pe-sieve/results__dumper_8h_source.html

#pragma once


#include <windows.h>


#include "report_formatter.h"

#include "dump_report.h"

#include "pe_buffer.h"


namespace pesieve {


    class ResultsDumper

    {

    public:


        ResultsDumper(std::string _baseDir, bool _quiet)

            : baseDir(_baseDir), quiet(_quiet)

        {

        }


        // dump all modules detected as suspicious during the process scan

        ProcessDumpReport* dumpDetectedModules(HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const pesieve::t_imprec_mode imprec_mode);


        // dump JSON report from the process scan

        bool dumpJsonReport(ProcessScanReport &process_report, const ProcessScanReport::t_report_filter &filter, const pesieve::t_json_level &jdetails);


        bool dumpJsonReport(ProcessDumpReport &process_report);


        std::string getOutputDir()

        {

            return this->dumpDir;

        }


        std::string makeOutPath(const std::string &fname, const std::string& defaultExtension = "");


    protected:

        bool dumpModule(

            IN HANDLE processHandle,

            IN bool isRefl,

            IN const ModulesInfo &modulesInfo,

            IN ModuleScanReport* modReport,

            IN const peconv::ExportsMapper *exportsMap,

            IN const pesieve::t_dump_mode dump_mode,

            IN const pesieve::t_imprec_mode imprec_mode,

            OUT ProcessDumpReport &dumpReport

        );


        std::string makeModuleDumpPath(ULONGLONG modBaseAddr, const std::string &fname, const std::string &defaultExtension);


        std::string makeDirName(const DWORD process_id);


        void makeAndJoinDirectories(std::stringstream& name_stream);


        bool fillModuleCopy(IN ModuleScanReport* mod, IN OUT PeBuffer& module_buf);


        std::string dumpDir; // dump directory

        std::string baseDir; // base directory

        bool quiet;

    };


}; //namespace pesieve

pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26

pesieve::ModulesInfo
A container of all the process modules that were scanned.
Definition scanned_modules.h:84

pesieve::PeBuffer
Definition pe_buffer.h:8

pesieve::ProcessDumpReport
The report aggregating the results of the performed dumps.
Definition dump_report.h:48

pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19

pesieve::ProcessScanReport::t_report_filter
t_report_filter
Definition scan_report.h:34

pesieve::ResultsDumper
Definition results_dumper.h:12

pesieve::ResultsDumper::makeModuleDumpPath
std::string makeModuleDumpPath(ULONGLONG modBaseAddr, const std::string &fname, const std::string &defaultExtension)
Definition results_dumper.cpp:412

pesieve::ResultsDumper::makeDirName
std::string makeDirName(const DWORD process_id)
Definition results_dumper.cpp:441

pesieve::ResultsDumper::fillModuleCopy
bool fillModuleCopy(IN ModuleScanReport *mod, IN OUT PeBuffer &module_buf)
Definition results_dumper.cpp:212

pesieve::ResultsDumper::makeAndJoinDirectories
void makeAndJoinDirectories(std::stringstream &name_stream)
Definition results_dumper.cpp:390

pesieve::ResultsDumper::ResultsDumper
ResultsDumper(std::string _baseDir, bool _quiet)
Definition results_dumper.h:15

pesieve::ResultsDumper::makeOutPath
std::string makeOutPath(const std::string &fname, const std::string &defaultExtension="")
Definition results_dumper.cpp:426

pesieve::ResultsDumper::quiet
bool quiet
Definition results_dumper.h:71

pesieve::ResultsDumper::dumpDetectedModules
ProcessDumpReport * dumpDetectedModules(HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const pesieve::t_imprec_mode imprec_mode)
Definition results_dumper.cpp:177

pesieve::ResultsDumper::dumpModule
bool dumpModule(IN HANDLE processHandle, IN bool isRefl, IN const ModulesInfo &modulesInfo, IN ModuleScanReport *modReport, IN const peconv::ExportsMapper *exportsMap, IN const pesieve::t_dump_mode dump_mode, IN const pesieve::t_imprec_mode imprec_mode, OUT ProcessDumpReport &dumpReport)
Definition results_dumper.cpp:230

pesieve::ResultsDumper::getOutputDir
std::string getOutputDir()
Definition results_dumper.h:28

pesieve::ResultsDumper::dumpDir
std::string dumpDir
Definition results_dumper.h:69

pesieve::ResultsDumper::baseDir
std::string baseDir
Definition results_dumper.h:70

pesieve::ResultsDumper::dumpJsonReport
bool dumpJsonReport(ProcessScanReport &process_report, const ProcessScanReport::t_report_filter &filter, const pesieve::t_json_level &jdetails)
Definition results_dumper.cpp:116

pesieve.t_dump_mode
Definition pesieve.py:51

pesieve.t_imprec_mode
Definition pesieve.py:42

pesieve.t_json_level
Definition pesieve.py:82

dump_report.h

pesieve
Definition pesieve.py:1

pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31

pe_buffer.h

report_formatter.h