PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
scan_report.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4
5#include <iostream>
6#include <sstream>
7#include <string>
8#include <vector>
9
10#include <peconv.h>
11#include "pe_sieve_types.h"
12#include "module_scan_report.h"
13#include "scanned_modules.h"
14
15namespace pesieve {
16
18 class ProcessScanReport
19 {
20 public:
33
34 static t_report_type getReportType(ModuleScanReport *report);
35
36 ProcessScanReport(DWORD _pid, bool _is64bit, bool _isReflection, t_params* _usedParams)
37 : pid(_pid), exportsMap(nullptr), errorsCount(0), modulesInfo(pid), isManaged(false), is64bit(_is64bit),
38 isReflection(_isReflection), usedParams(_usedParams)
39 {
40 }
41
47
48 void appendReport(ModuleScanReport *report)
49 {
50 if (report == nullptr) return;
51 moduleReports.push_back(report);
52 if (ModuleScanReport::get_scan_status(report) == SCAN_ERROR) {
53 this->errorsCount++;
54 }
55 appendToType(report);
56 // if the scan was successful, append the module to the scanned modules:
57 if (ModuleScanReport::get_scan_status(report) != SCAN_ERROR) {
58 modulesInfo.appendToModulesList(report);
59 }
60 }
61
62 size_t getScannedSize(ULONGLONG address) const
63 {
64 return modulesInfo.getScannedSize(address);
65 }
66
67 bool hasModule(ULONGLONG page_addr)
68 {
69 if (!modulesInfo.getModuleAt(page_addr)) {
70 return false;
71 }
72 return true;
73 }
74
75 bool hasModuleContaining(ULONGLONG page_addr, size_t size)
76 {
77 if (!modulesInfo.findModuleContaining(page_addr, size)) {
78 return false;
79 }
80 return true;
81 }
82
83 bool isModuleReplaced(HMODULE module_base);
84
85 ScannedModule* getModuleContaining(ULONGLONG field_addr, size_t field_size = 0) const
86 {
87 return modulesInfo.findModuleContaining(field_addr, field_size);
88 }
89
90 const virtual bool toJSON(std::stringstream &stream, size_t level, const t_results_filter &filter, const pesieve::t_json_level &jdetails) const;
91
92 pesieve::t_report generateSummary() const;
93 DWORD getPid() { return pid; }
94 bool isManagedProcess() { return this->isManaged; }
95
96 std::string mainImagePath;
97 std::vector<ModuleScanReport*> moduleReports; //TODO: make it protected
98 peconv::ExportsMapper *exportsMap;
99
100 protected:
101 std::string listModules(size_t level, const t_results_filter &filter, const t_json_level &jdetails) const;
102
103 void deleteModuleReports()
104 {
105 std::vector<ModuleScanReport*>::iterator itr = moduleReports.begin();
106 for (; itr != moduleReports.end(); ++itr) {
107 ModuleScanReport* module = *itr;
108 delete module;
109 }
110 moduleReports.clear();
111 }
112
113 void appendToType(ModuleScanReport *report);
114 size_t countResultsPerType(const t_report_type type, const t_scan_status result) const;
115
116 size_t countSuspiciousPerType(const t_report_type type) const
117 {
118 return countResultsPerType(type, SCAN_SUSPICIOUS);
119 }
120
121 size_t countHdrsReplaced() const;
122 bool hasAnyShownType(const t_results_filter &filter);
123
124 DWORD pid;
125 bool is64bit;
126 bool isManaged;
127 bool isReflection;
128 t_params* usedParams;
129 size_t errorsCount;
130
131 ModulesInfo modulesInfo;
132 std::set<ModuleScanReport*> reportsByType[REPORT_TYPES_COUNT];
133
134 friend class ProcessScanner;
135 friend class ResultsDumper;
136 };
137
138}; //namespace pesieve
pesieve::ModuleScanReport
A base class of all the reports detailing on the output of the performed module's scan.
Definition module_scan_report.h:26
pesieve::ModuleScanReport::get_scan_status
static t_scan_status get_scan_status(const ModuleScanReport *report)
Definition module_scan_report.h:30
pesieve::ModulesInfo
A container of all the process modules that were scanned.
Definition scanned_modules.h:84
pesieve::ModulesInfo::findModuleContaining
ScannedModule * findModuleContaining(ULONGLONG address, size_t size=0) const
Definition scanned_modules.cpp:53
pesieve::ModulesInfo::getScannedSize
size_t getScannedSize(ULONGLONG start_address) const
Definition scanned_modules.cpp:83
pesieve::ModulesInfo::appendToModulesList
bool appendToModulesList(ModuleScanReport *report)
Definition scanned_modules.cpp:24
pesieve::ModulesInfo::getModuleAt
ScannedModule * getModuleAt(ULONGLONG address) const
Definition scanned_modules.cpp:103
pesieve::ProcessScanReport
The report aggregating the results of the performed scan.
Definition scan_report.h:19
pesieve::ProcessScanReport::countResultsPerType
size_t countResultsPerType(const t_report_type type, const t_scan_status result) const
Definition scan_report.cpp:88
pesieve::ProcessScanReport::toJSON
virtual const bool toJSON(std::stringstream &stream, size_t level, const t_results_filter &filter, const pesieve::t_json_level &jdetails) const
Definition scan_report.cpp:212
pesieve::ProcessScanReport::ProcessScanReport
ProcessScanReport(DWORD _pid, bool _is64bit, bool _isReflection, t_params *_usedParams)
Definition scan_report.h:36
pesieve::ProcessScanReport::appendReport
void appendReport(ModuleScanReport *report)
Definition scan_report.h:48
pesieve::ProcessScanReport::isModuleReplaced
bool isModuleReplaced(HMODULE module_base)
Definition scan_report.cpp:115
pesieve::ProcessScanReport::generateSummary
pesieve::t_report generateSummary() const
Definition scan_report.cpp:152
pesieve::ProcessScanReport::exportsMap
peconv::ExportsMapper * exportsMap
Definition scan_report.h:98
pesieve::ProcessScanReport::listModules
std::string listModules(size_t level, const t_results_filter &filter, const t_json_level &jdetails) const
Definition scan_report.cpp:185
pesieve::ProcessScanReport::reportsByType
std::set< ModuleScanReport * > reportsByType[REPORT_TYPES_COUNT]
Definition scan_report.h:132
pesieve::ProcessScanReport::moduleReports
std::vector< ModuleScanReport * > moduleReports
Definition scan_report.h:97
pesieve::ProcessScanReport::hasModule
bool hasModule(ULONGLONG page_addr)
Definition scan_report.h:67
pesieve::ProcessScanReport::getReportType
static t_report_type getReportType(ModuleScanReport *report)
Definition scan_report.cpp:53
pesieve::ProcessScanReport::hasModuleContaining
bool hasModuleContaining(ULONGLONG page_addr, size_t size)
Definition scan_report.h:75
pesieve::ProcessScanReport::countHdrsReplaced
size_t countHdrsReplaced() const
Definition scan_report.cpp:132
pesieve::ProcessScanReport::getModuleContaining
ScannedModule * getModuleContaining(ULONGLONG field_addr, size_t field_size=0) const
Definition scan_report.h:85
pesieve::ProcessScanReport::getScannedSize
size_t getScannedSize(ULONGLONG address) const
Definition scan_report.h:62
pesieve::ProcessScanReport::hasAnyShownType
bool hasAnyShownType(const t_results_filter &filter)
Definition scan_report.cpp:38
pesieve::ProcessScanReport::appendToType
void appendToType(ModuleScanReport *report)
Definition scan_report.cpp:104
pesieve::ProcessScanReport::countSuspiciousPerType
size_t countSuspiciousPerType(const t_report_type type) const
Definition scan_report.h:116
pesieve::ProcessScanner
The root scanner, responsible for enumerating all the elements to be scanned within a given process,...
Definition scanner.h:15
pesieve::ScannedModule
Represents a basic info about the scanned module, such as its base offset, size, and the status.
Definition scanned_modules.h:14
pesieve.t_json_level
Definition pesieve.py:82
pesieve.t_params
Definition pesieve.py:100
pesieve.t_report_type
Definition pesieve.py:88
pesieve.t_report
Definition pesieve.py:123
module_scan_report.h
pesieve::t_scan_status
enum pesieve::module_scan_status t_scan_status
pe_sieve_types.h
The types used by PE-sieve API.
t_results_filter
t_results_filter
Definition pe_sieve_types.h:30
scanned_modules.h
report
Final summary about the scanned process.
Definition pe_sieve_types.h:150
Generated by doxygen 1.12.0