62 this->addParam(
new IntParam(
PARAM_PID,
true));
63 this->setInfo(
PARAM_PID,
"Set the PID of the target process.");
65 EnumParam *enumParam =
new EnumParam(
PARAM_IMP_REC,
"imprec_mode",
false);
67 this->addParam(enumParam);
68 this->setInfo(
PARAM_IMP_REC,
"Set in which mode the ImportTable should be recovered");
77 this->addParam(enumParam);
87 std::stringstream ss1;
88 ss1 <<
"Do not scan module/s with given name/s.";
89 std::stringstream ss2;
95 this->setInfo(
PARAM_QUIET,
"Print only the summary. Do not log on stdout during the scan.");
97 this->addParam(
new BoolParam(
PARAM_JSON,
false));
98 this->setInfo(
PARAM_JSON,
"Print the JSON report as the summary.");
103 this->addParam(enumParam);
104 this->setInfo(
PARAM_JSON_LVL,
"Level of details of the JSON report.");
112 this->setInfo(
PARAM_MINIDUMP,
"Create a minidump of the full suspicious process.");
117 this->addParam(enumParam);
118 this->setInfo(
PARAM_SHELLCODE,
"Detect shellcode implants (by patterns or statistics). ");
126 this->setInfo(
PARAM_PATTERN,
"Set additional shellcode patterns (file in the SIG format).");
131 this->addParam(enumParam);
132 this->setInfo(
PARAM_OBFUSCATED,
"Detect encrypted content, and possible obfuscated shellcodes.");
141 this->setInfo(
PARAM_THREADS,
"Scan threads' callstack. Detect shellcodes, incl. 'sleeping beacons'.");
146 "Make a process reflection before scan.",
147 std::string(INFO_SPACER) +
"This allows i.e. to force-read inaccessible pages."
151 enumParam =
new EnumParam(
PARAM_IAT,
"iat_scan_mode",
false);
153 this->addParam(enumParam);
154 this->setInfo(
PARAM_IAT,
"Scan for IAT hooks.");
164 this->addParam(enumParam);
165 this->setInfo(
PARAM_DOTNET_POLICY,
"Set the policy for scanning managed processes (.NET).");
173 enumParam =
new EnumParam(
PARAM_DATA,
"data_scan_mode",
false);
175 this->addParam(enumParam);
176 this->setInfo(
PARAM_DATA,
"Set if non-executable pages should be scanned.");
186 this->addParam(enumParam);
187 this->setInfo(
PARAM_DUMP_MODE,
"Set in which mode the detected PE files should be dumped.");
189 peconv::t_pe_dump_mode mode = (peconv::t_pe_dump_mode)(i);
195 this->addParam(
new StringParam(
PARAM_DIR,
false));
196 this->setInfo(
PARAM_DIR,
"Set a root directory for the output (default: current directory).");
199 std::string str_group =
"5. output options";
200 this->addGroup(
new ParamGroup(str_group));
201 this->addParamToGroup(
PARAM_DIR, str_group);
206 str_group =
"1. scanner settings";
207 this->addGroup(
new ParamGroup(str_group));
211 str_group =
"3. scan options";
212 this->addGroup(
new ParamGroup(str_group));
214 this->addParamToGroup(
PARAM_IAT, str_group);
220 str_group =
"4. dump options";
221 this->addGroup(
new ParamGroup(str_group));
226 str_group =
"2. scan exclusions";
227 this->addGroup(
new ParamGroup(str_group));