PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
params_dump.cpp
Go to the documentation of this file.
1#include "params_dump.h"
2
3#include "../utils/format_util.h"
4
5void pesieve::params_fields_to_JSON(pesieve::t_params& params, std::stringstream& outs, size_t level)
6{
7 if (params.modules_ignored.length && params.modules_ignored.buffer) {
8 OUT_PADDED(outs, level, "\"modules_ignored\" : ");
9 outs << "\"" << params.modules_ignored.buffer << "\"" << ",\n";
10 }
11 if (params.data) {
12 OUT_PADDED(outs, level, "\"data\" : ");
13 outs << std::dec << params.data << ",\n";
14 }
15 if (params.dotnet_policy) {
16 OUT_PADDED(outs, level, "\"dotnet_policy\" : ");
17 outs << std::dec << params.dotnet_policy << ",\n";
18 }
19
20 if (params.make_reflection) {
21 OUT_PADDED(outs, level, "\"use_reflection\" : ");
22 outs << std::dec << params.make_reflection << ",\n";
23 }
24 if (params.use_cache) {
25 OUT_PADDED(outs, level, "\"use_cache\" : ");
26 outs << std::dec << params.use_cache << ",\n";
27 }
28 if (params.out_filter) {
29 OUT_PADDED(outs, level, "\"out_filter\" : ");
30 outs << std::dec << params.out_filter << ",\n";
31 }
32 if (params.imprec_mode) {
33 OUT_PADDED(outs, level, "\"imprec_mode\" : ");
34 outs << std::dec << params.imprec_mode << ",\n";
35 }
36
37 OUT_PADDED(outs, level, "\"hooks\" : ");
38 outs << std::dec << (params.no_hooks ? 0 : 1) << ",\n";
39
40 OUT_PADDED(outs, level, "\"iat\" : ");
41 outs << std::dec << params.iat << ",\n";
42
43 OUT_PADDED(outs, level, "\"threads\" : ");
44 outs << std::dec << params.threads << ",\n";
45
46 OUT_PADDED(outs, level, "\"shellcode\" : ");
47 outs << std::dec << params.shellcode << ",\n";
48
49 OUT_PADDED(outs, level, "\"obfuscated\" : ");
50 outs << std::dec << params.obfuscated << "\n";
51}
52
53
54void pesieve::params_to_JSON(pesieve::t_params& params, std::stringstream& stream, size_t level)
55{
56 OUT_PADDED(stream, level, "\"pesieve_params\" : {\n");
57 params_fields_to_JSON(params, stream, level + 1);
58 OUT_PADDED(stream, level, "}");
59}
pesieve.t_params
Definition pesieve.py:110
format_util.h
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
pesieve::params_fields_to_JSON
void params_fields_to_JSON(pesieve::t_params &params, std::stringstream &outs, size_t level)
Definition params_dump.cpp:5
pesieve::params_to_JSON
void params_to_JSON(pesieve::t_params &params, std::stringstream &stream, size_t start_level)
Definition params_dump.cpp:54
params_dump.h
_PARAM_STRING::length
ULONG length
Definition pe_sieve_types.h:119
_PARAM_STRING::buffer
char * buffer
Definition pe_sieve_types.h:120
params
Input parameters for PE-sieve, defining the configuration.
Definition pe_sieve_types.h:124
params::make_reflection
bool make_reflection
operate on a process reflection rather than on the live process (this allows i.e. to force-read inacc...
Definition pe_sieve_types.h:140
params::shellcode
t_shellc_mode shellcode
detect shellcode implants
Definition pe_sieve_types.h:131
params::dotnet_policy
t_dotnet_policy dotnet_policy
policy for scanning .NET modules
Definition pe_sieve_types.h:126
params::no_hooks
bool no_hooks
don't scan for hooks
Definition pe_sieve_types.h:130
params::use_cache
bool use_cache
enable cache for the scanned modules
Definition pe_sieve_types.h:141
params::modules_ignored
PARAM_STRING modules_ignored
a list of modules that will not be scanned, separated by PARAM_LIST_SEPARATOR
Definition pe_sieve_types.h:146
params::imprec_mode
t_imprec_mode imprec_mode
import recovery mode
Definition pe_sieve_types.h:127
params::obfuscated
t_obfusc_mode obfuscated
detect encrypted or obfuscated content (possible encrypted shellcodes)
Definition pe_sieve_types.h:132
params::iat
t_iat_scan_mode iat
detect IAT hooking
Definition pe_sieve_types.h:134
params::threads
bool threads
scan threads
Definition pe_sieve_types.h:133
params::out_filter
t_output_filter out_filter
level of details of the created output material
Definition pe_sieve_types.h:129
params::data
t_data_scan_mode data
should scan non-executable pages?
Definition pe_sieve_types.h:135
Generated by doxygen 1.17.0