PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
pe_sieve_api.cpp
Go to the documentation of this file.
1#include <windows.h>
2#include <string>
3#include <iostream>
4
5#include "pe_sieve.h"
6
7#define PESIEVE_EXPORTS
8#include <pe_sieve_api.h>
9
10#define LIB_NAME "PE-sieve"
11
12using namespace pesieve;
13
14size_t print_report(const pesieve::ReportEx& report, const pesieve::t_params args, const t_report_type rtype, char* json_buf, size_t json_buf_size)
15{
16 if (rtype == REPORT_NONE) return 0;
17
18 size_t level = 1;
19 std::string report_str = report_to_json(report, rtype, args.results_filter, args.json_lvl, level);
20 const size_t report_len = report_str.length();
21
22 if (json_buf && json_buf_size) {
23 ::memset(json_buf, 0, json_buf_size);
24 size_t max_len = report_len <= (json_buf_size - 1) ? report_len : (json_buf_size - 1);
25 ::memcpy(json_buf, report_str.c_str(), max_len);
26 }
27 return report_len;
28}
29
30PEsieve_report PESIEVE_API_FUNC PESieve_scan_ex(IN const PEsieve_params &args, IN const PEsieve_rtype rtype, OUT char* json_buf, IN size_t json_buf_size, OUT size_t* needed_size)
31{
32 if (IsBadReadPtr((LPVOID)&args, sizeof(PEsieve_params)) ) {
33 pesieve::t_report empty = { 0 };
34 empty.errors = 1;
35 return empty;
36 }
37 const pesieve::ReportEx* report = pesieve::scan_and_dump(args);
38 pesieve::t_report summary = { 0 };
39 summary.pid = args.pid;
40 summary.errors = pesieve::ERROR_SCAN_FAILURE;
41 if (!report) {
42 return summary;
43 }
44 if (report->scan_report) {
45 summary = report->scan_report->generateSummary();
46 }
47 //check the pointers:
48 if (json_buf) {
49 if (!json_buf_size || IsBadWritePtr(json_buf, json_buf_size)) {
50 json_buf = nullptr;
51 json_buf_size = 0;
52 }
53 }
54 if (needed_size && IsBadWritePtr(needed_size, sizeof(size_t))) {
55 needed_size = nullptr;
56 }
57
58 //print the report (only if any valid output buffer was passed)
59 if (json_buf || needed_size) {
60 const size_t report_size = print_report(*report, args, rtype, json_buf, json_buf_size);
61 if (needed_size) {
62 *needed_size = report_size;
63 }
64 }
65 delete report;
66 return summary;
67}
68
69PEsieve_report PESIEVE_API_FUNC PESieve_scan(IN const PEsieve_params &args)
70{
71 return PESieve_scan_ex(args, REPORT_NONE, nullptr, 0, nullptr);
72}
73
74void PESIEVE_API_FUNC PESieve_help(void)
75{
76 std::string my_info = pesieve::info();
77
78 std::cout << my_info;
79 MessageBox(NULL, my_info.c_str(), LIB_NAME, MB_ICONINFORMATION);
80}
81
82extern const DWORD PESIEVE_API PESieve_version = MAKELONG(MAKEWORD(PESIEVE_PATCH_VERSION, PESIEVE_MICRO_VERSION), MAKEWORD(PESIEVE_MINOR_VERSION, PESIEVE_MAJOR_VERSION));
pesieve::ReportEx
The final report about the actions performed on the process: scanning and dumping.
Definition pe_sieve_report.h:29
pesieve.t_params
Definition pesieve.py:100
pesieve.t_report_type
Definition pesieve.py:88
pesieve.t_report
Definition pesieve.py:123
pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
pesieve.PESieve_help
PESieve_help()
Definition pesieve.py:168
pesieve.ERROR_SCAN_FAILURE
int ERROR_SCAN_FAILURE
Definition pesieve.py:9
pesieve::report_to_json
std::string report_to_json(const ReportEx &report, const t_report_type rtype, t_results_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0)
Definition report_formatter.cpp:106
pesieve.PESieve_version
PESieve_version
Definition pesieve.py:145
pesieve.PESieve_scan_ex
(t_report, str, int) PESieve_scan_ex(t_params params, t_report_type rtype, int buf_size)
Definition pesieve.py:186
pesieve::info
std::string info()
The string with the basic information about the scanner.
Definition pe_sieve.cpp:274
pesieve::scan_and_dump
ReportEx * scan_and_dump(IN const pesieve::t_params args)
The main action performed by PE-sieve: scanning the process and dumping the detected material.
Definition pe_sieve.cpp:198
pesieve.PESieve_scan
t_report PESieve_scan(t_params params)
Definition pesieve.py:173
pe_sieve.h
The root of the PE-sieve scanner.
print_report
size_t print_report(const pesieve::ReportEx &report, const pesieve::t_params args, const t_report_type rtype, char *json_buf, size_t json_buf_size)
Definition pe_sieve_api.cpp:14
LIB_NAME
#define LIB_NAME
Definition pe_sieve_api.cpp:10
pe_sieve_api.h
The API: definitions of the exported elements that are accessible from PE-sieve DLL.
PESIEVE_API
#define PESIEVE_API
Definition pe_sieve_api.h:13
PESIEVE_API_FUNC
#define PESIEVE_API_FUNC
Definition pe_sieve_api.h:21
REPORT_NONE
@ REPORT_NONE
do not output a report
Definition pe_sieve_types.h:111
PESIEVE_PATCH_VERSION
#define PESIEVE_PATCH_VERSION
Definition pe_sieve_ver_short.h:6
PESIEVE_MINOR_VERSION
#define PESIEVE_MINOR_VERSION
Definition pe_sieve_ver_short.h:4
PESIEVE_MAJOR_VERSION
#define PESIEVE_MAJOR_VERSION
Definition pe_sieve_ver_short.h:3
PESIEVE_MICRO_VERSION
#define PESIEVE_MICRO_VERSION
Definition pe_sieve_ver_short.h:5
params
Input parameters for PE-sieve, defining the configuration.
Definition pe_sieve_types.h:124
report
Final summary about the scanned process.
Definition pe_sieve_types.h:150
Generated by doxygen 1.12.0