

[FEATURE] Added indicators to the report
hasherezade committed Jul 13, 2020
1 parent c712483 commit 6740bff
Showing 3 changed files with 5 additions and 3 deletions.
1 change: 1 addition & 0 deletions include/pe_sieve_types.h
Expand Up @@ -96,6 +96,7 @@ namespace pesieve {
DWORD implanted; // all implants: shellcodes + PEs
DWORD implanted_pe; // the full PE was probably loaded manually
DWORD implanted_shc; //implanted shellcodes
DWORD other; // other indicators
DWORD skipped; // some of the modules must be skipped (i.e. dotNET managed code have different characteristics and this scan does not apply)
DWORD errors; // Count of elements that could not be scanned because of errors. If errors == ERROR_SCAN_FAILURE, no scan was performed.
} t_report;
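Review bot: `DWORD other;` is inserted ahead of `skipped` and `errors` in `t_report`, which shifts the offsets of both fields; if this struct is handed across the PE-sieve DLL boundary (the header's location under include/ suggests it is the public API), a consumer built against the previous header will read `skipped` where `errors` used to be. Consider appending new counters at the end of the struct, or recording the layout change in the API version or changelog so dependents know to rebuild. The comment `// other indicators` also under-specifies the field; suggest `// suspicious elements not attributed to any of the typed counters above (suspicious minus their sum)`. The struct definition starts before this hunk.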
3 changes: 2 additions & 1 deletion postprocessors/report_formatter.cpp
Expand Up @@ -9,7 +9,7 @@ std::string pesieve::scan_report_to_string(const ProcessScanReport &process_repo
const t_report report = process_report.generateSummary();
std::stringstream stream;
//summary:
size_t other = report.suspicious - (report.patched + report.replaced + report.detached + report.implanted + report.hdr_mod);
size_t other = report.other;
stream << "PID: " << std::dec << report.pid << "\n";
stream << "---" << std::endl;
stream << "SUMMARY: \n" << std::endl;
Expand All @@ -19,6 +19,7 @@ std::string pesieve::scan_report_to_string(const ProcessScanReport &process_repo
stream << "Hooked: " << std::dec << report.patched << "\n";
stream << "Replaced: " << std::dec << report.replaced << "\n";
stream << "HdrsModified: " << std::dec << report.hdr_mod << "\n";
stream << "IAT Hooks: " << std::dec << report.iat_hooked << "\n";
stream << "Detached: " << std::dec << report.detached << "\n";
stream << "Implanted: " << std::dec << report.implanted << "\n";
if (report.implanted) {
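Review bot: The label `"IAT Hooks: "` added to the text summary is the only key in the list with an embedded space (its neighbours are `Hooked`, `Replaced`, `HdrsModified`, `Detached`, `Implanted`), so any consumer that tokenises this report on whitespace will read the key as two words. If the key is not yet relied upon, `"IATHooked: "` keeps the one-word convention; otherwise a comment stating that the text format is not a stable interface would do. The local `size_t other = report.other;` now only echoes a field and widens DWORD to size_t; using `report.other` directly at the print site, as the other counters do, would be consistent (that print line is outside this hunk). scan_report_to_string starts before the first hunk and runs past the second.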
4 changes: 2 additions & 2 deletions scanners/scan_report.cpp
Expand Up @@ -182,7 +182,7 @@ pesieve::t_report pesieve::ProcessScanReport::generateSummary() const
summary.implanted = summary.implanted_shc + summary.implanted_pe;
summary.hdr_mod = countSuspiciousPerType(REPORT_HEADERS_SCAN) - summary.replaced;
summary.detached = countSuspiciousPerType(REPORT_UNREACHABLE_SCAN);

summary.other = summary.suspicious - (summary.patched + summary.replaced + summary.detached + summary.implanted + summary.hdr_mod + summary.iat_hooked);
return summary;
}

Expand Down Expand Up @@ -217,7 +217,7 @@ const bool pesieve::ProcessScanReport::toJSON(std::stringstream &stream, size_t
{
const t_report report = this->generateSummary();
//summary:
size_t other = report.suspicious - (report.patched + report.replaced + report.detached + report.implanted + report.hdr_mod);
size_t other = report.other;
stream << "{\n";
OUT_PADDED(stream, level, "\"pid\" : ");
stream << std::dec << report.pid << ",\n";
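Review bot: The unsigned subtraction that sets `summary.other` wraps to roughly four billion whenever the typed counters sum to more than `summary.suspicious`, and that value is then emitted verbatim by both the text and JSON summaries. That can happen if any element is counted in two of the categories, or if `suspicious` is counted per module while the categories are counted per sub-report; whether the categories are disjoint cannot be verified from this hunk. A clamp keeps the report honest: `const DWORD typed = summary.patched + summary.replaced + summary.detached + summary.implanted + summary.hdr_mod + summary.iat_hooked;` followed by `summary.other = (summary.suspicious > typed) ? summary.suspicious - typed : 0;`. `summary.iat_hooked` is read here but assigned outside the hunk, and generateSummary begins before it.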

