10#define PARAM_LIST_SEPARATOR ';'
131 char output_dir[MAX_PATH + 1];
struct report t_report
Final summary about the scanned process.
@ SHELLC_STATS
detect shellcodes by stats
@ SHELLC_NONE
do not detect shellcode
@ SHELLC_PATTERNS_OR_STATS
detect shellcodes by patterns or stats (any match)
@ SHELLC_PATTERNS_AND_STATS
detect shellcodes by patterns and stats (both match)
@ SHELLC_PATTERNS
detect shellcodes by patterns
@ PE_DATA_SCAN_DOTNET
scan data in .NET applications
@ PE_DATA_SCAN_INACCESSIBLE_ONLY
scan inaccessible pages (if running in reflection mode)
@ PE_DATA_SCAN_INACCESSIBLE
scan data unconditionally, and inaccessible pages (if running in reflection mode)
@ PE_DATA_SCAN_NO_DEP
scan data if no DEP or in .NET applications
@ PE_DATA_NO_SCAN
do not scan non-executable pages
@ PE_DATA_SCAN_ALWAYS
scan data unconditionally
@ PE_DUMP_VIRTUAL
dump as it is in the memory (virtual)
@ PE_DUMP_UNMAP
convert to the raw format: using raw sections' headers
@ PE_DUMP_REALIGN
convert to the raw format: by realigning raw sections' headers to be the same as virtual (useful if t...
@ PE_DUMP_AUTO
autodetect which dump mode is the most suitable for the given input
@ PE_IATS_CLEAN_SYS_FILTERED
scan IAT, filter hooks if they lead to unpatched system module
@ PE_IATS_NONE
do not scan IAT
@ PE_IATS_UNFILTERED
scan IAT, unfiltered
@ PE_IATS_ALL_SYS_FILTERED
scan IAT, filter hooks if they lead to any system module
@ OUT_FULL
no filter: dump everything (default)
@ OUT_NO_DUMPS
don't dump the modified PEs, but save the report
@ OUT_NO_DIR
don't dump any files
struct _PARAM_STRING PARAM_STRING
A wrapper for a dynamically allocated string.
struct params t_params
Input parameters for PE-sieve, defining the configuration.
@ PE_DNET_SKIP_ALL
skip all above indicators (mapping, shellcodes, hooks) in modules within the managed process
@ PE_DNET_SKIP_SHC
skip shellcodes (in all modules within the managed process)
@ PE_DNET_SKIP_MAPPING
skip mapping mismatch (in .NET modules only)
@ PE_DNET_NONE
none: treat managed processes same as native
@ PE_DNET_SKIP_HOOKS
skip hooked modules (in all modules within the managed process)
@ REPORT_ALL
output all available reports
@ REPORT_DUMPED
output the dumps report
@ REPORT_NONE
do not output a report
@ REPORT_SCANNED
output the scan report
@ OBFUSC_ANY
detect both: possible strong or weak encryption
@ OBFUSC_WEAK_ENC
detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)
@ OBFUSC_STRONG_ENC
detect areas possibly encrypted with strong encryption
@ OBFUSC_NONE
do not detect obfuscated contents
@ PE_IMPREC_NONE
do not try to recover imports
@ PE_IMPREC_AUTO
try to autodetect the most suitable mode
@ PE_IMPREC_REBUILD0
build the import table from the scratch, basing on the found IAT(s): use only terminated blocks (rest...
@ PE_IMPREC_UNERASE
recover erased parts of the partialy damaged import table
@ PE_IMPREC_REBUILD2
build the import table from the scratch, basing on the found IAT(s): use all found blocks (aggressive...
@ PE_IMPREC_REBUILD1
build the import table from the scratch, basing on the found IAT(s): use terminated blocks,...
@ JSON_DETAILS
include the basic list patches in the main JSON report
@ JSON_DETAILS2
include the extended list patches in the main JSON report
A wrapper for a dynamically allocated string.
Input parameters for PE-sieve, defining the configuration.
t_dump_mode dump_mode
in which mode the detected PE implants should be dumped
bool make_reflection
operate on a process reflection rather than on the live process (this allows i.e. to force-read inacc...
t_shellc_mode shellcode
detect shellcode implants
t_dotnet_policy dotnet_policy
policy for scanning .NET modules
bool no_hooks
don't scan for hooks
DWORD pid
the PID of the process to be scanned
bool use_cache
enable cache for the scanned modules
t_json_level json_lvl
level of the details of the JSON report
PARAM_STRING modules_ignored
a list of modules that will not be scanned, separated by PARAM_LIST_SEPARATOR
PARAM_STRING pattern_file
a file with additional patterns for code recognition
t_imprec_mode imprec_mode
import recovery mode
t_obfusc_mode obfuscated
detect encrypted or obfuscated content (possible encrypted shellcodes)
t_iat_scan_mode iat
detect IAT hooking
bool minidump
make minidump of full process
t_output_filter out_filter
level of details of the created output material
t_data_scan_mode data
should scan non-executable pages?
bool quiet
do not print log on the stdout
bool json_output
display the final summary as the JSON report
Final summary about the scanned process.
DWORD implanted
all implants: shellcodes + PEs
DWORD errors
the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE,...
DWORD implanted_shc
implanted shellcodes
bool is_reflection
was the scan performed on process reflection
DWORD scanned
number of all scanned modules
DWORD patched
detected modifications in the code
DWORD suspicious
general summary of suspicious
bool is_64bit
is process 64 bit
DWORD iat_hooked
detected IAT hooks
DWORD hdr_mod
PE header is modified (but not replaced)
DWORD unreachable_file
cannot read the file corresponding to the module in memory
DWORD implanted_pe
the full PE was probably loaded manually
DWORD skipped
some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this...
DWORD replaced
PE file replaced in memory (probably hollowed)
bool is_managed
is process managed (.NET)
DWORD other
other indicators
DWORD pid
pid of the process that was scanned
1.10.0