PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Loading...
Searching...
No Matches
stats_analyzer.h
Go to the documentation of this file.
1#pragma once
2
3#include <iostream>
4#include <string>
5#include <vector>
6
7#include "stats.h"
8#include "multi_stats.h"
9#include "stats_util.h"
10
11#define CODE_RULE "possible_code"
12
13namespace pesieve {
14
15 namespace stats {
16
17 size_t fillCodeStrings(OUT std::set<std::string>& codeStrings);
18
19 size_t fetchPeakValues(IN const ChunkStats& currArea, IN double stdDev, int devCount, OUT std::set<BYTE>& peaks);
20
21 size_t valuesNotBelowMean(IN const ChunkStats& currArea, double mean);
22
23 double getPrintableRatio(IN const AreaMultiStats& stats);
24
25 }; //namespace stats
26
27 //---
28
29 class RuleMatcher
30 {
31 public:
32
41
42 RuleMatcher(std::string _name)
43 : name(_name), matched(false)
44 {
45 }
46
47 bool isMatching(IN const AreaMultiStats& stats)
48 {
49 matched = _isMatching(stats);
50 return matched;
51 }
52
53 bool isMatched()
54 {
55 return matched;
56 }
57
58 std::string name;
59
60 protected:
61
62 virtual bool _isMatching(IN const AreaMultiStats& stats) = 0;
63
64 bool matched;
65 };
66
67 //---
68
69 struct AreaInfo
70 {
71 AreaInfo()
72 {
73 }
74
75 // Copy constructor
80
81 bool hasMatchAt(const std::string& ruleName)
82 {
83 for (auto itr = matchedRules.begin(); itr != matchedRules.end(); ++itr) {
84 std::string name = *itr;
85 if (name == ruleName) {
86 return true;
87 }
88 }
89 return false;
90 }
91
92 bool hasAnyMatch()
93 {
94 return (matchedRules.size()) != 0 ? true : false;
95 }
96
97 const virtual bool toJSON(std::stringstream& outs, size_t level)
98 {
99 OUT_PADDED(outs, level, "\"stats_verdict\" : {\n");
100 fieldsToJSON(outs, level + 1);
101 outs << "\n";
102 OUT_PADDED(outs, level, "}");
103 return true;
104 }
105
106 const virtual void fieldsToJSON(std::stringstream& outs, size_t level)
107 {
108 size_t count = 0;
109 for (auto itr = matchedRules.begin(); itr != matchedRules.end(); ++itr) {
110 std::string ruleName = *itr;
111 if (count > 0) {
112 outs << ",\n";
113 }
114 count++;
115 OUT_PADDED(outs, level, "\"" + ruleName + "\" : ");
116 outs << std::dec << true;
117 }
118 }
119
120 std::vector<std::string> matchedRules;
121 };
122
123 //
124 struct RuleMatchersSet
125 {
130
131 ~RuleMatchersSet()
132 {
133 deleteMatchers();
134 }
135
136 void initRules(DWORD ruleTypes);
137
138 size_t findMatches(IN const AreaMultiStats& stats, OUT AreaInfo& info);
139
140 void deleteMatchers()
141 {
142 for (auto itr = matchers.begin(); itr != matchers.end(); ++itr) {
143 RuleMatcher* m = *itr;
144 if (!m) continue;
145 delete m;
146 }
147 matchers.clear();
148 }
149
150 std::vector< RuleMatcher* > matchers;
151 };
152
153}; // namespace pesieve
pesieve::RuleMatcher::isMatching
bool isMatching(IN const AreaMultiStats &stats)
Definition stats_analyzer.h:47
pesieve::RuleMatcher::_isMatching
virtual bool _isMatching(IN const AreaMultiStats &stats)=0
pesieve::RuleMatcher::RuleMatcher
RuleMatcher(std::string _name)
Definition stats_analyzer.h:42
OUT_PADDED
#define OUT_PADDED(stream, field_size, str)
Definition format_util.h:12
multi_stats.h
pesieve::stats::valuesNotBelowMean
size_t valuesNotBelowMean(IN const ChunkStats &currArea, double mean)
Definition stats_analyzer.cpp:99
pesieve::stats::getPrintableRatio
double getPrintableRatio(IN const AreaMultiStats &stats)
Definition stats_analyzer.cpp:27
pesieve::stats::fillCodeStrings
size_t fillCodeStrings(OUT std::set< std::string > &codeStrings)
Definition stats_analyzer.cpp:118
pesieve::stats::fetchPeakValues
size_t fetchPeakValues(IN const ChunkStats &currArea, IN double stdDev, int devCount, OUT std::set< BYTE > &peaks)
Definition stats_analyzer.cpp:80
pesieve::fill_iat
size_t fill_iat(BYTE *vBuf, size_t vBufSize, IN const peconv::ExportsMapper *exportsMap, IN OUT IATBlock &iat, IN ThunkFoundCallback *callback)
Definition iat_finder.h:31
pesieve::info
std::string info()
The string with the basic information about the scanner.
Definition pe_sieve.cpp:268
stats_util.h
pesieve::AreaInfo::fieldsToJSON
virtual const void fieldsToJSON(std::stringstream &outs, size_t level)
Definition stats_analyzer.h:106
pesieve::AreaInfo::AreaInfo
AreaInfo(const AreaInfo &p1)
Definition stats_analyzer.h:76
pesieve::AreaInfo::hasMatchAt
bool hasMatchAt(const std::string &ruleName)
Definition stats_analyzer.h:81
pesieve::AreaInfo::toJSON
virtual const bool toJSON(std::stringstream &outs, size_t level)
Definition stats_analyzer.h:97
pesieve::AreaInfo::matchedRules
std::vector< std::string > matchedRules
Definition stats_analyzer.h:120
pesieve::RuleMatchersSet::initRules
void initRules(DWORD ruleTypes)
Definition stats_analyzer.cpp:321
pesieve::RuleMatchersSet::findMatches
size_t findMatches(IN const AreaMultiStats &stats, OUT AreaInfo &info)
Definition stats_analyzer.cpp:337
pesieve::RuleMatchersSet::matchers
std::vector< RuleMatcher * > matchers
Definition stats_analyzer.h:150
pesieve::RuleMatchersSet::RuleMatchersSet
RuleMatchersSet(DWORD ruleTypes)
Definition stats_analyzer.h:126
Generated by doxygen 1.10.0