PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pe_sieve_params_info.cpp
3#include <windows.h>
// Convenience directive only: every enumerator used in the definitions below
// is still written with its explicit pesieve:: qualifier.
using namespace pesieve;
/// Human-readable description of a PE dump mode, for help/report text.
/// @param dump_mode one of the pesieve::PE_DUMP_* values. The parameter is a
///        DWORD rather than the enum, so any 32-bit value can reach this
///        function (for example one taken straight from option parsing).
/// @return the description, or an empty string when dump_mode is not one of
///         the four PE_DUMP_* values handled here.
std::string pesieve::translate_dump_mode(const DWORD dump_mode)
{
	struct Entry {
		DWORD mode;
		const char* text;
	};
	static const Entry kTable[] = {
		{ static_cast<DWORD>(pesieve::PE_DUMP_AUTO),    "autodetect (default)" },
		{ static_cast<DWORD>(pesieve::PE_DUMP_VIRTUAL), "virtual (as is in the memory, no unmapping)" },
		{ static_cast<DWORD>(pesieve::PE_DUMP_UNMAP),   "unmapped (converted to raw using sections' raw headers)" },
		{ static_cast<DWORD>(pesieve::PE_DUMP_REALIGN), "realigned raw (converted raw format to be the same as virtual)" },
	};
	for (const Entry& entry : kTable) {
		if (entry.mode == dump_mode) {
			return entry.text;
		}
	}
	// Unrecognized value: hand back an empty description rather than a guess.
	return "";
}
/// Short identifier of a PE dump mode (single letter), e.g. for naming output.
/// @param dump_mode one of the pesieve::PE_DUMP_* values, passed as a raw DWORD.
/// @return "A", "V", "U" or "R" for the known modes; "N" for anything else.
///         Note that "N" is not the id of any valid mode here, so it marks an
///         unrecognized value.
std::string pesieve::dump_mode_to_id(const DWORD dump_mode)
{
	if (dump_mode == pesieve::PE_DUMP_AUTO) {
		return "A";
	}
	if (dump_mode == pesieve::PE_DUMP_VIRTUAL) {
		return "V";
	}
	if (dump_mode == pesieve::PE_DUMP_UNMAP) {
		return "U";
	}
	if (dump_mode == pesieve::PE_DUMP_REALIGN) {
		return "R";
	}
	return "N";
}
/// Human-readable description of an output filter, for help/report text.
/// @param o_filter one of the pesieve::OUT_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_out_filter(const pesieve::t_output_filter o_filter)
{
	if (o_filter == pesieve::OUT_FULL) {
		return "no filter: dump everything (default)";
	}
	if (o_filter == pesieve::OUT_NO_DUMPS) {
		return "don't dump the modified PEs, but save the report";
	}
	if (o_filter == pesieve::OUT_NO_DIR) {
		return "don't dump any files";
	}
	// Unrecognized filter: empty description, no exception, no fallback text.
	return "";
}
/// Human-readable description of a results filter, for help/report text.
/// @param r_filter one of the pesieve::SHOW_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_results_filter(const pesieve::t_results_filter r_filter)
{
	struct Entry {
		pesieve::t_results_filter filter;
		const char* text;
	};
	static const Entry kTable[] = {
		{ pesieve::SHOW_SUSPICIOUS,            "only suspicious (default)" },
		{ pesieve::SHOW_SUSPICIOUS_AND_ERRORS, "suspicious and errors" },
		{ pesieve::SHOW_ALL,                   "all scanned" },
	};
	for (const Entry& entry : kTable) {
		if (entry.filter == r_filter) {
			return entry.text;
		}
	}
	return "";
}
/// Short identifier of a results filter, e.g. for naming output.
/// @param r_filter one of the pesieve::SHOW_* values, passed as a raw DWORD.
/// @return "S", "SE" or "L" for the known filters. For anything else this
///         returns an EMPTY string - unlike dump_mode_to_id / imprec_mode_to_id
///         in this file, which use "N" - so callers that build names from the
///         id should not assume it is non-empty.
std::string pesieve::results_filter_to_id(const DWORD r_filter)
{
	if (r_filter == pesieve::SHOW_SUSPICIOUS) {
		return "S";
	}
	if (r_filter == pesieve::SHOW_SUSPICIOUS_AND_ERRORS) {
		return "SE";
	}
	if (r_filter == pesieve::SHOW_ALL) {
		return "L";
	}
	return "";
}
/// Human-readable description of an import-recovery mode, for help/report text.
/// Some descriptions span two lines ("\n\t") and are meant for console output.
/// @param imprec_mode one of the pesieve::PE_IMPREC_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode)
{
	struct Entry {
		pesieve::t_imprec_mode mode;
		const char* text;
	};
	static const Entry kTable[] = {
		{ pesieve::PE_IMPREC_NONE,     "none: do not recover imports (default)" },
		{ pesieve::PE_IMPREC_AUTO,     "try to autodetect the most suitable mode" },
		{ pesieve::PE_IMPREC_UNERASE,  "unerase the erased parts of the partialy damaged ImportTable" },
		{ pesieve::PE_IMPREC_REBUILD0, "build the ImportTable from scratch, basing on the found IATs:\n\t use only terminated blocks (restrictive mode)" },
		{ pesieve::PE_IMPREC_REBUILD1, "build the ImportTable from scratch, basing on the found IATs:\n\t use terminated blocks, or blocks with more than 1 thunk" },
		{ pesieve::PE_IMPREC_REBUILD2, "build the ImportTable from scratch, basing on the found IATs:\n\t use all found blocks (aggressive mode)" },
	};
	for (const Entry& entry : kTable) {
		if (entry.mode == imprec_mode) {
			return entry.text;
		}
	}
	return "";
}
/// Short identifier of an import-recovery mode, e.g. for naming output.
/// @param imprec_mode one of the pesieve::PE_IMPREC_* values.
/// @return "N", "A", "U", "R0", "R1" or "R2" for the known modes, and "N" for
///         anything else. Because "N" is also the id of PE_IMPREC_NONE, the id
///         alone cannot distinguish "none" from an unrecognized value.
std::string pesieve::imprec_mode_to_id(const pesieve::t_imprec_mode imprec_mode)
{
	if (imprec_mode == pesieve::PE_IMPREC_AUTO) {
		return "A";
	}
	if (imprec_mode == pesieve::PE_IMPREC_UNERASE) {
		return "U";
	}
	if (imprec_mode == pesieve::PE_IMPREC_REBUILD0) {
		return "R0";
	}
	if (imprec_mode == pesieve::PE_IMPREC_REBUILD1) {
		return "R1";
	}
	if (imprec_mode == pesieve::PE_IMPREC_REBUILD2) {
		return "R2";
	}
	// PE_IMPREC_NONE and every unrecognized value share the same id.
	return "N";
}
/// Human-readable description of a .NET scanning policy, for help/report text.
/// @param mode one of the pesieve::PE_DNET_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_dotnet_policy(const pesieve::t_dotnet_policy &mode)
{
	struct Entry {
		pesieve::t_dotnet_policy policy;
		const char* text;
	};
	static const Entry kTable[] = {
		{ pesieve::PE_DNET_NONE,         "none: treat managed processes same as native" },
		{ pesieve::PE_DNET_SKIP_MAPPING, "skip mapping mismatch (in .NET modules only)" },
		{ pesieve::PE_DNET_SKIP_SHC,     "skip shellcodes (in all modules within the managed process)" },
		{ pesieve::PE_DNET_SKIP_HOOKS,   "skip hooked modules (in all modules within the managed process)" },
		{ pesieve::PE_DNET_SKIP_ALL,     "skip all the above (mapping, shellcodes, hooks)" },
	};
	for (const Entry& entry : kTable) {
		if (entry.policy == mode) {
			return entry.text;
		}
	}
	return "";
}
/// Human-readable description of a data (non-executable pages) scan mode,
/// for help/report text. Two of the descriptions span two lines ("\n\t").
/// @param mode one of the pesieve::PE_DATA_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_data_mode(const pesieve::t_data_scan_mode &mode)
{
	if (mode == pesieve::PE_DATA_NO_SCAN) {
		return "none: do not scan non-executable pages";
	}
	if (mode == pesieve::PE_DATA_SCAN_DOTNET) {
		return ".NET: scan non-executable in .NET applications";
	}
	if (mode == pesieve::PE_DATA_SCAN_NO_DEP) {
		return "if no DEP: scan non-exec if DEP is disabled (or if is .NET)";
	}
	if (mode == pesieve::PE_DATA_SCAN_ALWAYS) {
		return "always: scan non-executable pages unconditionally";
	}
	if (mode == pesieve::PE_DATA_SCAN_INACCESSIBLE) {
		return "include inaccessible: scan non-executable pages unconditionally;\n\t in reflection mode (/refl): scan also inaccessible pages";
	}
	if (mode == pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY) {
		return "scan inaccessible pages, but exclude other non-executable;\n\t works in reflection mode (/refl) only";
	}
	return "";
}
/// Human-readable description of a JSON report detail level, for help text.
/// @param mode one of the pesieve::JSON_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_json_level(const pesieve::t_json_level &mode)
{
	struct Entry {
		pesieve::t_json_level level;
		const char* text;
	};
	static const Entry kTable[] = {
		{ pesieve::JSON_BASIC,    "basic" },
		{ pesieve::JSON_DETAILS,  "details #1 (list patches)" },
		{ pesieve::JSON_DETAILS2, "details #2 (list patches: extended)" },
	};
	for (const Entry& entry : kTable) {
		if (entry.level == mode) {
			return entry.text;
		}
	}
	return "";
}
/// Short identifier of a shellcode detection mode, e.g. for naming output.
/// @param mode one of the pesieve::SHELLC_* values.
/// @return "P", "S", "A" or "B" for the pattern/stats modes. SHELLC_NONE has no
///         dedicated id and falls through to "N" together with any
///         unrecognized value, so "N" means "none or unknown".
std::string pesieve::shellc_mode_mode_to_id(const pesieve::t_shellc_mode &mode)
{
	if (mode == pesieve::SHELLC_PATTERNS) {
		return "P";
	}
	if (mode == pesieve::SHELLC_STATS) {
		return "S";
	}
	if (mode == pesieve::SHELLC_PATTERNS_OR_STATS) {
		return "A";
	}
	if (mode == pesieve::SHELLC_PATTERNS_AND_STATS) {
		return "B";
	}
	return "N";
}
/// Human-readable description of a shellcode detection mode, for help text.
/// @param mode one of the pesieve::SHELLC_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_shellc_mode(const pesieve::t_shellc_mode &mode)
{
	struct Entry {
		pesieve::t_shellc_mode shellc_mode;
		const char* text;
	};
	static const Entry kTable[] = {
		{ pesieve::SHELLC_NONE,               "none: do not detect shellcodes" },
		{ pesieve::SHELLC_PATTERNS,           "detect shellcodes by patterns" },
		{ pesieve::SHELLC_STATS,              "detect shellcodes by stats" },
		{ pesieve::SHELLC_PATTERNS_OR_STATS,  "detect shellcodes by patterns or stats (any match)" },
		{ pesieve::SHELLC_PATTERNS_AND_STATS, "detect shellcodes by patterns and stats (both match)" },
	};
	for (const Entry& entry : kTable) {
		if (entry.shellc_mode == mode) {
			return entry.text;
		}
	}
	return "";
}
/// Human-readable description of an obfuscation detection mode, for help text.
/// @param mode one of the pesieve::OBFUSC_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_obfusc_mode(const pesieve::t_obfusc_mode &mode)
{
	if (mode == pesieve::OBFUSC_NONE) {
		return "none: do not detect obfuscated areas";
	}
	if (mode == pesieve::OBFUSC_STRONG_ENC) {
		return "detect areas possibly encrypted with strong encryption";
	}
	if (mode == pesieve::OBFUSC_WEAK_ENC) {
		return "detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)";
	}
	if (mode == pesieve::OBFUSC_ANY) {
		return "detect any: possible strong or weak encryption";
	}
	return "";
}
/// Short identifier of an obfuscation detection mode, e.g. for naming output.
/// @param mode one of the pesieve::OBFUSC_* values.
/// @return "S", "W" or "A" for the detection modes. OBFUSC_NONE has no
///         dedicated id and falls through to "N" together with any
///         unrecognized value, so "N" means "none or unknown".
std::string pesieve::obfusc_mode_mode_to_id(const pesieve::t_obfusc_mode &mode)
{
	struct Entry {
		pesieve::t_obfusc_mode obfusc_mode;
		const char* id;
	};
	static const Entry kTable[] = {
		{ pesieve::OBFUSC_STRONG_ENC, "S" },
		{ pesieve::OBFUSC_WEAK_ENC,   "W" },
		{ pesieve::OBFUSC_ANY,        "A" },
	};
	for (const Entry& entry : kTable) {
		if (entry.obfusc_mode == mode) {
			return entry.id;
		}
	}
	return "N";
}
/// Human-readable description of an IAT hook scan mode, for help/report text.
/// @param mode one of the pesieve::PE_IATS_* values.
/// @return the description, or an empty string for a value not handled here.
std::string pesieve::translate_iat_scan_mode(const pesieve::t_iat_scan_mode mode)
{
	if (mode == pesieve::PE_IATS_NONE) {
		return "none: do not scan for IAT Hooks (default)";
	}
	if (mode == pesieve::PE_IATS_CLEAN_SYS_FILTERED) {
		return "scan IAT, filter hooks that lead to unpatched system module";
	}
	if (mode == pesieve::PE_IATS_ALL_SYS_FILTERED) {
		return "scan IAT, filter hooks that lead to ANY system module";
	}
	if (mode == pesieve::PE_IATS_UNFILTERED) {
		return "unfiltered: scan for IAT Hooks, report all";
	}
	return "";
}