#include "hh_report.h"
#include <string>
#include <sstream>
#include <iostream>
#include <iomanip>
#include <cmath>
#include "util/time_util.h"
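// Writes `str` to `stream`, preceded by `field_size` spaces of indentation
// (used to pretty-print nested JSON levels). A `field_size` of 0 writes no
// padding at all.
//
// Fixes two defects of the earlier version: the fill character is now set on
// `stream` itself (it used to be set on std::cout, which never affected the
// target stream), and the expansion is a single statement (do/while(0)), so
// the macro is safe after an unbraced `if`/`else`.
#define OUT_PADDED(stream, field_size, str) \
    do { \
        (stream).fill(' '); \
        if (field_size) (stream) << std::setw(static_cast<int>(field_size)) << ' '; \
        (stream) << (str); \
    } while (0)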
// Returns true when pe-sieve flagged the process in `report` as suspicious,
// i.e. when the report's `suspicious` field is non-zero.
bool is_suspicious_process(pesieve::t_report report)
{
    return static_cast<bool>(report.suspicious);
}
// Stores the pe-sieve report and image name of one scanned process, keyed by
// its PID (an existing entry for that PID is overwritten), and appends the PID
// to the `suspicious` list when pe-sieve flagged the process. Always returns
// true.
bool HHScanReport::appendReport(pesieve::t_report &scan_report, const std::string &img_name)
{
    const auto pid = scan_report.pid;
    pidToReport[pid] = scan_report;
    pidToName[pid] = img_name;

    const bool flagged = is_suspicious_process(scan_report);
    if (flagged) {
        suspicious.push_back(pid);
    }
    return true;
}
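// Appends one line per suspicious PID to `stream`, in the form
//   [<index>]: PID: <pid>, Name: <image name>
// with the index right-aligned to the width of the largest index so the list
// lines up. Returns the number of lines written.
size_t HHScanReport::reportsToString(std::stringstream &stream)
{
    // Width of the largest index that will be printed. Computed from the
    // decimal representation instead of log10: the previous
    // floor(log10(size() - 1)) + 1 underflowed size() - 1 for an empty list,
    // and for a single entry evaluated log10(0) == -inf, whose conversion to
    // size_t is undefined behaviour.
    const size_t last_index = suspicious.empty() ? 0 : suspicious.size() - 1;
    const int max_len = static_cast<int>(std::to_string(last_index).size());

    size_t printed = 0;
    for (const DWORD pid : suspicious) {
        // `printed` doubles as the zero-based index of the current line.
        stream << "[" << std::setw(max_len) << printed << "]: PID: " << std::dec << pid << ", ";
        stream << "Name: " << pidToName[pid] << "\n";
        printed++;
    }
    return printed;
}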
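// Escapes `text` for use inside a JSON string literal: double quote,
// backslash and control characters (U+0000..U+001F) are encoded as JSON
// requires. The image name is taken from the scanned process, i.e. it is not
// under this tool's control, so it is escaped rather than copied verbatim to
// keep the report parseable whatever the name contains. Ordinary names pass
// through unchanged.
static std::string json_escape_string(const std::string &text)
{
    static const char kHex[] = "0123456789abcdef";
    std::string out;
    out.reserve(text.size());
    for (const char ch : text) {
        const unsigned char c = static_cast<unsigned char>(ch);
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                out += "\\u00";
                out += kHex[c >> 4];
                out += kHex[c & 0x0F];
            } else {
                out += ch;
            }
            break;
        }
    }
    return out;
}

// Appends the "suspicious" JSON array — one object per suspicious PID — to
// `stream`, indented by `level` spaces. The "patched" and "iat_hooked" fields
// are only emitted when the corresponding pe-sieve option was enabled in
// `params`, since they are not computed otherwise. Returns the number of
// objects written.
size_t HHScanReport::reportsToJSON(std::stringstream &stream, size_t level, const t_hh_params &params)
{
    const bool with_hooks = !params.pesieve_args.no_hooks;
    const bool with_iat = params.pesieve_args.iat != pesieve::PE_IATS_NONE;
    const size_t total = suspicious.size();

    OUT_PADDED(stream, level, "\"suspicious\" : [\n");
    level++;
    size_t printed = 0;
    for (const DWORD pid : suspicious) {
        // One map lookup per PID instead of one per field.
        const auto &rep = pidToReport[pid];

        OUT_PADDED(stream, level, "{\n");
        level++;
        OUT_PADDED(stream, level, "\"pid\" : ");
        stream << std::dec << pid << ",\n";
        OUT_PADDED(stream, level, "\"is_managed\" : ");
        stream << std::dec << rep.is_managed << ",\n";
        OUT_PADDED(stream, level, "\"name\" : ");
        stream << "\"" << json_escape_string(pidToName[pid]) << "\",\n";
        OUT_PADDED(stream, level, "\"replaced\" : ");
        stream << std::dec << rep.replaced << ",\n";
        OUT_PADDED(stream, level, "\"hdr_modified\" : ");
        stream << std::dec << rep.hdr_mod << ",\n";
        if (with_hooks) {
            OUT_PADDED(stream, level, "\"patched\" : ");
            stream << std::dec << rep.patched << ",\n";
        }
        if (with_iat) {
            OUT_PADDED(stream, level, "\"iat_hooked\" : ");
            stream << std::dec << rep.iat_hooked << ",\n";
        }
        OUT_PADDED(stream, level, "\"implanted_pe\" : ");
        stream << std::dec << rep.implanted_pe << ",\n";
        OUT_PADDED(stream, level, "\"implanted_shc\" : ");
        stream << std::dec << rep.implanted_shc << ",\n";
        OUT_PADDED(stream, level, "\"unreachable_file\" : ");
        stream << std::dec << rep.unreachable_file << ",\n";
        OUT_PADDED(stream, level, "\"other\" : ");
        stream << std::dec << rep.other << "\n";
        level--;
        OUT_PADDED(stream, level, "}");
        printed++;
        // JSON forbids a trailing comma after the last array element.
        if (printed < total) {
            stream << ",";
        }
        stream << "\n";
    }
    level--;
    OUT_PADDED(stream, level, "]\n");
    return printed;
}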
// Serializes the scan summary (start time, duration, counts) as a JSON
// object. The per-process "suspicious" array is appended only when at least
// one process was flagged, so the document never ends up with a dangling
// comma after "suspicious_count".
std::string HHScanReport::toJSON(const t_hh_params &params)
{
    std::stringstream out;
    size_t depth = 0;
    OUT_PADDED(out, depth, "{\n");
    depth++;

    // summary:
    const size_t flagged = countSuspicious();
    OUT_PADDED(out, depth, "\"scan_date_time\" : ");
    out << std::dec << "\"" << util::strtime(startTime) << "\"" << ",\n";
    OUT_PADDED(out, depth, "\"scan_timestamp\" : ");
    out << std::dec << startTime << ",\n";
    OUT_PADDED(out, depth, "\"scan_time_ms\" : ");
    out << std::dec << getScanTime() << ",\n";
    OUT_PADDED(out, depth, "\"scanned_count\" : ");
    out << std::dec << countTotal() << ",\n";
    OUT_PADDED(out, depth, "\"suspicious_count\" : ");
    out << std::dec << flagged;

    if (flagged == 0) {
        out << "\n";
    } else {
        out << ",\n";
        reportsToJSON(out, depth, params);
    }

    depth--;
    OUT_PADDED(out, depth, "}\n");
    return out.str();
}
// Renders the scan summary as plain text: start time, duration, scanned and
// suspicious counts, followed by the list of suspicious processes when there
// is at least one.
std::string HHScanReport::toString()
{
    std::stringstream out;

    // summary:
    out << "--------\n";
    out << "SUMMARY:\n";
    out << "Scan at: " << util::strtime(startTime) << " (" << std::dec << startTime << ")\n";
    out << "Finished scan in: " << std::dec << getScanTime() << " milliseconds\n";
    out << "[*] Total scanned: " << std::dec << countTotal() << "\n";
    out << "[*] Total suspicious: " << std::dec << countSuspicious() << "\n";

    const bool any_flagged = countSuspicious() > 0;
    if (any_flagged) {
        out << "[+] List of suspicious: \n";
        reportsToString(out);
    }
    return out.str();
}