-
Notifications
You must be signed in to change notification settings - Fork 432
/
pe_sieve_types.h
173 lines (151 loc) · 7.95 KB
/
pe_sieve_types.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
/**
* @file
* @brief The types used by PE-sieve API.
*/
#pragma once
#include <windows.h>
#define PARAM_LIST_SEPARATOR ';'
#ifndef __cplusplus
typedef char bool;
#endif
#ifdef __cplusplus
namespace pesieve {
#endif
//! the status returned if scanning has failed
const DWORD ERROR_SCAN_FAILURE = (-1);
typedef enum {
OUT_FULL = 0, ///< no filter: dump everything (default)
OUT_NO_DUMPS, ///< don't dump the modified PEs, but save the report
OUT_NO_DIR, ///< don't dump any files
OUT_FILTERS_COUNT
} t_output_filter;
typedef enum {
SHOW_NONE = 0,
SHOW_ERRORS = 1,
SHOW_NOT_SUSPICIOUS = 2,
SHOW_SUSPICIOUS = 4,
SHOW_SUSPICIOUS_AND_ERRORS = SHOW_ERRORS | SHOW_SUSPICIOUS,
SHOW_SUCCESSFUL_ONLY = SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS,
SHOW_ALL = SHOW_ERRORS | SHOW_NOT_SUSPICIOUS | SHOW_SUSPICIOUS,
SHOW_FILTERS_COUNT
} t_results_filter;
typedef enum {
SHELLC_NONE = 0, ///< do not detect shellcode
SHELLC_PATTERNS, ///< detect shellcodes by patterns
SHELLC_STATS, ///< detect shellcodes by stats
SHELLC_PATTERNS_OR_STATS, ///< detect shellcodes by patterns or stats (any match)
SHELLC_PATTERNS_AND_STATS, ///< detect shellcodes by patterns and stats (both match)
SHELLC_COUNT
} t_shellc_mode;
typedef enum {
OBFUSC_NONE = 0, ///< do not detect obfuscated contents
OBFUSC_STRONG_ENC, ///< detect areas possibly encrypted with strong encryption
OBFUSC_WEAK_ENC, ///< detect areas possibly encrypted with weak encryption (lower entropy, possible XOR patterns)
OBFUSC_ANY, ///< detect both: possible strong or weak encryption
OBFUSC_COUNT
} t_obfusc_mode;
typedef enum {
PE_IMPREC_NONE = 0, ///< do not try to recover imports
PE_IMPREC_AUTO, ///< try to autodetect the most suitable mode
PE_IMPREC_UNERASE, ///< recover erased parts of the partialy damaged import table
PE_IMPREC_REBUILD0, ///< build the import table from the scratch, basing on the found IAT(s): use only terminated blocks (restrictive mode)
PE_IMPREC_REBUILD1, ///< build the import table from the scratch, basing on the found IAT(s): use terminated blocks, or blocks with more than 1 thunk
PE_IMPREC_REBUILD2, ///< build the import table from the scratch, basing on the found IAT(s): use all found blocks (aggressive mode)
PE_IMPREC_MODES_COUNT
} t_imprec_mode;
typedef enum {
PE_DUMP_AUTO = 0, ///< autodetect which dump mode is the most suitable for the given input
PE_DUMP_VIRTUAL, ///< dump as it is in the memory (virtual)
PE_DUMP_UNMAP, ///< convert to the raw format: using raw sections' headers
PE_DUMP_REALIGN, ///< convert to the raw format: by realigning raw sections' headers to be the same as virtual (useful if the PE was unpacked in memory)
PE_DUMP_MODES_COUNT
} t_dump_mode;
typedef enum {
PE_IATS_NONE = 0, ///< do not scan IAT
PE_IATS_CLEAN_SYS_FILTERED, ///< scan IAT, filter hooks if they lead to unpatched system module
PE_IATS_ALL_SYS_FILTERED, ///< scan IAT, filter hooks if they lead to any system module
PE_IATS_UNFILTERED, ///< scan IAT, unfiltered
PE_IATS_MODES_COUNT
} t_iat_scan_mode;
typedef enum {
PE_DNET_NONE = 0, ///< none: treat managed processes same as native
PE_DNET_SKIP_MAPPING = 1, ///< skip mapping mismatch (in .NET modules only)
PE_DNET_SKIP_SHC, ///< skip shellcodes (in all modules within the managed process)
PE_DNET_SKIP_HOOKS, ///< skip hooked modules (in all modules within the managed process)
PE_DNET_SKIP_ALL, ///< skip all above indicators (mapping, shellcodes, hooks) in modules within the managed process
PE_DNET_COUNT
} t_dotnet_policy;
typedef enum {
PE_DATA_NO_SCAN = 0, ///< do not scan non-executable pages
PE_DATA_SCAN_DOTNET, ///< scan data in .NET applications
PE_DATA_SCAN_NO_DEP, ///< scan data if no DEP or in .NET applications
PE_DATA_SCAN_ALWAYS, ///< scan data unconditionally
PE_DATA_SCAN_INACCESSIBLE, ///< scan data unconditionally, and inaccessible pages (if running in reflection mode)
PE_DATA_SCAN_INACCESSIBLE_ONLY, ///< scan inaccessible pages (if running in reflection mode)
PE_DATA_COUNT
} t_data_scan_mode;
typedef enum {
JSON_BASIC = 0, ///< basic
JSON_DETAILS = 1, ///< include the basic list patches in the main JSON report
JSON_DETAILS2, ///< include the extended list patches in the main JSON report
JSON_LVL_COUNT
} t_json_level;
typedef enum {
REPORT_NONE = 0, ///< do not output a report
REPORT_SCANNED, ///< output the scan report
REPORT_DUMPED, ///< output the dumps report
REPORT_ALL ///< output all available reports
} t_report_type;
//! A wrapper for a dynamically allocated string.
typedef struct _PARAM_STRING {
ULONG length;
char* buffer;
} PARAM_STRING;
//! Input parameters for PE-sieve, defining the configuration.
typedef struct params {
DWORD pid; ///< the PID of the process to be scanned
t_dotnet_policy dotnet_policy; ///< policy for scanning .NET modules
t_imprec_mode imprec_mode; ///< import recovery mode
bool quiet; ///<do not print log on the stdout
t_output_filter out_filter; ///< level of details of the created output material
bool no_hooks; ///< don't scan for hooks
t_shellc_mode shellcode; ///< detect shellcode implants
t_obfusc_mode obfuscated; ///< detect encrypted or obfuscated content (possible encrypted shellcodes)
bool threads; ///< scan threads
t_iat_scan_mode iat; ///< detect IAT hooking
t_data_scan_mode data; ///< should scan non-executable pages?
bool minidump; ///< make minidump of full process
bool rebase; ///< rebase the module to its original base (if known)
t_dump_mode dump_mode; ///< in which mode the detected PE implants should be dumped
bool json_output; ///< display the final summary as the JSON report
bool make_reflection; ///< operate on a process reflection rather than on the live process (this allows i.e. to force-read inaccessible pages)
bool use_cache; ///< enable cache for the scanned modules
t_json_level json_lvl; ///< level of the details of the JSON report
t_results_filter results_filter; ///< what type of results should be included in the report
char output_dir[MAX_PATH + 1]; ///< the root directory where the output should be saved (default: current directory)
PARAM_STRING modules_ignored; ///< a list of modules that will not be scanned, separated by PARAM_LIST_SEPARATOR
PARAM_STRING pattern_file; ///< a file with additional patterns for code recognition
} t_params;
//! Final summary about the scanned process.
typedef struct report {
DWORD pid; ///< pid of the process that was scanned
bool is_managed; ///< is process managed (.NET)
bool is_64bit; ///< is process 64 bit
bool is_reflection; ///< was the scan performed on process reflection
DWORD scanned; ///< number of all scanned modules
DWORD suspicious; ///< general summary of suspicious
DWORD replaced; ///< PE file replaced in memory (probably hollowed)
DWORD hdr_mod; ///< PE header is modified (but not replaced)
DWORD unreachable_file; ///< cannot read the file corresponding to the module in memory
DWORD patched; ///< detected modifications in the code
DWORD iat_hooked; ///< detected IAT hooks
DWORD implanted; ///< all implants: shellcodes + PEs
DWORD implanted_pe; ///< the full PE was probably loaded manually
DWORD implanted_shc; ///< implanted shellcodes
DWORD other; ///< other indicators
DWORD skipped; ///< some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this scan does not apply)
DWORD errors; ///< the number of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.
} t_report;
#ifdef __cplusplus
};
#endif