PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
scan_report.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include <iostream>
6#include <sstream>
7#include <string>
8#include <vector>
9
10#include <peconv.h>
11#include "pe_sieve_types.h"
12#include "module_scan_report.h"
13#include "scanned_modules.h"
14
15namespace pesieve {
16
18 class ProcessScanReport
19 {
20 public:
33
41
42 static t_report_type getReportType(ModuleScanReport *report);
43
49
55
56 void appendReport(ModuleScanReport *report)
57 {
58 if (report == nullptr) return;
59 moduleReports.push_back(report);
60 if (ModuleScanReport::get_scan_status(report) == SCAN_ERROR) {
61 this->errorsCount++;
62 }
63 appendToType(report);
64 // if the scan was successful, append the module to the scanned modules:
65 if (ModuleScanReport::get_scan_status(report) != SCAN_ERROR) {
66 modulesInfo.appendToModulesList(report);
67 }
68 }
69
74
75 bool hasModule(ULONGLONG page_addr)
76 {
77 if (!modulesInfo.getModuleAt(page_addr)) {
78 return false;
79 }
80 return true;
81 }
82
83 bool hasModuleContaining(ULONGLONG page_addr, size_t size)
84 {
85 if (!modulesInfo.findModuleContaining(page_addr, size)) {
86 return false;
87 }
88 return true;
89 }
90
91 bool isModuleReplaced(HMODULE module_base);
92
97
98 const virtual bool toJSON(std::stringstream &stream, size_t level, const t_report_filter &filter, const pesieve::t_json_level &jdetails) const;
99
100 pesieve::t_report generateSummary() const;
101 DWORD getPid() { return pid; }
102 bool isManagedProcess() { return this->isManaged; }
103
104 std::string mainImagePath;
105 std::vector<ModuleScanReport*> moduleReports; //TODO: make it protected
106 peconv::ExportsMapper *exportsMap;
107
108 protected:
109 std::string listModules(size_t level, const ProcessScanReport::t_report_filter &filter, const t_json_level &jdetails) const;
110
111 void deleteModuleReports()
112 {
113 std::vector<ModuleScanReport*>::iterator itr = moduleReports.begin();
114 for (; itr != moduleReports.end(); ++itr) {
115 ModuleScanReport* module = *itr;
116 delete module;
117 }
118 moduleReports.clear();
119 }
120
121 void appendToType(ModuleScanReport *report);
122 size_t countResultsPerType(const t_report_type type, const t_scan_status result) const;
123
124 size_t countSuspiciousPerType(const t_report_type type) const
125 {
126 return countResultsPerType(type, SCAN_SUSPICIOUS);
127 }
128
129 size_t countHdrsReplaced() const;
130 bool hasAnyShownType(const ProcessScanReport::t_report_filter &filter);
131
132 DWORD pid;
133 bool is64bit;
134 bool isManaged;
135 bool isReflection;
136 t_params* usedParams;
137 size_t errorsCount;
138
139 ModulesInfo modulesInfo;
140 std::set<ModuleScanReport*> reportsByType[REPORT_TYPES_COUNT];
141
142 friend class ProcessScanner;
143 friend class ResultsDumper;
144 };
145
146}; //namespace pesieve
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ModuleScanReport::get_scan_status
static t_scan_status get_scan_status(const ModuleScanReport *report)
Definition module_scan_report.h:30
pesieve::ModulesInfo
A container of all the process modules that were scanned.
Definition scanned_modules.h:84
pesieve::ModulesInfo::findModuleContaining
ScannedModule * findModuleContaining(ULONGLONG address, size_t size=0) const
Definition scanned_modules.cpp:53
pesieve::ModulesInfo::getScannedSize
size_t getScannedSize(ULONGLONG start_address) const
Definition scanned_modules.cpp:83
pesieve::ModulesInfo::appendToModulesList
bool appendToModulesList(ModuleScanReport *report)
Definition scanned_modules.cpp:24
pesieve::ModulesInfo::getModuleAt
ScannedModule * getModuleAt(ULONGLONG address) const
Definition scanned_modules.cpp:103
pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19
pesieve::ProcessScanReport::hasAnyShownType
bool hasAnyShownType(const ProcessScanReport::t_report_filter &filter)
Definition scan_report.cpp:38
pesieve::ProcessScanReport::countResultsPerType
size_t countResultsPerType(const t_report_type type, const t_scan_status result) const
Definition scan_report.cpp:88
pesieve::ProcessScanReport::toJSON
virtual const bool toJSON(std::stringstream &stream, size_t level, const t_report_filter &filter, const pesieve::t_json_level &jdetails) const
Definition scan_report.cpp:212
pesieve::ProcessScanReport::ProcessScanReport
ProcessScanReport(DWORD _pid, bool _is64bit, bool _isReflection, t_params *_usedParams)
Definition scan_report.h:44
pesieve::ProcessScanReport::appendReport
void appendReport(ModuleScanReport *report)
Definition scan_report.h:56
pesieve::ProcessScanReport::isModuleReplaced
bool isModuleReplaced(HMODULE module_base)
Definition scan_report.cpp:115
pesieve::ProcessScanReport::generateSummary
pesieve::t_report generateSummary() const
Definition scan_report.cpp:152
pesieve::ProcessScanReport::exportsMap
peconv::ExportsMapper * exportsMap
Definition scan_report.h:106
pesieve::ProcessScanReport::reportsByType
std::set< ModuleScanReport * > reportsByType[REPORT_TYPES_COUNT]
Definition scan_report.h:140
pesieve::ProcessScanReport::moduleReports
std::vector< ModuleScanReport * > moduleReports
Definition scan_report.h:105
pesieve::ProcessScanReport::hasModule
bool hasModule(ULONGLONG page_addr)
Definition scan_report.h:75
pesieve::ProcessScanReport::getReportType
static t_report_type getReportType(ModuleScanReport *report)
Definition scan_report.cpp:53
pesieve::ProcessScanReport::hasModuleContaining
bool hasModuleContaining(ULONGLONG page_addr, size_t size)
Definition scan_report.h:83
pesieve::ProcessScanReport::countHdrsReplaced
size_t countHdrsReplaced() const
Definition scan_report.cpp:132
pesieve::ProcessScanReport::getModuleContaining
ScannedModule * getModuleContaining(ULONGLONG field_addr, size_t field_size=0) const
Definition scan_report.h:93
pesieve::ProcessScanReport::getScannedSize
size_t getScannedSize(ULONGLONG address) const
Definition scan_report.h:70
pesieve::ProcessScanReport::appendToType
void appendToType(ModuleScanReport *report)
Definition scan_report.cpp:104
pesieve::ProcessScanReport::countSuspiciousPerType
size_t countSuspiciousPerType(const t_report_type type) const
Definition scan_report.h:124
pesieve::ProcessScanReport::listModules
std::string listModules(size_t level, const ProcessScanReport::t_report_filter &filter, const t_json_level &jdetails) const
Definition scan_report.cpp:185
pesieve::ProcessScanner
The root scanner, responsible for enumerating all the elements to be scanned within a given process,...
Definition scanner.h:14
pesieve::ScannedModule
Represents a basic info about the scanned module, such as its base offset, size, and the status.
Definition scanned_modules.h:14
pesieve.t_json_level
Definition pesieve.py:82
pesieve.t_params
Definition pesieve.py:100
pesieve.t_report_type
Definition pesieve.py:88
pesieve.t_report
Definition pesieve.py:123
module_scan_report.h
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
pe_sieve_types.h
The types used by PE-sieve API.
scanned_modules.h
report
Final summary about the scanned process.
Definition pe_sieve_types.h:137
Generated by doxygen 1.10.0