From b1b169c271934121fb27661c85351cf7d10b7dc5 Mon Sep 17 00:00:00 2001 From: hasherezade Date: Wed, 30 Oct 2024 12:59:54 -0700 Subject: [PATCH] [FEATURE] Added a new parameter, regulating what type of results should be reported --- include/pe_sieve_types.h | 12 ++++++++ main.cpp | 12 ++++---- params.h | 15 ++++++++++ params_info/pe_sieve_params_info.cpp | 44 ++++++++++++++++++++++------ params_info/pe_sieve_params_info.h | 2 ++ pe_sieve.cpp | 12 ++++---- pe_sieve_api.cpp | 20 +++++++------ pe_sieve_report.h | 16 +++++++++- postprocessors/report_formatter.cpp | 44 +++++++++++++++++++++++++--- postprocessors/report_formatter.h | 5 ++-- postprocessors/results_dumper.cpp | 31 ++++++++++++++++++-- postprocessors/results_dumper.h | 4 ++- scanners/scan_report.cpp | 20 ++++++------- scanners/scan_report.h | 14 ++------- 14 files changed, 192 insertions(+), 59 deletions(-) diff --git a/include/pe_sieve_types.h b/include/pe_sieve_types.h index bff96c217..5ec19e84a 100644 --- a/include/pe_sieve_types.h +++ b/include/pe_sieve_types.h @@ -27,6 +27,17 @@ namespace pesieve { OUT_FILTERS_COUNT } t_output_filter; + typedef enum { + SHOW_NONE = 0, + SHOW_ERRORS = 1, + SHOW_NOT_SUSPICIOUS = 2, + SHOW_SUSPICIOUS = 4, + SHOW_SUSPICIOUS_AND_ERRORS = SHOW_ERRORS | SHOW_SUSPICIOUS, + SHOW_SUCCESSFUL_ONLY = SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS, + SHOW_ALL = SHOW_ERRORS | SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS, + SHOW_FILTERS_COUNT + } t_results_filter; + typedef enum { SHELLC_NONE = 0, ///< do not detect shellcode SHELLC_PATTERNS, ///< detect shellcodes by patterns @@ -128,6 +139,7 @@ namespace pesieve { bool make_reflection; ///< operate on a process reflection rather than on the live process (this allows i.e. to force-read inaccessible pages) bool use_cache; ///< enable cache for the scanned modules t_json_level json_lvl; ///< level of the details of the JSON report + t_results_filter results_filter; ///< what type of results should be included in the report char output_dir[MAX_PATH + 1]; ///< the root directory where the output should be saved (default: current directory) PARAM_STRING modules_ignored; ///< a list of modules that will not be scanned, separated by PARAM_LIST_SEPARATOR PARAM_STRING pattern_file; ///< a file with additional patterns for code recognition diff --git a/main.cpp b/main.cpp index 117446393..86f4bd3c9 100644 --- a/main.cpp +++ b/main.cpp @@ -28,7 +28,7 @@ void print_report(const pesieve::ReportEx& report, const t_params args) std::string report_str; if (args.json_output) { - report_str = report_to_json(report, pesieve::REPORT_ALL, ProcessScanReport::REPORT_SUSPICIOUS_AND_ERRORS, args.json_lvl); + report_str = report_to_json(report, pesieve::REPORT_ALL, args.results_filter, args.json_lvl); } else { report_str = scan_report_to_string(*report.scan_report); } @@ -48,6 +48,7 @@ void free_params(t_params &args) int main(int argc, char *argv[]) { t_params args = { 0 }; + args.results_filter = SHOW_SUSPICIOUS; PEsieveParams uParams(PESIEVE_VERSION_STR); if (argc < 2) { @@ -81,10 +82,11 @@ int main(int argc, char *argv[]) t_pesieve_res res = PESIEVE_ERROR; if (report != nullptr) { print_report(*report, args); - - pesieve::t_report summary = report->scan_report->generateSummary(); - if (summary.scanned > 0) { - res = (summary.suspicious > 0) ? PESIEVE_DETECTED : PESIEVE_NOT_DETECTED; + if (report->scan_report) { + pesieve::t_report summary = report->scan_report->generateSummary(); + if (summary.scanned > 0) { + res = (summary.suspicious > 0) ? PESIEVE_DETECTED : PESIEVE_NOT_DETECTED; + } } delete report; report = nullptr; diff --git a/params.h b/params.h index 39e563d77..997ba80d8 100644 --- a/params.h +++ b/params.h @@ -25,6 +25,7 @@ using namespace pesieve; #define PARAM_DUMP_MODE "dmode" //output options: #define PARAM_OUT_FILTER "ofilter" +#define PARAM_RESULTS_FILTER "report" #define PARAM_QUIET "quiet" #define PARAM_JSON "json" #define PARAM_JSON_LVL "jlvl" @@ -82,6 +83,18 @@ class PEsieveParams : public Params } } + enumParam = new EnumParam(PARAM_RESULTS_FILTER, "result_type", false); + if (enumParam) { + this->addParam(enumParam); + this->setInfo(PARAM_RESULTS_FILTER, "Define what type of results are reported."); + for (size_t i = SHOW_SUSPICIOUS; i < SHOW_FILTERS_COUNT; i++) { + t_results_filter mode = (t_results_filter)(i); + std::string info = translate_results_filter(mode); + if (info.empty()) continue; + enumParam->addEnumValue(mode, results_filter_to_id(i), info); + } + } + this->addParam(new StringListParam(PARAM_MODULES_IGNORE, false, PARAM_LIST_SEPARATOR)); { std::stringstream ss1; @@ -202,6 +215,7 @@ class PEsieveParams : public Params this->addParamToGroup(PARAM_JSON, str_group); this->addParamToGroup(PARAM_JSON_LVL, str_group); this->addParamToGroup(PARAM_OUT_FILTER, str_group); + this->addParamToGroup(PARAM_RESULTS_FILTER, str_group); str_group = "1. scanner settings"; this->addGroup(new ParamGroup(str_group)); @@ -253,6 +267,7 @@ class PEsieveParams : public Params copyVal(PARAM_PID, ps.pid); copyVal(PARAM_IMP_REC, ps.imprec_mode); copyVal(PARAM_OUT_FILTER, ps.out_filter); + copyVal(PARAM_RESULTS_FILTER, ps.results_filter); fillStringParam(PARAM_MODULES_IGNORE, ps.modules_ignored); diff --git a/params_info/pe_sieve_params_info.cpp b/params_info/pe_sieve_params_info.cpp index 467b399e7..d291ddf91 100644 --- a/params_info/pe_sieve_params_info.cpp +++ b/params_info/pe_sieve_params_info.cpp @@ -16,7 +16,7 @@ std::string pesieve::translate_dump_mode(const DWORD dump_mode) case pesieve::PE_DUMP_REALIGN: return "realigned raw (converted raw format to be the same as virtual)"; } - return "undefined"; + return ""; } std::string pesieve::dump_mode_to_id(const DWORD dump_mode) @@ -44,7 +44,33 @@ std::string pesieve::translate_out_filter(const pesieve::t_output_filter o_filte case pesieve::OUT_NO_DIR: return "don't dump any files"; } - return "undefined"; + return ""; +} + +std::string pesieve::translate_results_filter(const pesieve::t_results_filter r_filter) +{ + switch (r_filter) { + case pesieve::SHOW_SUSPICIOUS: + return "only suspicious (default)"; + case pesieve::SHOW_SUSPICIOUS_AND_ERRORS: + return "suspicious and errors"; + case pesieve::SHOW_ALL: + return "all scanned"; + } + return ""; +} + +std::string pesieve::results_filter_to_id(const DWORD r_filter) +{ + switch (r_filter) { + case pesieve::SHOW_SUSPICIOUS: + return "S"; + case pesieve::SHOW_SUSPICIOUS_AND_ERRORS: + return "SE"; + case pesieve::SHOW_ALL: + return "L"; + } + return ""; } std::string pesieve::translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode) @@ -63,7 +89,7 @@ std::string pesieve::translate_imprec_mode(const pesieve::t_imprec_mode imprec_m case pesieve::PE_IMPREC_REBUILD2: return "build the ImportTable from scratch, basing on the found IATs:\n\t use all found blocks (aggressive mode)"; } - return "undefined"; + return ""; } @@ -101,7 +127,7 @@ std::string pesieve::translate_dotnet_policy(const pesieve::t_dotnet_policy &mod case pesieve::PE_DNET_SKIP_ALL: return "skip all the above (mapping, shellcodes, hooks)"; } - return "undefined"; + return ""; } std::string pesieve::translate_data_mode(const pesieve::t_data_scan_mode &mode) @@ -120,7 +146,7 @@ std::string pesieve::translate_data_mode(const pesieve::t_data_scan_mode &mode) case pesieve::PE_DATA_SCAN_INACCESSIBLE_ONLY: return "scan inaccessible pages, but exclude other non-executable;\n\t works in reflection mode (/refl) only"; } - return "undefined"; + return ""; } std::string pesieve::translate_json_level(const pesieve::t_json_level &mode) @@ -133,7 +159,7 @@ std::string pesieve::translate_json_level(const pesieve::t_json_level &mode) case pesieve::JSON_DETAILS2: return "details #2 (list patches: extended)"; } - return "undefined"; + return ""; } std::string pesieve::shellc_mode_mode_to_id(const pesieve::t_shellc_mode& mode) @@ -165,7 +191,7 @@ std::string pesieve::translate_shellc_mode(const pesieve::t_shellc_mode& mode) case pesieve::SHELLC_PATTERNS_AND_STATS: return "detect shellcodes by patterns and stats (both match)"; } - return "undefined"; + return ""; } std::string pesieve::translate_obfusc_mode(const pesieve::t_obfusc_mode& mode) @@ -180,7 +206,7 @@ std::string pesieve::translate_obfusc_mode(const pesieve::t_obfusc_mode& mode) case pesieve::OBFUSC_ANY: return "detect any: possible strong or weak encryption"; } - return "undefined"; + return ""; } std::string pesieve::obfusc_mode_mode_to_id(const pesieve::t_obfusc_mode& mode) @@ -209,5 +235,5 @@ std::string pesieve::translate_iat_scan_mode(const pesieve::t_iat_scan_mode mode case pesieve::PE_IATS_UNFILTERED: return "unfiltered: scan for IAT Hooks, report all"; } - return "undefined"; + return ""; } diff --git a/params_info/pe_sieve_params_info.h b/params_info/pe_sieve_params_info.h index 2ef6fa635..6f788a49e 100644 --- a/params_info/pe_sieve_params_info.h +++ b/params_info/pe_sieve_params_info.h @@ -6,6 +6,8 @@ namespace pesieve { std::string translate_dump_mode(const DWORD dump_mode); std::string translate_out_filter(const pesieve::t_output_filter o_filter); + std::string translate_results_filter(const pesieve::t_results_filter r_filter); + std::string results_filter_to_id(const DWORD r_filter); std::string translate_data_mode(const pesieve::t_data_scan_mode &mode); std::string translate_imprec_mode(const pesieve::t_imprec_mode imprec_mode); std::string translate_dotnet_policy(const pesieve::t_dotnet_policy &mode); diff --git a/pe_sieve.cpp b/pe_sieve.cpp index 17e285395..051a1e177 100644 --- a/pe_sieve.cpp +++ b/pe_sieve.cpp @@ -24,6 +24,7 @@ pesieve::PatternMatcher g_Matcher; pesieve::SyscallTable g_SyscallTable; namespace pesieve { + void check_access_denied(DWORD processID) { HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processID); @@ -126,7 +127,7 @@ namespace pesieve { ProcessDumpReport* dumpReport = nullptr; ResultsDumper dumper(expand_path(args.output_dir), args.quiet); - if (dumper.dumpJsonReport(process_report, ProcessScanReport::REPORT_SUSPICIOUS_AND_ERRORS, args.json_lvl) && !args.quiet) { + if (dumper.dumpJsonReport(process_report, args.results_filter, args.json_lvl) && !args.quiet) { std::cout << "[+] Report dumped to: " << dumper.getOutputDir() << std::endl; } @@ -248,19 +249,20 @@ pesieve::ReportEx* pesieve::scan_and_dump(IN const pesieve::t_params args) const bool is_reflection = (cloned_proc) ? true : false; ProcessScanner scanner(target_proc, is_reflection, args); report->scan_report = scanner.scanRemote(); - if (report->scan_report) { // dump elements from the process: report->dump_report = make_dump(target_proc, is_reflection, args, *report->scan_report); } } catch (std::exception &e) { - delete report; - report = nullptr; - + report->error_report = new ErrorReport(args.pid, e.what()); if (!args.quiet) { util::print_in_color(ERROR_COLOR, std::string("[ERROR] ") + e.what() + "\n", true); } + ResultsDumper dumper(expand_path(args.output_dir), args.quiet); + if (dumper.dumpJsonReport(*report->error_report, args.results_filter) && !args.quiet) { + std::cout << "[+] Report dumped to: " << dumper.getOutputDir() << std::endl; + } } if (cloned_proc) { release_process_reflection(&cloned_proc); diff --git a/pe_sieve_api.cpp b/pe_sieve_api.cpp index c009aadb2..5644fc326 100644 --- a/pe_sieve_api.cpp +++ b/pe_sieve_api.cpp @@ -13,10 +13,10 @@ using namespace pesieve; size_t print_report(const pesieve::ReportEx& report, const pesieve::t_params args, const t_report_type rtype, char* json_buf, size_t json_buf_size) { - if (!report.scan_report || rtype == REPORT_NONE) return 0; - + if (rtype == REPORT_NONE) return 0; + size_t level = 1; - std::string report_str = report_to_json(report, rtype, ProcessScanReport::REPORT_SUSPICIOUS_AND_ERRORS, args.json_lvl, level); + std::string report_str = report_to_json(report, rtype, args.report_filter, args.json_lvl, level); const size_t report_len = report_str.length(); if (json_buf && json_buf_size) { @@ -35,13 +35,15 @@ PEsieve_report PESIEVE_API_FUNC PESieve_scan_ex(IN const PEsieve_params &args, I return empty; } const pesieve::ReportEx* report = pesieve::scan_and_dump(args); - if (report == nullptr) { - pesieve::t_report nullrep = { 0 }; - nullrep.pid = args.pid; - nullrep.errors = pesieve::ERROR_SCAN_FAILURE; - return nullrep; + pesieve::t_report summary = { 0 }; + summary.pid = args.pid; + summary.errors = pesieve::ERROR_SCAN_FAILURE; + if (!report) { + return summary; + } + if (report->scan_report) { + summary = report->scan_report->generateSummary(); } - pesieve::t_report summary = report->scan_report->generateSummary(); //check the pointers: if (json_buf) { if (!json_buf_size || IsBadWritePtr(json_buf, json_buf_size)) { diff --git a/pe_sieve_report.h b/pe_sieve_report.h index a15c28199..04128591c 100644 --- a/pe_sieve_report.h +++ b/pe_sieve_report.h @@ -13,11 +13,23 @@ namespace pesieve { + class ErrorReport + { + public: + ErrorReport(DWORD _pid, const std::string &_message) + : pid(_pid), message(_message) + { + } + + const DWORD pid; + const std::string message; + }; + //! The final report about the actions performed on the process: scanning and dumping class ReportEx { public: ReportEx() : - scan_report(nullptr), dump_report(nullptr) + scan_report(nullptr), dump_report(nullptr), error_report(nullptr) { } @@ -25,10 +37,12 @@ namespace pesieve { { delete scan_report; delete dump_report; + delete error_report; } ProcessScanReport* scan_report; ///< the report aggregating the results of the performed scans ProcessDumpReport* dump_report; ///< the report aggregating the results of the performed dumps + ErrorReport* error_report; ///< the report detailing on possible errors that prevented the scan }; }; diff --git a/postprocessors/report_formatter.cpp b/postprocessors/report_formatter.cpp index 94a9180a0..9215b7abc 100644 --- a/postprocessors/report_formatter.cpp +++ b/postprocessors/report_formatter.cpp @@ -36,9 +36,37 @@ std::string pesieve::scan_report_to_string(const ProcessScanReport &process_repo return stream.str(); } +std::string pesieve::err_report_to_json(const pesieve::ErrorReport& err_report, + t_results_filter filter, + size_t start_level +) +{ + if ((filter & SHOW_ERRORS) == 0) { + return ""; + } + //summary: + std::stringstream stream; + + size_t level = start_level + 1; + OUT_PADDED(stream, start_level, "{\n"); // beginning of the report + + OUT_PADDED(stream, level, "\"pid\" : "); + stream << std::dec << err_report.pid << ",\n"; + OUT_PADDED(stream, level, "\"err_message\" : "); + stream << "\"" << err_report.message << "\"\n"; + OUT_PADDED(stream, start_level, "}\n"); // end of the report + + std::string report_all = stream.str(); + if (report_all.length() == 0) { + return ""; + } + return report_all; +} + + std::string pesieve::scan_report_to_json( const ProcessScanReport &process_report, - ProcessScanReport::t_report_filter filter, + t_results_filter filter, const pesieve::t_json_level &jdetails, size_t start_level ) @@ -75,15 +103,23 @@ std::string pesieve::dump_report_to_json( return report_all; } -std::string pesieve::report_to_json(const pesieve::ReportEx& report, const t_report_type rtype, ProcessScanReport::t_report_filter filter, const pesieve::t_json_level& jdetails, size_t start_level) +std::string pesieve::report_to_json(const pesieve::ReportEx& report, const t_report_type rtype, t_results_filter filter, const pesieve::t_json_level& jdetails, size_t start_level) { - if (!report.scan_report || rtype == REPORT_NONE) return 0; + if (rtype == REPORT_NONE) return 0; size_t level = 1; std::stringstream stream; + + if (report.error_report && (filter & SHOW_ERRORS)) { + stream << "{\n"; + OUT_PADDED(stream, level, "\"error_report\" :\n"); + stream << err_report_to_json(*report.error_report, filter, level); + stream << "}\n"; + return stream.str(); + } const bool has_dumps = (report.dump_report && report.dump_report->countDumped() > 0) ? true : false; stream << "{\n"; - if (rtype == REPORT_ALL || rtype == REPORT_SCANNED) { + if (report.scan_report && (rtype == REPORT_ALL || rtype == REPORT_SCANNED)) { OUT_PADDED(stream, level, "\"scan_report\" :\n"); stream << scan_report_to_json(*report.scan_report, filter, jdetails, level); if (rtype == REPORT_ALL && has_dumps) { diff --git a/postprocessors/report_formatter.h b/postprocessors/report_formatter.h index dc426d324..e1763a134 100644 --- a/postprocessors/report_formatter.h +++ b/postprocessors/report_formatter.h @@ -9,10 +9,11 @@ namespace pesieve { std::string scan_report_to_string(const ProcessScanReport &report); - std::string scan_report_to_json(const ProcessScanReport& process_report, ProcessScanReport::t_report_filter filter, const pesieve::t_json_level& jdetails, size_t start_level=0); + std::string scan_report_to_json(const ProcessScanReport& process_report,t_results_filter filter, const pesieve::t_json_level& jdetails, size_t start_level=0); std::string dump_report_to_json(const ProcessDumpReport& process_report, const pesieve::t_json_level& jdetails, size_t start_level=0); - std::string report_to_json(const pesieve::ReportEx& report, const t_report_type rtype, ProcessScanReport::t_report_filter filter, const pesieve::t_json_level& jdetails, size_t start_level=0); + std::string err_report_to_json(const ErrorReport& err_report, t_results_filter filter, size_t start_level = 0); + std::string report_to_json(const ReportEx& report, const t_report_type rtype, t_results_filter filter, const pesieve::t_json_level& jdetails, size_t start_level=0); }; // namespace pesieve diff --git a/postprocessors/results_dumper.cpp b/postprocessors/results_dumper.cpp index 7bc94854f..fc60c70a8 100644 --- a/postprocessors/results_dumper.cpp +++ b/postprocessors/results_dumper.cpp @@ -113,7 +113,7 @@ namespace pesieve { }; //namespace pesieve -bool pesieve::ResultsDumper::dumpJsonReport(pesieve::ProcessScanReport &process_report, const ProcessScanReport::t_report_filter &filter, const pesieve::t_json_level &jdetails) +bool pesieve::ResultsDumper::dumpJsonReport(pesieve::ProcessScanReport &process_report, const t_results_filter &filter, const pesieve::t_json_level &jdetails) { std::stringstream stream; size_t level = 1; @@ -154,7 +154,7 @@ bool pesieve::ResultsDumper::dumpJsonReport(ProcessDumpReport &process_report) size_t level = 1; process_report.toJSON(stream, level); std::string report_all = stream.str(); - if (report_all.length() == 0) { + if (report_all.empty()) { return false; } //ensure that the directory is created: @@ -174,6 +174,33 @@ bool pesieve::ResultsDumper::dumpJsonReport(ProcessDumpReport &process_report) return false; } +bool pesieve::ResultsDumper::dumpJsonReport(ErrorReport& error_report, const t_results_filter& filter) +{ + std::stringstream stream; + size_t level = 1; + + const std::string err_content = err_report_to_json(error_report, filter, level); + if (err_content.empty()) { + return false; + } + + //ensure that the directory is created: + this->dumpDir = pesieve::ResultsDumper::makeDirName(error_report.pid); + + std::ofstream json_report; + std::string report_path = makeOutPath("error_report.json"); + json_report.open(report_path); + if (json_report.is_open() == false) { + return false; + } + json_report << err_content << std::endl; + if (json_report.is_open()) { + json_report.close(); + return true; + } + return false; +} + pesieve::ProcessDumpReport* pesieve::ResultsDumper::dumpDetectedModules( HANDLE processHandle, bool isRefl, diff --git a/postprocessors/results_dumper.h b/postprocessors/results_dumper.h index 374a07ead..7a035842f 100644 --- a/postprocessors/results_dumper.h +++ b/postprocessors/results_dumper.h @@ -21,10 +21,12 @@ namespace pesieve { ProcessDumpReport* dumpDetectedModules(HANDLE hProcess, bool isRefl, ProcessScanReport &process_report, const pesieve::t_dump_mode dump_mode, const pesieve::t_imprec_mode imprec_mode); // dump JSON report from the process scan - bool dumpJsonReport(ProcessScanReport &process_report, const ProcessScanReport::t_report_filter &filter, const pesieve::t_json_level &jdetails); + bool dumpJsonReport(ProcessScanReport &process_report, const t_results_filter &filter, const pesieve::t_json_level &jdetails); bool dumpJsonReport(ProcessDumpReport &process_report); + bool dumpJsonReport(ErrorReport& error_report, const t_results_filter& filter); + std::string getOutputDir() { return this->dumpDir; diff --git a/scanners/scan_report.cpp b/scanners/scan_report.cpp index f41bd801e..8b7a9f776 100644 --- a/scanners/scan_report.cpp +++ b/scanners/scan_report.cpp @@ -16,18 +16,18 @@ using namespace pesieve::util; namespace pesieve { - bool is_shown_type(t_scan_status status, ProcessScanReport::t_report_filter filter) + bool is_shown_type(t_scan_status status, t_results_filter filter) { - if (filter == ProcessScanReport::REPORT_ALL) { + if (filter == SHOW_ALL) { return true; } - if (filter & ProcessScanReport::REPORT_ERRORS) { + if (filter & SHOW_ERRORS) { if (status == SCAN_ERROR) return true; } - if (filter & ProcessScanReport::REPORT_SUSPICIOUS) { + if (filter & SHOW_SUSPICIOUS) { if (status == SCAN_SUSPICIOUS) return true; } - if (filter & ProcessScanReport::REPORT_NOT_SUSPICIOUS) { + if (filter & SHOW_NOT_SUSPICIOUS) { if (status == SCAN_NOT_SUSPICIOUS) return true; } return false; @@ -35,14 +35,14 @@ namespace pesieve { }; //namespace pesieve -bool pesieve::ProcessScanReport::hasAnyShownType(const pesieve::ProcessScanReport::t_report_filter &filter) +bool pesieve::ProcessScanReport::hasAnyShownType(const pesieve::t_results_filter &filter) { t_report summary = this->generateSummary(); - t_scan_status aggregated_status = summary.suspicious > 0 ? SCAN_SUSPICIOUS : SCAN_NOT_SUSPICIOUS; + t_scan_status aggregated_status = (summary.suspicious > 0) ? SCAN_SUSPICIOUS : SCAN_NOT_SUSPICIOUS; if (is_shown_type(aggregated_status, filter)) { return true; } - aggregated_status = summary.errors > 0 ? SCAN_ERROR : SCAN_NOT_SUSPICIOUS; + aggregated_status = (summary.errors > 0) ? SCAN_ERROR : SCAN_NOT_SUSPICIOUS; if (is_shown_type(aggregated_status, filter)) { return true; } @@ -182,7 +182,7 @@ pesieve::t_report pesieve::ProcessScanReport::generateSummary() const return summary; } -std::string pesieve::ProcessScanReport::listModules(size_t level, const pesieve::ProcessScanReport::t_report_filter &filter, const t_json_level &jdetails) const +std::string pesieve::ProcessScanReport::listModules(size_t level, const pesieve::t_results_filter &filter, const t_json_level &jdetails) const { std::stringstream stream; //summary: @@ -211,7 +211,7 @@ std::string pesieve::ProcessScanReport::listModules(size_t level, const pesieve: const bool pesieve::ProcessScanReport::toJSON( std::stringstream &stream, size_t start_level, - const pesieve::ProcessScanReport::t_report_filter &filter, + const pesieve::t_results_filter &filter, const pesieve::t_json_level &jdetails) const { const t_report report = this->generateSummary(); diff --git a/scanners/scan_report.h b/scanners/scan_report.h index 432a04f6e..c80e6f461 100644 --- a/scanners/scan_report.h +++ b/scanners/scan_report.h @@ -31,14 +31,6 @@ namespace pesieve { REPORT_TYPES_COUNT } t_report_type; - typedef enum { - REPORT_ERRORS = 1, - REPORT_NOT_SUSPICIOUS = 2, - REPORT_SUSPICIOUS = 4, - REPORT_SUSPICIOUS_AND_ERRORS = REPORT_ERRORS | REPORT_SUSPICIOUS, - REPORT_ALL = REPORT_ERRORS | REPORT_NOT_SUSPICIOUS | REPORT_SUSPICIOUS - } t_report_filter; - static t_report_type getReportType(ModuleScanReport *report); ProcessScanReport(DWORD _pid, bool _is64bit, bool _isReflection, t_params* _usedParams) @@ -95,7 +87,7 @@ namespace pesieve { return modulesInfo.findModuleContaining(field_addr, field_size); } - const virtual bool toJSON(std::stringstream &stream, size_t level, const t_report_filter &filter, const pesieve::t_json_level &jdetails) const; + const virtual bool toJSON(std::stringstream &stream, size_t level, const t_results_filter &filter, const pesieve::t_json_level &jdetails) const; pesieve::t_report generateSummary() const; DWORD getPid() { return pid; } @@ -106,7 +98,7 @@ namespace pesieve { peconv::ExportsMapper *exportsMap; protected: - std::string listModules(size_t level, const ProcessScanReport::t_report_filter &filter, const t_json_level &jdetails) const; + std::string listModules(size_t level, const t_results_filter &filter, const t_json_level &jdetails) const; void deleteModuleReports() { @@ -127,7 +119,7 @@ namespace pesieve { } size_t countHdrsReplaced() const; - bool hasAnyShownType(const ProcessScanReport::t_report_filter &filter); + bool hasAnyShownType(const t_results_filter &filter); DWORD pid; bool is64bit;