pe-sieve/scan__report_8cpp_source.html

#include "scan_report.h"

#include "../pe_sieve_ver_short.h"

#include "headers_scanner.h"

#include "code_scanner.h"

#include "iat_scanner.h"

#include "workingset_scanner.h"

#include "artefact_scanner.h"

#include "mapping_scanner.h"

#include "thread_scanner.h"


#include "../utils/format_util.h"

#include "../params_info/params_dump.h"


using namespace pesieve;

using namespace pesieve::util;


namespace pesieve {


    bool is_shown_type(t_scan_status status, t_results_filter filter)

    {

        if (filter == SHOW_ALL) {

            return true;

        }

        if (filter & SHOW_ERRORS) {

            if (status == SCAN_ERROR) return true;

        }

        if (filter & SHOW_SUSPICIOUS) {

            if (status == SCAN_SUSPICIOUS) return true;

        }

        if (filter & SHOW_NOT_SUSPICIOUS) {

            if (status == SCAN_NOT_SUSPICIOUS) return true;

        }

        return false;

    }


}; //namespace pesieve


bool pesieve::ProcessScanReport::hasAnyShownType(const pesieve::t_results_filter &filter)

{

    t_report summary = this->generateSummary();

    t_scan_status aggregated_status = (summary.suspicious > 0) ? SCAN_SUSPICIOUS : SCAN_NOT_SUSPICIOUS;

    if (is_shown_type(aggregated_status, filter)) {

        return true;

    }

    aggregated_status = (summary.errors > 0) ? SCAN_ERROR : SCAN_NOT_SUSPICIOUS;

    if (is_shown_type(aggregated_status, filter)) {

        return true;

    }

    return false;

}


//----


pesieve::ProcessScanReport::t_report_type pesieve::ProcessScanReport::getReportType(ModuleScanReport *report)

{

    if (!report) {

        return pesieve::ProcessScanReport::REPORT_TYPES_COUNT;

    }

    if (dynamic_cast<HeadersScanReport*>(report)) {

        return pesieve::ProcessScanReport::REPORT_HEADERS_SCAN;

    }

    if (dynamic_cast<WorkingSetScanReport*>(report)) {

        if (dynamic_cast<ArtefactScanReport*>(report)) {

            return pesieve::ProcessScanReport::REPORT_ARTEFACT_SCAN;

        }

        return pesieve::ProcessScanReport::REPORT_MEMPAGE_SCAN;

    }

    if (dynamic_cast<MappingScanReport*>(report)) {

        return pesieve::ProcessScanReport::REPORT_MAPPING_SCAN;

    }

    if (dynamic_cast<CodeScanReport*>(report)) {

        return pesieve::ProcessScanReport::REPORT_CODE_SCAN;

    }

    if (dynamic_cast<IATScanReport*>(report)) {

        return pesieve::ProcessScanReport::REPORT_IAT_SCAN;

    }

    if (dynamic_cast<UnreachableModuleReport*>(report)) {

        return pesieve::ProcessScanReport::REPORT_UNREACHABLE_SCAN;

    }

    if (dynamic_cast<SkippedModuleReport*>(report)) {

        return pesieve::ProcessScanReport::REPORT_SKIPPED_SCAN;

    }

    if (dynamic_cast<ThreadScanReport*>(report)) {

        return pesieve::ProcessScanReport::REPORT_THREADS_SCAN;

    }

    return pesieve::ProcessScanReport::REPORT_TYPES_COUNT;

}


size_t pesieve::ProcessScanReport::countResultsPerType(const t_report_type type, const t_scan_status result) const

{

    if (type >= REPORT_TYPES_COUNT) {

        return 0; //invalid type

    }

    size_t counter = 0;

    std::set<ModuleScanReport*>::iterator itr;

    for (itr = this->reportsByType[type].begin(); itr != this->reportsByType[type].end(); ++itr) {

        ModuleScanReport* report = *itr;

        if (ModuleScanReport::get_scan_status(report) == result) {

            counter++;

        }

    }

    return counter;

}


void pesieve::ProcessScanReport::appendToType(ModuleScanReport *report)

{

    if (report == nullptr) return;


    t_report_type type = pesieve::ProcessScanReport::getReportType(report);

    if (type >= REPORT_TYPES_COUNT) {

        return;

    }

    this->reportsByType[type].insert(report);

}


bool pesieve::ProcessScanReport::isModuleReplaced(HMODULE module_base)

{

    if (!hasModule((ULONGLONG)module_base)) {

        return false;

    }

    std::set<ModuleScanReport*>::const_iterator itr;

    for (itr = reportsByType[REPORT_HEADERS_SCAN].begin(); itr != reportsByType[REPORT_HEADERS_SCAN].end(); ++itr) {

        HeadersScanReport* report = dynamic_cast<HeadersScanReport*>(*itr);

        if (report && report->module == module_base) {

            if (report->isHdrReplaced()) {

                return true;

            }

        }

    }

    return false;

}


size_t pesieve::ProcessScanReport::countHdrsReplaced() const

{

    size_t replaced = 0;

    const t_report_type type = REPORT_HEADERS_SCAN;


    std::set<ModuleScanReport*>::iterator itr;

    for (itr = this->reportsByType[type].begin(); itr != this->reportsByType[type].end(); ++itr) {

        ModuleScanReport* report = *itr;

        if (ModuleScanReport::get_scan_status(report) == SCAN_SUSPICIOUS) {

            HeadersScanReport *hdrRep = dynamic_cast<HeadersScanReport*>(report);

            if (!hdrRep) continue; //it should not happen


            if (hdrRep->isHdrReplaced()) {

                replaced++;

            }

        }

    }

    return replaced;

}


pesieve::t_report pesieve::ProcessScanReport::generateSummary() const

{

    t_report summary = { 0 };

    summary.pid = this->pid;

    summary.is_64bit = this->is64bit;

    summary.is_managed = this->isManaged;

    summary.is_reflection = this->isReflection;

    summary.errors = static_cast<DWORD>(this->errorsCount);

    summary.skipped = static_cast<DWORD>(this->reportsByType[REPORT_SKIPPED_SCAN].size());

    summary.scanned = static_cast<DWORD>(this->reportsByType[REPORT_HEADERS_SCAN].size());


    std::vector<ModuleScanReport*>::const_iterator itr = moduleReports.begin();

    for (; itr != moduleReports.end(); ++itr) {

        ModuleScanReport* report = *itr;

        if (ModuleScanReport::get_scan_status(report) == SCAN_SUSPICIOUS) {

            summary.suspicious++;

        }

        if (ModuleScanReport::get_scan_status(report) == SCAN_ERROR) {

            summary.errors++;

        }

    }

    summary.replaced = MASK_TO_DWORD(countHdrsReplaced());

    summary.patched = MASK_TO_DWORD(countSuspiciousPerType(REPORT_CODE_SCAN));

    summary.iat_hooked = MASK_TO_DWORD(countSuspiciousPerType(REPORT_IAT_SCAN));

    summary.implanted_shc = MASK_TO_DWORD(countSuspiciousPerType(REPORT_MEMPAGE_SCAN) + countSuspiciousPerType(REPORT_THREADS_SCAN));

    summary.implanted_pe = MASK_TO_DWORD(countSuspiciousPerType(REPORT_ARTEFACT_SCAN));

    summary.implanted = MASK_TO_DWORD(summary.implanted_shc + summary.implanted_pe);

    summary.hdr_mod = MASK_TO_DWORD(countSuspiciousPerType(REPORT_HEADERS_SCAN) - summary.replaced);

    summary.unreachable_file = MASK_TO_DWORD(countSuspiciousPerType(REPORT_UNREACHABLE_SCAN) + countResultsPerType(REPORT_UNREACHABLE_SCAN, pesieve::SCAN_ERROR));

    summary.other = MASK_TO_DWORD(summary.suspicious - (summary.patched + summary.replaced + summary.implanted + summary.hdr_mod + summary.iat_hooked));

    return summary;

}


std::string pesieve::ProcessScanReport::listModules(size_t level, const pesieve::t_results_filter &filter, const t_json_level &jdetails) const

{

    std::stringstream stream;

    //summary:

    OUT_PADDED(stream, level, "\"scans\" : [\n");

    bool is_first = true;

    std::vector<ModuleScanReport*>::const_iterator itr;

    for (itr = this->moduleReports.begin(); itr != this->moduleReports.end(); ++itr) {

        ModuleScanReport *mod = *itr;

        if (is_shown_type(mod->status, filter)) {

            if (!is_first) {

                stream << ",\n";

            }

            OUT_PADDED(stream, level + 1, "{\n");

            mod->toJSON(stream, level + 2, jdetails);

            stream << "\n";

            OUT_PADDED(stream, level + 1, "}");

            is_first = false;

        }

    }

    if (moduleReports.size()) {

        stream << "\n";

    }

    OUT_PADDED(stream, level, "]\n");

    return stream.str();

}


const bool pesieve::ProcessScanReport::toJSON(

    std::stringstream &stream, size_t start_level,

    const pesieve::t_results_filter &filter,

    const pesieve::t_json_level &jdetails) const

{

    const t_report report = this->generateSummary();

    //summary:

    size_t other = report.other;

    size_t level = start_level + 1;

    OUT_PADDED(stream, start_level, "{\n"); // beginning of the report


    OUT_PADDED(stream, level, "\"pid\" : ");

    stream << std::dec << report.pid << ",\n";

    OUT_PADDED(stream, level, "\"is_64_bit\" : ");

    stream << std::dec << report.is_64bit << ",\n";

    OUT_PADDED(stream, level, "\"is_managed\" : ");

    stream << std::dec << report.is_managed << ",\n";

    OUT_PADDED(stream, level, "\"main_image_path\" : \"");

    stream << escape_path_separators(this->mainImagePath) << "\",\n";

    OUT_PADDED(stream, level, "\"used_reflection\" : ");

    stream << std::dec << report.is_reflection << ",\n";

    OUT_PADDED(stream, level, "\"scanner_version\" : ");

    stream << "\"" << PESIEVE_VERSION_STR << "\",\n";

    OUT_PADDED(stream, level, "\"scanned\" : \n");

    OUT_PADDED(stream, level, "{\n");

    //stream << " {\n";

    OUT_PADDED(stream, level + 1, "\"total\" : ");

    stream << std::dec << report.scanned << ",\n";

    OUT_PADDED(stream, level + 1, "\"skipped\" : ");

    stream << std::dec << report.skipped << ",\n";

    OUT_PADDED(stream, level + 1, "\"modified\" : \n");

    OUT_PADDED(stream, level + 1, "{\n");

    //stream << "  {\n";

    OUT_PADDED(stream, level + 2, "\"total\" : ");

    stream << std::dec << report.suspicious << ",\n";

    OUT_PADDED(stream, level + 2, "\"patched\" : ");

    stream << std::dec << report.patched << ",\n";

    OUT_PADDED(stream, level + 2, "\"iat_hooked\" : ");

    stream << std::dec << report.iat_hooked << ",\n";

    OUT_PADDED(stream, level + 2, "\"replaced\" : ");

    stream << std::dec << report.replaced << ",\n";

    OUT_PADDED(stream, level + 2, "\"hdr_modified\" : ");

    stream << std::dec << report.hdr_mod << ",\n";

    OUT_PADDED(stream, level + 2, "\"implanted_pe\" : ");

    stream << std::dec << report.implanted_pe << ",\n";

    OUT_PADDED(stream, level + 2, "\"implanted_shc\" : ");

    stream << std::dec << report.implanted_shc << ",\n";

    OUT_PADDED(stream, level + 2, "\"unreachable_file\" : ");

    stream << std::dec << report.unreachable_file << ",\n";

    OUT_PADDED(stream, level + 2, "\"other\" : ");

    stream << std::dec << other << "\n";

    OUT_PADDED(stream, level + 1, "},\n"); // modified

    OUT_PADDED(stream, level + 1, "\"errors\" : ");

    stream << std::dec << report.errors << "\n";

    OUT_PADDED(stream, level, "},\n"); // scanned

    stream << listModules(level, filter, jdetails);


    OUT_PADDED(stream, start_level, "}"); // end of the report

    return true;

}


artefact_scanner.h

pesieve::ArtefactScanReport
A report from the artefacts scan, generated by ArtefactScanner.
Definition artefact_scanner.h:118

pesieve::CodeScanReport
A report from the code scan, generated by CodeScanner.
Definition code_scanner.h:14

pesieve::HeadersScanReport
A report from the headers scan, generated by HeadersScanner.
Definition headers_scanner.h:11

pesieve::HeadersScanReport::isHdrReplaced
bool isHdrReplaced()
Definition headers_scanner.h:65

pesieve::IATScanReport
A report from an IAT scan, generated by IATScanner.
Definition iat_scanner.h:12

pesieve::MappingScanReport
Definition mapping_scanner.h:13

pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26

pesieve::ModuleScanReport::status
t_scan_status status
Definition module_scan_report.h:61

pesieve::ModuleScanReport::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level=JSON_LEVEL, const pesieve::t_json_level &jdetails=JSON_BASIC)=0

pesieve::ModuleScanReport::get_scan_status
static t_scan_status get_scan_status(const ModuleScanReport *report)
Definition module_scan_report.h:30

pesieve::ProcessScanReport::countResultsPerType
size_t countResultsPerType(const t_report_type type, const t_scan_status result) const
Definition scan_report.cpp:88

pesieve::ProcessScanReport::toJSON
virtual const bool toJSON(std::stringstream &stream, size_t level, const t_results_filter &filter, const pesieve::t_json_level &jdetails) const
Definition scan_report.cpp:212

pesieve::ProcessScanReport::isModuleReplaced
bool isModuleReplaced(HMODULE module_base)
Definition scan_report.cpp:115

pesieve::ProcessScanReport::generateSummary
pesieve::t_report generateSummary() const
Definition scan_report.cpp:152

pesieve::ProcessScanReport::listModules
std::string listModules(size_t level, const t_results_filter &filter, const t_json_level &jdetails) const
Definition scan_report.cpp:185

pesieve::ProcessScanReport::t_report_type
t_report_type
Definition scan_report.h:21

pesieve::ProcessScanReport::REPORT_ARTEFACT_SCAN
@ REPORT_ARTEFACT_SCAN
Definition scan_report.h:26

pesieve::ProcessScanReport::REPORT_SKIPPED_SCAN
@ REPORT_SKIPPED_SCAN
Definition scan_report.h:28

pesieve::ProcessScanReport::REPORT_UNREACHABLE_SCAN
@ REPORT_UNREACHABLE_SCAN
Definition scan_report.h:27

pesieve::ProcessScanReport::REPORT_MEMPAGE_SCAN
@ REPORT_MEMPAGE_SCAN
Definition scan_report.h:25

pesieve::ProcessScanReport::REPORT_THREADS_SCAN
@ REPORT_THREADS_SCAN
Definition scan_report.h:30

pesieve::ProcessScanReport::REPORT_TYPES_COUNT
@ REPORT_TYPES_COUNT
Definition scan_report.h:31

pesieve::ProcessScanReport::REPORT_MAPPING_SCAN
@ REPORT_MAPPING_SCAN
Definition scan_report.h:22

pesieve::ProcessScanReport::REPORT_HEADERS_SCAN
@ REPORT_HEADERS_SCAN
Definition scan_report.h:23

pesieve::ProcessScanReport::REPORT_IAT_SCAN
@ REPORT_IAT_SCAN
Definition scan_report.h:29

pesieve::ProcessScanReport::REPORT_CODE_SCAN
@ REPORT_CODE_SCAN
Definition scan_report.h:24

pesieve::ProcessScanReport::getReportType
static t_report_type getReportType(ModuleScanReport *report)
Definition scan_report.cpp:53

pesieve::ProcessScanReport::countHdrsReplaced
size_t countHdrsReplaced() const
Definition scan_report.cpp:132

pesieve::ProcessScanReport::hasAnyShownType
bool hasAnyShownType(const t_results_filter &filter)
Definition scan_report.cpp:38

pesieve::ProcessScanReport::appendToType
void appendToType(ModuleScanReport *report)
Definition scan_report.cpp:104

pesieve::SkippedModuleReport
Definition module_scan_report.h:121

pesieve::ThreadScanReport
A report from the thread scan, generated by ThreadScanner.
Definition thread_scanner.h:16

pesieve::UnreachableModuleReport
Definition module_scan_report.h:101

pesieve::WorkingSetScanReport
A report from the working set scan, generated by WorkingSetScanner.
Definition workingset_scanner.h:29

pesieve.t_json_level
Definition pesieve.py:82

pesieve.t_report
Definition pesieve.py:123

code_scanner.h

format_util.h

OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12

headers_scanner.h

MASK_TO_DWORD
#define MASK_TO_DWORD(val)
Definition iat_finder.h:9

iat_scanner.h

mapping_scanner.h

pesieve::util
Definition artefact_scanner.cpp:12

pesieve::util::DWORD
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle

pesieve::util::escape_path_separators
std::string escape_path_separators(std::string path)
Definition path_util.cpp:27

pesieve
Definition pesieve.py:1

pesieve::SCAN_NOT_SUSPICIOUS
@ SCAN_NOT_SUSPICIOUS
Definition module_scan_report.h:20

pesieve::SCAN_SUSPICIOUS
@ SCAN_SUSPICIOUS
Definition module_scan_report.h:21

pesieve::SCAN_ERROR
@ SCAN_ERROR
Definition module_scan_report.h:19

pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status

pesieve::is_shown_type
bool is_shown_type(t_scan_status status, t_results_filter filter)
Definition scan_report.cpp:19

params_dump.h

t_results_filter
t_results_filter
Definition pe_sieve_types.h:30

SHOW_ERRORS
@ SHOW_ERRORS
Definition pe_sieve_types.h:32

SHOW_SUSPICIOUS
@ SHOW_SUSPICIOUS
Definition pe_sieve_types.h:34

SHOW_NOT_SUSPICIOUS
@ SHOW_NOT_SUSPICIOUS
Definition pe_sieve_types.h:33

SHOW_ALL
@ SHOW_ALL
Definition pe_sieve_types.h:37

pe_sieve_ver_short.h

PESIEVE_VERSION_STR
#define PESIEVE_VERSION_STR
Definition pe_sieve_ver_short.h:8

scan_report.h

report
Final summary about the scanned process.
Definition pe_sieve_types.h:150

report::errors
DWORD errors
the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE,...
Definition pe_sieve_types.h:167

report::implanted_shc
DWORD implanted_shc
implanted shellcodes
Definition pe_sieve_types.h:164

report::is_reflection
bool is_reflection
was the scan performed on process reflection
Definition pe_sieve_types.h:154

report::scanned
DWORD scanned
number of all scanned modules
Definition pe_sieve_types.h:155

report::patched
DWORD patched
detected modifications in the code
Definition pe_sieve_types.h:160

report::suspicious
DWORD suspicious
general summary of suspicious
Definition pe_sieve_types.h:156

report::is_64bit
bool is_64bit
is process 64 bit
Definition pe_sieve_types.h:153

report::iat_hooked
DWORD iat_hooked
detected IAT hooks
Definition pe_sieve_types.h:161

report::hdr_mod
DWORD hdr_mod
PE header is modified (but not replaced)
Definition pe_sieve_types.h:158

report::unreachable_file
DWORD unreachable_file
cannot read the file corresponding to the module in memory
Definition pe_sieve_types.h:159

report::implanted_pe
DWORD implanted_pe
the full PE was probably loaded manually
Definition pe_sieve_types.h:163

report::skipped
DWORD skipped
some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this...
Definition pe_sieve_types.h:166

report::replaced
DWORD replaced
PE file replaced in memory (probably hollowed)
Definition pe_sieve_types.h:157

report::is_managed
bool is_managed
is process managed (.NET)
Definition pe_sieve_types.h:152

report::other
DWORD other
other indicators
Definition pe_sieve_types.h:165

report::pid
DWORD pid
pid of the process that was scanned
Definition pe_sieve_types.h:151

thread_scanner.h

workingset_scanner.h