PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pe_sieve_params_info.cpp
3#include <windows.h>
5using namespace pesieve;
// Human-readable description of a PE dump mode (used for help text / reports).
// dump_mode arrives as a raw DWORD rather than the enum, so any value can be
// passed in; anything outside the known modes is reported as "undefined".
std::string pesieve::translate_dump_mode(const DWORD dump_mode)
{
    if (dump_mode == pesieve::PE_DUMP_AUTO) {
        return "autodetect (default)";
    }
    if (dump_mode == pesieve::PE_DUMP_VIRTUAL) {
        return "virtual (as is in the memory, no unmapping)";
    }
    if (dump_mode == pesieve::PE_DUMP_UNMAP) {
        return "unmapped (converted to raw using sections' raw headers)";
    }
    if (dump_mode == pesieve::PE_DUMP_REALIGN) {
        return "realigned raw (converted raw format to be the same as virtual)";
    }
    return "undefined";
}
// Short single-letter identifier of a PE dump mode, e.g. for file names / JSON.
// Note that the fallback for an unrecognized value is "N", which is not one of
// the four known-mode letters, so callers can tell "unknown" apart from a real mode.
std::string pesieve::dump_mode_to_id(const DWORD dump_mode)
{
    std::string id = "N";
    switch (dump_mode) {
    case pesieve::PE_DUMP_AUTO:
        id = "A";
        break;
    case pesieve::PE_DUMP_VIRTUAL:
        id = "V";
        break;
    case pesieve::PE_DUMP_UNMAP:
        id = "U";
        break;
    case pesieve::PE_DUMP_REALIGN:
        id = "R";
        break;
    default:
        break;
    }
    return id;
}
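// Human-readable description of an output filter level (what is written to
// the output directory). The declarator is restored here from the file's
// declared prototype; the rendered listing dropped that line.
// Unknown values are reported as "undefined". There is deliberately no
// default: label, so a newly added enumerator can trigger a compiler warning.
std::string pesieve::translate_out_filter(const pesieve::t_output_filter o_filter)
{
    switch (o_filter) {
    case pesieve::OUT_FULL:
        return "no filter: dump everything (default)";
    case pesieve::OUT_NO_DUMPS:
        return "don't dump the modified PEs, but save the report";
    case pesieve::OUT_NO_DIR:
        return "don't dump any files";
    }
    return "undefined";
}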
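// Human-readable description of an import-recovery mode. The declarator is
// restored from the file's declared prototype (the rendered listing dropped it).
// The REBUILD* descriptions span two lines ("\n\t") on purpose: they are
// printed as indented help text. Unknown values are reported as "undefined".
std::string pesieve::translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode)
{
    switch (imprec_mode) {
    case pesieve::PE_IMPREC_NONE:
        return "none: do not recover imports (default)";
    case pesieve::PE_IMPREC_AUTO:
        return "try to autodetect the most suitable mode";
    case pesieve::PE_IMPREC_UNERASE:
        return "unerase the erased parts of the partialy damaged ImportTable";
    case pesieve::PE_IMPREC_REBUILD0:
        return "build the ImportTable from scratch, basing on the found IATs:\n\t use only terminated blocks (restrictive mode)";
    case pesieve::PE_IMPREC_REBUILD1:
        return "build the ImportTable from scratch, basing on the found IATs:\n\t use terminated blocks, or blocks with more than 1 thunk";
    case pesieve::PE_IMPREC_REBUILD2:
        return "build the ImportTable from scratch, basing on the found IATs:\n\t use all found blocks (aggressive mode)";
    }
    return "undefined";
}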
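// Short identifier of an import-recovery mode (e.g. for file names / JSON).
// The declarator is restored from the file's declared prototype (the rendered
// listing dropped it). NOTE: the fallback "N" is the same id as PE_IMPREC_NONE,
// so an unrecognized value is indistinguishable from "none" in the output.
std::string pesieve::imprec_mode_to_id(const pesieve::t_imprec_mode imprec_mode)
{
    switch (imprec_mode) {
    case pesieve::PE_IMPREC_NONE:
        return "N";
    case pesieve::PE_IMPREC_AUTO:
        return "A";
    case pesieve::PE_IMPREC_UNERASE:
        return "U";
    case pesieve::PE_IMPREC_REBUILD0:
        return "R0";
    case pesieve::PE_IMPREC_REBUILD1:
        return "R1";
    case pesieve::PE_IMPREC_REBUILD2:
        return "R2";
    }
    return "N";
}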
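// Human-readable description of the .NET (managed process) scanning policy.
// The declarator is restored from the file's declared prototype (the rendered
// listing dropped it). Unknown values are reported as "undefined"; there is
// deliberately no default: label so an unhandled enumerator can trigger a warning.
std::string pesieve::translate_dotnet_policy(const pesieve::t_dotnet_policy &mode)
{
    switch (mode) {
    case pesieve::PE_DNET_NONE:
        return "none: treat managed processes same as native";
    case pesieve::PE_DNET_SKIP_MAPPING:
        return "skip mapping mismatch (in .NET modules only)";
    case pesieve::PE_DNET_SKIP_SHC:
        return "skip shellcodes (in all modules within the managed process)";
    case pesieve::PE_DNET_SKIP_HOOKS:
        return "skip hooked modules (in all modules within the managed process)";
    case pesieve::PE_DNET_SKIP_ALL:
        return "skip all the above (mapping, shellcodes, hooks)";
    }
    return "undefined";
}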
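// Human-readable description of the non-executable (data) page scanning mode.
// The declarator is restored from the file's declared prototype (the rendered
// listing dropped it). The two INACCESSIBLE descriptions contain "\n\t" on
// purpose: they print as a second, indented help line. Unknown values are
// reported as "undefined".
std::string pesieve::translate_data_mode(const pesieve::t_data_scan_mode &mode)
{
    switch (mode) {
    case pesieve::PE_DATA_NO_SCAN:
        return "none: do not scan non-executable pages";
    case pesieve::PE_DATA_SCAN_DOTNET:
        return ".NET: scan non-executable in .NET applications";
    case pesieve::PE_DATA_SCAN_NO_DEP:
        return "if no DEP: scan non-exec if DEP is disabled (or if is .NET)";
    case pesieve::PE_DATA_SCAN_ALWAYS:
        return "always: scan non-executable pages unconditionally";
    case pesieve::PE_DATA_SCAN_INACCESSIBLE:
        return "include inaccessible: scan non-executable pages unconditionally;\n\t in reflection mode (/refl): scan also inaccessible pages";
    case pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY:
        return "scan inaccessible pages, but exclude other non-executable;\n\t works in reflection mode (/refl) only";
    }
    return "undefined";
}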
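// Human-readable description of a JSON report detail level. The declarator is
// restored from the file's declared prototype (the rendered listing dropped it).
// Unknown values are reported as "undefined".
std::string pesieve::translate_json_level(const pesieve::t_json_level &mode)
{
    switch (mode) {
    case pesieve::JSON_BASIC:
        return "basic";
    case pesieve::JSON_DETAILS:
        return "details #1 (list patches)";
    case pesieve::JSON_DETAILS2:
        return "details #2 (list patches: extended)";
    }
    return "undefined";
}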
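// Short identifier of a shellcode detection mode (e.g. for file names / JSON).
// The declarator is restored from the file's declared prototype (the rendered
// listing dropped it). SHELLC_NONE has no case of its own: it, and any
// unrecognized value, falls through to "N".
std::string pesieve::shellc_mode_mode_to_id(const pesieve::t_shellc_mode &mode)
{
    switch (mode) {
    case pesieve::SHELLC_PATTERNS:
        return "P";
    case pesieve::SHELLC_STATS:
        return "S";
    case pesieve::SHELLC_PATTERNS_OR_STATS:
        return "A";
    case pesieve::SHELLC_PATTERNS_AND_STATS:
        return "B";
    }
    return "N";
}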
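// Human-readable description of a shellcode detection mode. The declarator is
// restored from the file's declared prototype (the rendered listing dropped it).
// Unknown values are reported as "undefined"; there is deliberately no default:
// label so an unhandled enumerator can trigger a compiler warning.
std::string pesieve::translate_shellc_mode(const pesieve::t_shellc_mode &mode)
{
    switch (mode) {
    case pesieve::SHELLC_NONE:
        return "none: do not detect shellcodes";
    case pesieve::SHELLC_PATTERNS:
        return "detect shellcodes by patterns";
    case pesieve::SHELLC_STATS:
        return "detect shellcodes by stats";
    case pesieve::SHELLC_PATTERNS_OR_STATS:
        return "detect shellcodes by patterns or stats (any match)";
    case pesieve::SHELLC_PATTERNS_AND_STATS:
        return "detect shellcodes by patterns and stats (both match)";
    }
    return "undefined";
}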
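// Human-readable description of an obfuscation (encrypted area) detection mode.
// The declarator is restored from the file's declared prototype (the rendered
// listing dropped it). Unknown values are reported as "undefined".
std::string pesieve::translate_obfusc_mode(const pesieve::t_obfusc_mode &mode)
{
    switch (mode) {
    case pesieve::OBFUSC_NONE:
        return "none: do not detect obfuscated areas";
    case pesieve::OBFUSC_STRONG_ENC:
        return "detect areas possibly encrypted with strong encryption";
    case pesieve::OBFUSC_WEAK_ENC:
        return "detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)";
    case pesieve::OBFUSC_ANY:
        return "detect any: possible strong or weak encryption";
    }
    return "undefined";
}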
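// Short identifier of an obfuscation detection mode (e.g. for file names / JSON).
// The declarator is restored from the file's declared prototype (the rendered
// listing dropped it). OBFUSC_NONE has no case of its own: it, and any
// unrecognized value, falls through to "N".
std::string pesieve::obfusc_mode_mode_to_id(const pesieve::t_obfusc_mode &mode)
{
    switch (mode) {
    case pesieve::OBFUSC_STRONG_ENC:
        return "S";
    case pesieve::OBFUSC_WEAK_ENC:
        return "W";
    case pesieve::OBFUSC_ANY:
        return "A";
    }
    return "N";
}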
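// Human-readable description of an IAT hook scanning mode. The declarator is
// restored from the file's declared prototype (the rendered listing dropped it).
// Unknown values are reported as "undefined"; there is deliberately no default:
// label so an unhandled enumerator can trigger a compiler warning.
std::string pesieve::translate_iat_scan_mode(const pesieve::t_iat_scan_mode mode)
{
    switch (mode) {
    case pesieve::PE_IATS_NONE:
        return "none: do not scan for IAT Hooks (default)";
    case pesieve::PE_IATS_CLEAN_SYS_FILTERED:
        return "scan IAT, filter hooks that lead to unpatched system module";
    case pesieve::PE_IATS_ALL_SYS_FILTERED:
        return "scan IAT, filter hooks that lead to ANY system module";
    case pesieve::PE_IATS_UNFILTERED:
        return "unfiltered: scan for IAT Hooks, report all";
    }
    return "undefined";
}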
std::string shellc_mode_mode_to_id(const pesieve::t_shellc_mode &mode)
std::string translate_iat_scan_mode(const pesieve::t_iat_scan_mode mode)
std::string translate_data_mode(const pesieve::t_data_scan_mode &mode)
std::string imprec_mode_to_id(const pesieve::t_imprec_mode imprec_mode)
std::string translate_obfusc_mode(const pesieve::t_obfusc_mode &mode)
std::string translate_dump_mode(const DWORD dump_mode)
std::string obfusc_mode_mode_to_id(const pesieve::t_obfusc_mode &mode)
std::string dump_mode_to_id(const DWORD dump_mode)
std::string translate_json_level(const pesieve::t_json_level &mode)
std::string translate_out_filter(const pesieve::t_output_filter o_filter)
std::string translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode)
std::string translate_dotnet_policy(const pesieve::t_dotnet_policy &mode)
std::string translate_shellc_mode(const pesieve::t_shellc_mode &mode)