PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
params.h
Go to the documentation of this file.
1#pragma once
2#include <sstream>
3
4#include "pe_sieve.h"
5#include "params_info/pe_sieve_params_info.h"
6
7#include <paramkit.h>
8
9using namespace paramkit;
10using namespace pesieve;
11
12//scan options:
13#define PARAM_PID "pid"
14#define PARAM_SHELLCODE "shellc"
15#define PARAM_OBFUSCATED "obfusc"
16#define PARAM_THREADS "threads"
17#define PARAM_DATA "data"
18#define PARAM_IAT "iat"
19#define PARAM_MODULES_IGNORE "mignore"
20#define PARAM_REFLECTION "refl"
21#define PARAM_DOTNET_POLICY "dnet"
22
23//dump options:
24#define PARAM_IMP_REC "imp"
25#define PARAM_DUMP_MODE "dmode"
26//output options:
27#define PARAM_OUT_FILTER "ofilter"
28#define PARAM_QUIET "quiet"
29#define PARAM_JSON "json"
30#define PARAM_JSON_LVL "jlvl"
31#define PARAM_DIR "dir"
32#define PARAM_MINIDUMP "minidmp"
33#define PARAM_PATTERN "pattern"
34
35
36bool alloc_strparam(PARAM_STRING& strparam, ULONG len)
37{
38 if (strparam.buffer != nullptr) { // already allocated
39 return false;
40 }
41 strparam.buffer = (char*)calloc(len + 1, sizeof(char));
42 if (strparam.buffer) {
43 strparam.length = len;
44 return true;
45 }
46 return false;
47}
48
49void free_strparam(PARAM_STRING& strparam)
50{
51 free(strparam.buffer);
52 strparam.buffer = nullptr;
53 strparam.length = 0;
54}
55
56class PEsieveParams : public Params
57{
58public:
59 PEsieveParams(const std::string &version)
60 : Params(version)
61 {
62 this->addParam(new IntParam(PARAM_PID, true));
63 this->setInfo(PARAM_PID, "Set the PID of the target process.");
64
65 EnumParam *enumParam = new EnumParam(PARAM_IMP_REC, "imprec_mode", false);
66 if (enumParam) {
67 this->addParam(enumParam);
68 this->setInfo(PARAM_IMP_REC, "Set in which mode the ImportTable should be recovered");
69 for (size_t i = 0; i < PE_IMPREC_MODES_COUNT; i++) {
70 t_imprec_mode mode = (t_imprec_mode)(i);
71 enumParam->addEnumValue(mode, imprec_mode_to_id(mode), translate_imprec_mode(mode));
72 }
73 }
74
75 enumParam = new EnumParam(PARAM_OUT_FILTER, "ofilter_id", false);
76 if (enumParam) {
77 this->addParam(enumParam);
78 this->setInfo(PARAM_OUT_FILTER, "Filter the dumped output.");
79 for (size_t i = 0; i < OUT_FILTERS_COUNT; i++) {
80 t_output_filter mode = (t_output_filter)(i);
81 enumParam->addEnumValue(mode, translate_out_filter(mode));
82 }
83 }
84
85 this->addParam(new StringListParam(PARAM_MODULES_IGNORE, false, PARAM_LIST_SEPARATOR));
86 {
87 std::stringstream ss1;
88 ss1 << "Do not scan module/s with given name/s.";
89 std::stringstream ss2;
90 ss2 << INFO_SPACER << "Example: kernel32.dll" << PARAM_LIST_SEPARATOR << "user32.dll";
91 this->setInfo(PARAM_MODULES_IGNORE, ss1.str(), ss2.str());
92 }
93
94 this->addParam(new BoolParam(PARAM_QUIET, false));
95 this->setInfo(PARAM_QUIET, "Print only the summary. Do not log on stdout during the scan.");
96
97 this->addParam(new BoolParam(PARAM_JSON, false));
98 this->setInfo(PARAM_JSON, "Print the JSON report as the summary.");
99 //
100 //PARAM_JSON_LVL
101 enumParam = new EnumParam(PARAM_JSON_LVL, "json_lvl", false);
102 if (enumParam) {
103 this->addParam(enumParam);
104 this->setInfo(PARAM_JSON_LVL, "Level of details of the JSON report.");
105 for (size_t i = 0; i < JSON_LVL_COUNT; i++) {
106 t_json_level mode = (t_json_level)(i);
107 enumParam->addEnumValue(mode, translate_json_level(mode));
108 }
109 }
110
111 this->addParam(new BoolParam(PARAM_MINIDUMP, false));
112 this->setInfo(PARAM_MINIDUMP, "Create a minidump of the full suspicious process.");
113
114 //PARAM_SHELLCODE
115 enumParam = new EnumParam(PARAM_SHELLCODE, "shellc_mode", false);
116 if (enumParam) {
117 this->addParam(enumParam);
118 this->setInfo(PARAM_SHELLCODE, "Detect shellcode implants (by patterns or statistics). ");
119 for (size_t i = 0; i < SHELLC_COUNT; i++) {
120 t_shellc_mode mode = (t_shellc_mode)(i);
121 enumParam->addEnumValue(mode, shellc_mode_mode_to_id(mode), translate_shellc_mode(mode));
122 }
123 }
124
125 this->addParam(new StringParam(PARAM_PATTERN, false));
126 this->setInfo(PARAM_PATTERN, "Set additional shellcode patterns (file in the SIG format).");
127
128 //PARAM_OBFUSCATED
129 enumParam = new EnumParam(PARAM_OBFUSCATED, "obfusc_mode", false);
130 if (enumParam) {
131 this->addParam(enumParam);
132 this->setInfo(PARAM_OBFUSCATED, "Detect encrypted content, and possible obfuscated shellcodes.");
133 for (size_t i = 0; i < OBFUSC_COUNT; i++) {
134 t_obfusc_mode mode = (t_obfusc_mode)(i);
135 enumParam->addEnumValue(mode, obfusc_mode_mode_to_id(mode), translate_obfusc_mode(mode));
136 }
137 }
138
139 //PARAM_THREADS
140 this->addParam(new BoolParam(PARAM_THREADS, false));
141 this->setInfo(PARAM_THREADS, "Scan threads' callstack. Detect shellcodes, incl. 'sleeping beacons'.");
142
143 //PARAM_REFLECTION
144 this->addParam(new BoolParam(PARAM_REFLECTION, false));
145 this->setInfo(PARAM_REFLECTION,
146 "Make a process reflection before scan.",
147 std::string(INFO_SPACER) + "This allows i.e. to force-read inaccessible pages."
148 );
149
150 //PARAM_IAT
151 enumParam = new EnumParam(PARAM_IAT, "iat_scan_mode", false);
152 if (enumParam) {
153 this->addParam(enumParam);
154 this->setInfo(PARAM_IAT, "Scan for IAT hooks.");
155 for (size_t i = 0; i < PE_IATS_MODES_COUNT; i++) {
156 t_iat_scan_mode mode = (t_iat_scan_mode)(i);
157 enumParam->addEnumValue(mode, translate_iat_scan_mode(mode));
158 }
159 }
160
161 //PARAM_DOTNET_POLICY
162 enumParam = new EnumParam(PARAM_DOTNET_POLICY, "dotnet_policy", false);
163 if (enumParam) {
164 this->addParam(enumParam);
165 this->setInfo(PARAM_DOTNET_POLICY, "Set the policy for scanning managed processes (.NET).");
166 for (size_t i = 0; i < PE_DNET_COUNT; i++) {
167 t_dotnet_policy mode = (t_dotnet_policy)(i);
168 enumParam->addEnumValue(mode, translate_dotnet_policy(mode));
169 }
170 }
171
172 //PARAM_DATA
173 enumParam = new EnumParam(PARAM_DATA, "data_scan_mode", false);
174 if (enumParam) {
175 this->addParam(enumParam);
176 this->setInfo(PARAM_DATA, "Set if non-executable pages should be scanned.");
177 for (size_t i = 0; i < PE_DATA_COUNT; i++) {
178 t_data_scan_mode mode = (t_data_scan_mode)(i);
179 enumParam->addEnumValue(mode, translate_data_mode(mode));
180 }
181 }
182
183 //PARAM_DUMP_MODE
184 enumParam = new EnumParam(PARAM_DUMP_MODE, "dump_mode", false);
185 if (enumParam) {
186 this->addParam(enumParam);
187 this->setInfo(PARAM_DUMP_MODE, "Set in which mode the detected PE files should be dumped.");
188 for (size_t i = 0; i < PE_DUMP_MODES_COUNT; i++) {
189 peconv::t_pe_dump_mode mode = (peconv::t_pe_dump_mode)(i);
190 enumParam->addEnumValue(mode, dump_mode_to_id(mode), translate_dump_mode(mode));
191 }
192 }
193
194 //PARAM_DIR
195 this->addParam(new StringParam(PARAM_DIR, false));
196 this->setInfo(PARAM_DIR, "Set a root directory for the output (default: current directory).");
197
198 //optional: group parameters
199 std::string str_group = "5. output options";
200 this->addGroup(new ParamGroup(str_group));
201 this->addParamToGroup(PARAM_DIR, str_group);
202 this->addParamToGroup(PARAM_JSON, str_group);
203 this->addParamToGroup(PARAM_JSON_LVL, str_group);
204 this->addParamToGroup(PARAM_OUT_FILTER, str_group);
205
206 str_group = "1. scanner settings";
207 this->addGroup(new ParamGroup(str_group));
208 this->addParamToGroup(PARAM_QUIET, str_group);
209 this->addParamToGroup(PARAM_REFLECTION, str_group);
210
211 str_group = "3. scan options";
212 this->addGroup(new ParamGroup(str_group));
213 this->addParamToGroup(PARAM_DATA, str_group);
214 this->addParamToGroup(PARAM_IAT, str_group);
215 this->addParamToGroup(PARAM_SHELLCODE, str_group);
216 this->addParamToGroup(PARAM_OBFUSCATED, str_group);
217 this->addParamToGroup(PARAM_THREADS, str_group);
218 this->addParamToGroup(PARAM_PATTERN, str_group);
219
220 str_group = "4. dump options";
221 this->addGroup(new ParamGroup(str_group));
222 this->addParamToGroup(PARAM_MINIDUMP, str_group);
223 this->addParamToGroup(PARAM_IMP_REC, str_group);
224 this->addParamToGroup(PARAM_DUMP_MODE, str_group);
225
226 str_group = "2. scan exclusions";
227 this->addGroup(new ParamGroup(str_group));
228 this->addParamToGroup(PARAM_DOTNET_POLICY, str_group);
229 this->addParamToGroup(PARAM_MODULES_IGNORE, str_group);
230 }
231
232 bool fillStringParam(const std::string &paramId, PARAM_STRING &strparam)
233 {
234 StringParam* myStr = dynamic_cast<StringParam*>(this->getParam(paramId));
235 if (!myStr || !myStr->isSet()) {
236 return false;
237 }
238 std::string val = myStr->valToString();
239 const size_t len = val.length();
240 if (!len) {
241 return false;
242 }
243 alloc_strparam(strparam, len);
244 bool is_copied = false;
245 if (strparam.buffer) {
246 is_copied = copyCStr<StringParam>(paramId, strparam.buffer, strparam.length);
247 }
248 return is_copied;
249 }
250
251 void fillStruct(t_params &ps)
252 {
253 copyVal<IntParam>(PARAM_PID, ps.pid);
254 copyVal<EnumParam>(PARAM_IMP_REC, ps.imprec_mode);
255 copyVal<EnumParam>(PARAM_OUT_FILTER, ps.out_filter);
256
257 fillStringParam(PARAM_MODULES_IGNORE, ps.modules_ignored);
258
259 copyVal<BoolParam>(PARAM_QUIET, ps.quiet);
260 copyVal<BoolParam>(PARAM_JSON, ps.json_output);
261
262 copyVal<EnumParam>(PARAM_JSON_LVL, ps.json_lvl);
263
264 copyVal<BoolParam>(PARAM_MINIDUMP, ps.minidump);
265 copyVal<EnumParam>(PARAM_SHELLCODE, ps.shellcode);
266 copyVal<EnumParam>(PARAM_OBFUSCATED, ps.obfuscated);
267 copyVal<BoolParam>(PARAM_THREADS, ps.threads);
268 copyVal<BoolParam>(PARAM_REFLECTION, ps.make_reflection);
269
270 copyVal<EnumParam>(PARAM_IAT, ps.iat);
271 copyVal<EnumParam>(PARAM_DOTNET_POLICY, ps.dotnet_policy);
272 copyVal<EnumParam>(PARAM_DATA, ps.data);
273 copyVal<EnumParam>(PARAM_DUMP_MODE, ps.dump_mode);
274
275 copyCStr<StringParam>(PARAM_DIR, ps.output_dir, _countof(ps.output_dir));
276 fillStringParam(PARAM_PATTERN, ps.pattern_file);
277 }
278
279 void printBanner()
280 {
281 char logo[] = "\
282.______ _______ _______. __ ___________ ____ _______ \n\
283| _ \\ | ____| / || | | ____\\ \\ / / | ____|\n\
284| |_) | | |__ ______ | (----`| | | |__ \\ \\/ / | |__ \n\
285| ___/ | __| |______| \\ \\ | | | __| \\ / | __| \n\
286| | | |____ .----) | | | | |____ \\ / | |____ \n\
287| _| |_______| |_______/ |__| |_______| \\__/ |_______|\n";
288
289 char logo2[] = "\
290 _ _______ _______ __ _______ __ _______ \n";
291 char logo3[] = "\
292________________________________________________________________________\n";
293 paramkit::print_in_color(DARK_GREEN, logo);
294 paramkit::print_in_color(DARK_RED, logo2);
295 paramkit::print_in_color(DARK_RED, logo3);
296 std::cout << "\n";
297 std::cout << pesieve::info();
298 }
299
300};
PEsieveParams::printBanner
void printBanner()
Definition params.h:279
PEsieveParams::PEsieveParams
PEsieveParams(const std::string &version)
Definition params.h:59
PEsieveParams::fillStruct
void fillStruct(t_params &ps)
Definition params.h:251
PEsieveParams::fillStringParam
bool fillStringParam(const std::string &paramId, PARAM_STRING &strparam)
Definition params.h:232
pesieve.PARAM_STRING
Definition pesieve.py:94
pesieve.t_data_scan_mode
Definition pesieve.py:73
pesieve.t_dotnet_policy
Definition pesieve.py:65
pesieve.t_iat_scan_mode
Definition pesieve.py:58
pesieve.t_imprec_mode
Definition pesieve.py:42
pesieve.t_json_level
Definition pesieve.py:82
pesieve.t_obfusc_mode
Definition pesieve.py:35
pesieve.t_output_filter
Definition pesieve.py:21
pesieve.t_params
Definition pesieve.py:100
pesieve.t_shellc_mode
Definition pesieve.py:27
pesieve::shellc_mode_mode_to_id
std::string shellc_mode_mode_to_id(const pesieve::t_shellc_mode &mode)
Definition pe_sieve_params_info.cpp:139
pesieve::translate_iat_scan_mode
std::string translate_iat_scan_mode(const pesieve::t_iat_scan_mode mode)
Definition pe_sieve_params_info.cpp:200
pesieve::translate_data_mode
std::string translate_data_mode(const pesieve::t_data_scan_mode &mode)
Definition pe_sieve_params_info.cpp:107
pesieve::imprec_mode_to_id
std::string imprec_mode_to_id(const pesieve::t_imprec_mode imprec_mode)
Definition pe_sieve_params_info.cpp:70
pesieve::translate_obfusc_mode
std::string translate_obfusc_mode(const pesieve::t_obfusc_mode &mode)
Definition pe_sieve_params_info.cpp:171
pesieve::translate_dump_mode
std::string translate_dump_mode(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:7
pesieve::obfusc_mode_mode_to_id
std::string obfusc_mode_mode_to_id(const pesieve::t_obfusc_mode &mode)
Definition pe_sieve_params_info.cpp:186
pesieve::dump_mode_to_id
std::string dump_mode_to_id(const DWORD dump_mode)
Definition pe_sieve_params_info.cpp:22
pesieve::translate_json_level
std::string translate_json_level(const pesieve::t_json_level &mode)
Definition pe_sieve_params_info.cpp:126
pesieve::translate_out_filter
std::string translate_out_filter(const pesieve::t_output_filter o_filter)
Definition pe_sieve_params_info.cpp:37
pesieve::info
std::string info()
The string with the basic information about the scanner.
Definition pe_sieve.cpp:272
pesieve::translate_imprec_mode
std::string translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode)
Definition pe_sieve_params_info.cpp:50
pesieve::translate_dotnet_policy
std::string translate_dotnet_policy(const pesieve::t_dotnet_policy &mode)
Definition pe_sieve_params_info.cpp:90
pesieve::translate_shellc_mode
std::string translate_shellc_mode(const pesieve::t_shellc_mode &mode)
Definition pe_sieve_params_info.cpp:154
PARAM_IAT
#define PARAM_IAT
Definition params.h:18
PARAM_PATTERN
#define PARAM_PATTERN
Definition params.h:33
PARAM_MINIDUMP
#define PARAM_MINIDUMP
Definition params.h:32
PARAM_IMP_REC
#define PARAM_IMP_REC
Definition params.h:24
PARAM_OUT_FILTER
#define PARAM_OUT_FILTER
Definition params.h:27
PARAM_OBFUSCATED
#define PARAM_OBFUSCATED
Definition params.h:15
PARAM_JSON
#define PARAM_JSON
Definition params.h:29
PARAM_PID
#define PARAM_PID
Definition params.h:13
PARAM_DOTNET_POLICY
#define PARAM_DOTNET_POLICY
Definition params.h:21
PARAM_DATA
#define PARAM_DATA
Definition params.h:17
PARAM_MODULES_IGNORE
#define PARAM_MODULES_IGNORE
Definition params.h:19
PARAM_QUIET
#define PARAM_QUIET
Definition params.h:28
alloc_strparam
bool alloc_strparam(PARAM_STRING &strparam, ULONG len)
Definition params.h:36
PARAM_THREADS
#define PARAM_THREADS
Definition params.h:16
PARAM_SHELLCODE
#define PARAM_SHELLCODE
Definition params.h:14
PARAM_JSON_LVL
#define PARAM_JSON_LVL
Definition params.h:30
PARAM_DIR
#define PARAM_DIR
Definition params.h:31
free_strparam
void free_strparam(PARAM_STRING &strparam)
Definition params.h:49
PARAM_DUMP_MODE
#define PARAM_DUMP_MODE
Definition params.h:25
PARAM_REFLECTION
#define PARAM_REFLECTION
Definition params.h:20
pe_sieve.h
The root of the PE-sieve scanner.
pe_sieve_params_info.h
PARAM_LIST_SEPARATOR
#define PARAM_LIST_SEPARATOR
Definition pe_sieve_types.h:10
t_shellc_mode
t_shellc_mode
Definition pe_sieve_types.h:30
SHELLC_COUNT
@ SHELLC_COUNT
Definition pe_sieve_types.h:36
t_data_scan_mode
t_data_scan_mode
Definition pe_sieve_types.h:82
PE_DATA_COUNT
@ PE_DATA_COUNT
Definition pe_sieve_types.h:89
PE_DUMP_MODES_COUNT
@ PE_DUMP_MODES_COUNT
Definition pe_sieve_types.h:62
t_iat_scan_mode
t_iat_scan_mode
Definition pe_sieve_types.h:65
PE_IATS_MODES_COUNT
@ PE_IATS_MODES_COUNT
Definition pe_sieve_types.h:70
t_output_filter
t_output_filter
Definition pe_sieve_types.h:23
OUT_FILTERS_COUNT
@ OUT_FILTERS_COUNT
Definition pe_sieve_types.h:27
t_dotnet_policy
t_dotnet_policy
Definition pe_sieve_types.h:73
PE_DNET_COUNT
@ PE_DNET_COUNT
Definition pe_sieve_types.h:79
t_obfusc_mode
t_obfusc_mode
Definition pe_sieve_types.h:39
OBFUSC_COUNT
@ OBFUSC_COUNT
Definition pe_sieve_types.h:44
t_imprec_mode
t_imprec_mode
Definition pe_sieve_types.h:47
PE_IMPREC_MODES_COUNT
@ PE_IMPREC_MODES_COUNT
Definition pe_sieve_types.h:54
t_json_level
t_json_level
Definition pe_sieve_types.h:92
JSON_LVL_COUNT
@ JSON_LVL_COUNT
Definition pe_sieve_types.h:96
Generated by doxygen 1.12.0