pe-sieve/results__dumper_8h_source.html

#pragma once


#include <windows.h>


#include "report_formatter.h"

#include "dump_report.h"

#include "pe_buffer.h"


namespace pesieve {


    class ResultsDumper

    {

    public:


        ResultsDumper(std::string _baseDir, bool _quiet)

            : baseDir(_baseDir), quiet(_quiet)

        {

        }


        // dump all modules detected as suspicious during the process scan

        ProcessDumpReport* dumpDetectedModules(

            HANDLE hProcess,

            bool isRefl,

            ProcessScanReport &process_report,

            const pesieve::t_dump_mode dump_mode,

            const t_imprec_mode imprec_mode,

            const bool rebase

        );


        // dump JSON report from the process scan

        bool dumpJsonReport(ProcessScanReport &process_report, const t_results_filter &filter, const pesieve::t_json_level &jdetails);


        bool dumpJsonReport(ProcessDumpReport &process_report);


        bool dumpJsonReport(ErrorReport& error_report, const t_results_filter& filter);


        std::string getOutputDir()

        {

            return this->dumpDir;

        }


        std::string makeOutPath(const std::string &fname, const std::string& defaultExtension = "");


    protected:

        bool dumpModule(

            IN HANDLE processHandle,

            IN bool isRefl,

            IN const ModulesInfo &modulesInfo,

            IN ModuleScanReport* modReport,

            IN const peconv::ExportsMapper *exportsMap,

            IN const pesieve::t_dump_mode dump_mode,

            IN const pesieve::t_imprec_mode imprec_mode,

            IN bool rebase,

            OUT ProcessDumpReport &dumpReport

        );


        std::string makeModuleDumpPath(ULONGLONG modBaseAddr, const std::string &fname, const std::string &defaultExtension);


        std::string makeDirName(const DWORD process_id);


        void makeAndJoinDirectories(std::stringstream& name_stream);


        bool fillModuleCopy(IN ModuleScanReport* mod, IN OUT PeBuffer& module_buf);


        std::string dumpDir; // dump directory

        std::string baseDir; // base directory

        bool quiet;

    };


}; //namespace pesieve

pesieve::ErrorReport
Definition pe_sieve_report.h:17

pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26

pesieve::ModulesInfo
A container of all the process modules that were scanned.
Definition scanned_modules.h:84

pesieve::PeBuffer
Definition pe_buffer.h:8

pesieve::ProcessDumpReport
The report aggregating the results of the performed dumps.
Definition dump_report.h:49

pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19

pesieve::ResultsDumper
Definition results_dumper.h:12

pesieve::ResultsDumper::makeModuleDumpPath
std::string makeModuleDumpPath(ULONGLONG modBaseAddr, const std::string &fname, const std::string &defaultExtension)
Definition results_dumper.cpp:455

pesieve::ResultsDumper::makeDirName
std::string makeDirName(const DWORD process_id)
Definition results_dumper.cpp:484

pesieve::ResultsDumper::fillModuleCopy
bool fillModuleCopy(IN ModuleScanReport *mod, IN OUT PeBuffer &module_buf)
Definition results_dumper.cpp:244

pesieve::ResultsDumper::makeAndJoinDirectories
void makeAndJoinDirectories(std::stringstream &name_stream)
Definition results_dumper.cpp:433

pesieve::ResultsDumper::ResultsDumper
ResultsDumper(std::string _baseDir, bool _quiet)
Definition results_dumper.h:15

pesieve::ResultsDumper::makeOutPath
std::string makeOutPath(const std::string &fname, const std::string &defaultExtension="")
Definition results_dumper.cpp:469

pesieve::ResultsDumper::quiet
bool quiet
Definition results_dumper.h:82

pesieve::ResultsDumper::dumpModule
bool dumpModule(IN HANDLE processHandle, IN bool isRefl, IN const ModulesInfo &modulesInfo, IN ModuleScanReport *modReport, IN const peconv::ExportsMapper *exportsMap, IN const pesieve::t_dump_mode dump_mode, IN const pesieve::t_imprec_mode imprec_mode, IN bool rebase, OUT ProcessDumpReport &dumpReport)
Definition results_dumper.cpp:262

pesieve::ResultsDumper::dumpDetectedModules
ProcessDumpReport * dumpDetectedModules(HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const t_imprec_mode imprec_mode, const bool rebase)
Definition results_dumper.cpp:204

pesieve::ResultsDumper::getOutputDir
std::string getOutputDir()
Definition results_dumper.h:37

pesieve::ResultsDumper::dumpDir
std::string dumpDir
Definition results_dumper.h:80

pesieve::ResultsDumper::dumpJsonReport
bool dumpJsonReport(ProcessScanReport &process_report, const t_results_filter &filter, const pesieve::t_json_level &jdetails)
Definition results_dumper.cpp:116

pesieve::ResultsDumper::baseDir
std::string baseDir
Definition results_dumper.h:81

pesieve.t_dump_mode
Definition pesieve.py:51

pesieve.t_imprec_mode
Definition pesieve.py:42

pesieve.t_json_level
Definition pesieve.py:82

dump_report.h

pesieve
Definition pesieve.py:1

pe_buffer.h

t_results_filter
t_results_filter
Definition pe_sieve_types.h:30

report_formatter.h