90 if (type >= REPORT_TYPES_COUNT) {
94 std::set<ModuleScanReport*>::iterator
itr;
95 for (
itr = this->reportsByType[type].
begin();
itr != this->reportsByType[type].end(); ++
itr) {
106 if (
report ==
nullptr)
return;
109 if (type >= REPORT_TYPES_COUNT) {
112 this->reportsByType[type].insert(
report);
120 std::set<ModuleScanReport*>::const_iterator
itr;
121 for (
itr = reportsByType[REPORT_HEADERS_SCAN].
begin();
itr != reportsByType[REPORT_HEADERS_SCAN].end(); ++
itr) {
124 if (
report->isHdrReplaced()) {
137 std::set<ModuleScanReport*>::iterator
itr;
138 for (
itr = this->reportsByType[type].
begin();
itr != this->reportsByType[type].end(); ++
itr) {
144 if (
hdrRep->isHdrReplaced()) {
156 summary.is_64bit = this->is64bit;
157 summary.is_managed = this->isManaged;
158 summary.is_reflection = this->isReflection;
160 summary.skipped =
static_cast<DWORD>(this->reportsByType[REPORT_SKIPPED_SCAN].size());
161 summary.scanned =
static_cast<DWORD>(this->reportsByType[REPORT_HEADERS_SCAN].size());
163 std::vector<ModuleScanReport*>::const_iterator
itr = moduleReports.begin();
164 for (;
itr != moduleReports.end(); ++
itr) {
176 summary.implanted_shc =
MASK_TO_DWORD(countSuspiciousPerType(REPORT_MEMPAGE_SCAN) + countSuspiciousPerType(REPORT_THREADS_SCAN));
191 std::vector<ModuleScanReport*>::const_iterator
itr;
192 for (
itr = this->moduleReports.begin();
itr != this->moduleReports.end(); ++
itr) {
205 if (moduleReports.size()) {
262 stream << std::dec << other <<
"\n";
A report from the artefacts scan, generated by ArtefactScanner.
A report from the code scan, generated by CodeScanner.
A report from an IAT scan, generated by IATScanner.
A base class for all reports detailing the output of a performed module scan.
static t_scan_status get_scan_status(const ModuleScanReport *report)
bool hasAnyShownType(const ProcessScanReport::t_report_filter &filter)
size_t countResultsPerType(const t_report_type type, const t_scan_status result) const
virtual const bool toJSON(std::stringstream &stream, size_t level, const t_report_filter &filter, const pesieve::t_json_level &jdetails) const
bool isModuleReplaced(HMODULE module_base)
pesieve::t_report generateSummary() const
@ REPORT_UNREACHABLE_SCAN
static t_report_type getReportType(ModuleScanReport *report)
size_t countHdrsReplaced() const
void appendToType(ModuleScanReport *report)
std::string listModules(size_t level, const ProcessScanReport::t_report_filter &filter, const t_json_level &jdetails) const
A report from the thread scan, generated by ThreadScanner.
A report from the working set scan, generated by WorkingSetScanner.
#define MASK_TO_DWORD(val)
DWORD(__stdcall *_PssCaptureSnapshot)(HANDLE ProcessHandle
std::string escape_path_separators(std::string path)
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
bool is_shown_type(t_scan_status status, ProcessScanReport::t_report_filter filter)
enum pesieve::module_scan_status t_scan_status
#define PESIEVE_VERSION_STR
Final summary about the scanned process.
DWORD errors
the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE,...
DWORD implanted_shc
implanted shellcodes
bool is_reflection
was the scan performed on a process reflection
DWORD scanned
number of all scanned modules
DWORD patched
detected modifications in the code
DWORD suspicious
general summary of suspicious
bool is_64bit
is the process 64-bit
DWORD iat_hooked
detected IAT hooks
DWORD hdr_mod
PE header is modified (but not replaced)
DWORD unreachable_file
cannot read the file corresponding to the module in memory
DWORD implanted_pe
the full PE was probably loaded manually
DWORD skipped
some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this...
DWORD replaced
PE file replaced in memory (probably hollowed)
bool is_managed
is the process managed (.NET)
DWORD other
other indicators
DWORD pid
PID of the process that was scanned