
PARAM_JSON_LVL
#define PARAM_JSON_LVL
Definition params.h:32
PARAM_DIR
#define PARAM_DIR
Definition params.h:33
free_strparam
void free_strparam(PARAM_STRING &strparam)
Definition params.h:51
PARAM_DUMP_MODE
#define PARAM_DUMP_MODE
Definition params.h:25
PARAM_REFLECTION
#define PARAM_REFLECTION
Definition params.h:20
pe_sieve.h
The root of the PE-sieve scanner.
pe_sieve_params_info.h
PARAM_LIST_SEPARATOR
#define PARAM_LIST_SEPARATOR
Definition pe_sieve_types.h:10
t_results_filter
t_results_filter
Definition pe_sieve_types.h:30
SHOW_SUSPICIOUS
@ SHOW_SUSPICIOUS
Definition pe_sieve_types.h:34
SHOW_FILTERS_COUNT
@ SHOW_FILTERS_COUNT
Definition pe_sieve_types.h:38
t_shellc_mode
t_shellc_mode
Definition pe_sieve_types.h:41
SHELLC_COUNT
@ SHELLC_COUNT
Definition pe_sieve_types.h:47
t_data_scan_mode
t_data_scan_mode
Definition pe_sieve_types.h:93
PE_DATA_COUNT
@ PE_DATA_COUNT
Definition pe_sieve_types.h:100
PE_DUMP_MODES_COUNT
@ PE_DUMP_MODES_COUNT
Definition pe_sieve_types.h:73
t_iat_scan_mode
t_iat_scan_mode
Definition pe_sieve_types.h:76
PE_IATS_MODES_COUNT
@ PE_IATS_MODES_COUNT
Definition pe_sieve_types.h:81
t_output_filter
t_output_filter
Definition pe_sieve_types.h:23
OUT_FILTERS_COUNT
@ OUT_FILTERS_COUNT
Definition pe_sieve_types.h:27
t_dotnet_policy
t_dotnet_policy
Definition pe_sieve_types.h:84
PE_DNET_COUNT
@ PE_DNET_COUNT
Definition pe_sieve_types.h:90
t_obfusc_mode
t_obfusc_mode
Definition pe_sieve_types.h:50
OBFUSC_COUNT
@ OBFUSC_COUNT
Definition pe_sieve_types.h:55
t_imprec_mode
t_imprec_mode
Definition pe_sieve_types.h:58
PE_IMPREC_MODES_COUNT
@ PE_IMPREC_MODES_COUNT
Definition pe_sieve_types.h:65
t_json_level
t_json_level
Definition pe_sieve_types.h:103
JSON_LVL_COUNT
@ JSON_LVL_COUNT
Definition pe_sieve_types.h:107
Generated by doxygen 1.12.0