pe-sieve/report__formatter_8cpp_source.html

#include "report_formatter.h"

#include <string>

#include <sstream>


using namespace pesieve;


std::string pesieve::scan_report_to_string(const ProcessScanReport &process_report)

{

    const t_report report = process_report.generateSummary();

    std::stringstream stream;

    //summary:

    size_t other = report.other;

    stream << "---" << std::endl;

    stream << "PID: " << std::dec << report.pid << "\n";

    stream << "---" << std::endl;

    stream << "SUMMARY: \n" << std::endl;

    stream << "Total scanned:      " << std::dec << report.scanned << "\n";

    stream << "Skipped:            " << std::dec << report.skipped << "\n";

    stream << "-\n";

    stream << "Hooked:             " << std::dec << report.patched << "\n";

    stream << "Replaced:           " << std::dec << report.replaced << "\n";

    stream << "Hdrs Modified:      " << std::dec << report.hdr_mod << "\n";

    stream << "IAT Hooks:          " << std::dec << report.iat_hooked << "\n";

    stream << "Implanted:          " << std::dec << report.implanted << "\n";

    if (report.implanted) {

        stream << "Implanted PE:       " << std::dec << report.implanted_pe << "\n";

        stream << "Implanted shc:      " << std::dec << report.implanted_shc << "\n";

    }

    stream << "Unreachable files:  " << std::dec << report.unreachable_file << "\n";

    stream << "Other:              " << std::dec << other << "\n";

    stream << "-\n";

    stream << "Total suspicious:   " << std::dec << report.suspicious << "\n";

    if (report.errors) {

        stream << "[!] Errors:         " << std::dec << report.errors << "\n";

    }

    return stream.str();

}


std::string pesieve::err_report_to_json(const pesieve::ErrorReport& err_report,

    t_results_filter filter,

    size_t start_level

)

{

    if ((filter & SHOW_ERRORS) == 0) {

        return "";

    }

    //summary:

    std::stringstream stream;


    size_t level = start_level + 1;

    OUT_PADDED(stream, start_level, "{\n"); // beginning of the report


    OUT_PADDED(stream, level, "\"pid\" : ");

    stream << std::dec << err_report.pid << ",\n";

    OUT_PADDED(stream, level, "\"err_message\" : ");

    stream << "\"" << err_report.message << "\"\n";

    OUT_PADDED(stream, start_level, "}\n"); // end of the report


    std::string report_all = stream.str();

    if (report_all.length() == 0) {

        return "";

    }

    return report_all;

}


std::string pesieve::scan_report_to_json(

    const ProcessScanReport &process_report,

    t_results_filter filter,

    const pesieve::t_json_level &jdetails,

    size_t start_level

)

{

    //summary:

    std::stringstream stream;


    if (!process_report.toJSON(stream, start_level, filter, jdetails)) {

        return "";

    }

    std::string report_all = stream.str();

    if (report_all.length() == 0) {

        return "";

    }

    return report_all;

}


std::string pesieve::dump_report_to_json(

    const ProcessDumpReport& process_report,

    const pesieve::t_json_level& jdetails,

    size_t start_level

)

{

    //summary:

    std::stringstream stream;


    if (!process_report.toJSON(stream, start_level)) {

        return "";

    }

    std::string report_all = stream.str();

    if (report_all.length() == 0) {

        return "";

    }

    return report_all;

}


std::string pesieve::report_to_json(const pesieve::ReportEx& report, const t_report_type rtype, t_results_filter filter, const pesieve::t_json_level& jdetails, size_t start_level)

{

    if (rtype == REPORT_NONE) return 0;


    size_t level = 1;

    std::stringstream stream;


    if (report.error_report && (filter & SHOW_ERRORS)) {

        stream << "{\n";

        OUT_PADDED(stream, level, "\"error_report\" :\n");

        stream << err_report_to_json(*report.error_report, filter, level);

        stream << "}\n";

        return stream.str();

    }

    const bool has_dumps = (report.dump_report && report.dump_report->countDumped() > 0) ? true : false;

    stream << "{\n";

    if (report.scan_report && (rtype == REPORT_ALL || rtype == REPORT_SCANNED)) {

        OUT_PADDED(stream, level, "\"scan_report\" :\n");

        stream << scan_report_to_json(*report.scan_report, filter, jdetails, level);

        if (rtype == REPORT_ALL && has_dumps) {

            stream << ",";

        }

        stream << "\n";

    }

    if (rtype == REPORT_ALL || rtype == REPORT_DUMPED) {

        if (has_dumps || rtype == REPORT_DUMPED) { // do not output an empty report, unless requested specifically

            OUT_PADDED(stream, level, "\"dump_report\" :\n");

            stream << dump_report_to_json(*report.dump_report, jdetails, level);

            stream << "\n";

        }

    }

    stream << "}\n";

    return stream.str();

}


pesieve::ErrorReport
Definition pe_sieve_report.h:17

pesieve::ErrorReport::pid
const DWORD pid
Definition pe_sieve_report.h:24

pesieve::ErrorReport::message
const std::string message
Definition pe_sieve_report.h:25

pesieve::ProcessDumpReport
The report aggregating the results of the performed dumps.
Definition dump_report.h:49

pesieve::ProcessDumpReport::toJSON
virtual bool toJSON(std::stringstream &stream, size_t level) const
Definition dump_report.cpp:63

pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19

pesieve::ProcessScanReport::toJSON
virtual const bool toJSON(std::stringstream &stream, size_t level, const t_results_filter &filter, const pesieve::t_json_level &jdetails) const
Definition scan_report.cpp:212

pesieve::ProcessScanReport::generateSummary
pesieve::t_report generateSummary() const
Definition scan_report.cpp:152

pesieve::ReportEx
The final report about the actions performed on the process: scanning and dumping.
Definition pe_sieve_report.h:29

pesieve.t_json_level
Definition pesieve.py:82

pesieve.t_report_type
Definition pesieve.py:88

pesieve.t_report
Definition pesieve.py:123

OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12

pesieve
Definition pesieve.py:1

pesieve::scan_report_to_string
std::string scan_report_to_string(const ProcessScanReport &report)
Definition report_formatter.cpp:7

pesieve::dump_report_to_json
std::string dump_report_to_json(const ProcessDumpReport &process_report, const pesieve::t_json_level &jdetails, size_t start_level=0)
Definition report_formatter.cpp:87

pesieve::err_report_to_json
std::string err_report_to_json(const ErrorReport &err_report, t_results_filter filter, size_t start_level=0)
Definition report_formatter.cpp:39

pesieve::report_to_json
std::string report_to_json(const ReportEx &report, const t_report_type rtype, t_results_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0)
Definition report_formatter.cpp:106

pesieve::scan_report_to_json
std::string scan_report_to_json(const ProcessScanReport &process_report, t_results_filter filter, const pesieve::t_json_level &jdetails, size_t start_level=0)
Definition report_formatter.cpp:67

t_results_filter
t_results_filter
Definition pe_sieve_types.h:30

SHOW_ERRORS
@ SHOW_ERRORS
Definition pe_sieve_types.h:32

REPORT_ALL
@ REPORT_ALL
output all available reports
Definition pe_sieve_types.h:114

REPORT_DUMPED
@ REPORT_DUMPED
output the dumps report
Definition pe_sieve_types.h:113

REPORT_NONE
@ REPORT_NONE
do not output a report
Definition pe_sieve_types.h:111

REPORT_SCANNED
@ REPORT_SCANNED
output the scan report
Definition pe_sieve_types.h:112

report_formatter.h

report
Final summary about the scanned process.
Definition pe_sieve_types.h:150

report::implanted
DWORD implanted
all implants: shellcodes + PEs
Definition pe_sieve_types.h:162

report::errors
DWORD errors
the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE,...
Definition pe_sieve_types.h:167

report::implanted_shc
DWORD implanted_shc
implanted shellcodes
Definition pe_sieve_types.h:164

report::scanned
DWORD scanned
number of all scanned modules
Definition pe_sieve_types.h:155

report::patched
DWORD patched
detected modifications in the code
Definition pe_sieve_types.h:160

report::suspicious
DWORD suspicious
general summary of suspicious
Definition pe_sieve_types.h:156

report::iat_hooked
DWORD iat_hooked
detected IAT hooks
Definition pe_sieve_types.h:161

report::hdr_mod
DWORD hdr_mod
PE header is modified (but not replaced)
Definition pe_sieve_types.h:158

report::unreachable_file
DWORD unreachable_file
cannot read the file corresponding to the module in memory
Definition pe_sieve_types.h:159

report::implanted_pe
DWORD implanted_pe
the full PE was probably loaded manually
Definition pe_sieve_types.h:163

report::skipped
DWORD skipped
some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this...
Definition pe_sieve_types.h:166

report::replaced
DWORD replaced
PE file replaced in memory (probably hollowed)
Definition pe_sieve_types.h:157

report::other
DWORD other
other indicators
Definition pe_sieve_types.h:165

report::pid
DWORD pid
pid of the process that was scanned
Definition pe_sieve_types.h:151