PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
stats.h
Go to the documentation of this file.
1#pragma once
2
3#include <windows.h>
4#include <sstream>
5
6#include "entropy.h"
7#include "../utils/byte_buffer.h"
8#include "../utils/format_util.h"
9
10namespace pesieve {
11
13 struct StatsSettings {
14 public:
15 StatsSettings() {}
16 virtual bool isFilled() = 0;
17 };
18
20 class AreaStats {
21 public:
22 AreaStats()
23 : area_start(0), area_size(0)
24 {
25 }
26
27 void setStartOffset(size_t _area_start)
28 {
29 area_start = _area_start;
30 }
31
32 void appendVal(BYTE val)
33 {
34 _appendVal(val);
35 area_size++;
36 }
37
38 const virtual void fieldsToJSON(std::stringstream& outs, size_t level) = 0;
39
40 bool isFilled() const
41 {
42 return area_size > 0 ? true : false;
43 }
44
45 virtual void summarize() = 0;
46
47 virtual bool fillSettings(StatsSettings* _settings) { return false; }
48
49 const virtual bool toJSON(std::stringstream& outs, size_t level)
50 {
51 if (!isFilled()) {
52 return false;
53 }
54 OUT_PADDED(outs, level, "\"stats\" : {\n");
55 fieldsToJSON(outs, level + 1);
56 outs << "\n";
57 OUT_PADDED(outs, level, "}");
58 return true;
59 }
60
61 protected:
62 virtual void _appendVal(BYTE val) = 0;
63
64 size_t area_size;
65 size_t area_start;
66
67 friend class AreaStatsCalculator;
68
69 }; // AreaStats
70
71
73 class AreaStatsCalculator {
74 public:
75 AreaStatsCalculator(const util::ByteBuffer& _buffer)
76 : buffer(_buffer)
77 {
78 }
79
80 bool fill(AreaStats& stats, StatsSettings* settings)
81 {
82 const bool skipPadding = true;
83 const size_t data_size = buffer.getDataSize(skipPadding);
84 const BYTE* data_buf = buffer.getData(skipPadding);
85 if (!data_size || !data_buf) {
86 return false;
87 }
88 if (settings && !stats.fillSettings(settings)) {
89 std::cerr << "Settings initialization failed!\n";
90 }
91 stats.setStartOffset(buffer.getStartOffset(skipPadding));
92 BYTE lastVal = 0;
93 for (size_t i = 0; i < data_size; ++i) {
94 const BYTE val = data_buf[i];
95 stats.appendVal(val);
96 }
97 stats.summarize();
98 return true;
99 }
100
101 private:
102 const util::ByteBuffer& buffer;
103 };
104
105}; //pesieve
byte_buffer.h
pesieve::AreaStatsCalculator::fill
bool fill(AreaStats &stats, StatsSettings *settings)
Definition stats.h:80
pesieve::AreaStatsCalculator::AreaStatsCalculator
AreaStatsCalculator(const util::ByteBuffer &_buffer)
Definition stats.h:75
pesieve::AreaStats
Base class for the statistics from analyzed buffer.
Definition stats.h:20
pesieve::AreaStats::isFilled
bool isFilled() const
Definition stats.h:40
pesieve::AreaStats::_appendVal
virtual void _appendVal(BYTE val)=0
pesieve::AreaStats::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level)
Definition stats.h:49
pesieve::AreaStats::summarize
virtual void summarize()=0
pesieve::AreaStats::setStartOffset
void setStartOffset(size_t _area_start)
Definition stats.h:27
pesieve::AreaStats::fillSettings
virtual bool fillSettings(StatsSettings *_settings)
Definition stats.h:47
pesieve::AreaStats::area_size
size_t area_size
Definition stats.h:64
pesieve::AreaStats::area_start
size_t area_start
Definition stats.h:65
pesieve::AreaStats::appendVal
void appendVal(BYTE val)
Definition stats.h:32
pesieve::AreaStats::AreaStatsCalculator
friend class AreaStatsCalculator
Definition stats.h:67
pesieve::AreaStats::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level)=0
format_util.h
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
pesieve::StatsSettings
Base class for settings defining what type of stats should be collected.
Definition stats.h:13
pesieve::StatsSettings::isFilled
virtual bool isFilled()=0
Generated by doxygen 1.13.2