[FEATURE] Store used parameters in the report

CMakeLists.txt

@@ -176,10 +176,12 @@ set (utils_hdrs
 
 set (params_info_hdrs
 	params_info/pe_sieve_params_info.h
+	params_info/params_dump.h
 )
 
 set (params_info_srcs
 	params_info/pe_sieve_params_info.cpp
+	params_info/params_dump.cpp
 )
 
 set (srcs

include/pe_sieve_types.h

@@ -110,7 +110,7 @@ namespace pesieve {
 	} PARAM_STRING;
 
 	//!  Input parameters for PE-sieve, defining the configuration.
-	typedef struct {
+	typedef struct params {
 		DWORD pid;                 ///< the PID of the process to be scanned
 		t_dotnet_policy dotnet_policy; ///< policy for scanning .NET modules
 		t_imprec_mode imprec_mode;  ///< import recovery mode
@@ -133,11 +133,12 @@ namespace pesieve {
 	} t_params;
 
 	//!  Final summary about the scanned process.
-	typedef struct {
+	typedef struct report {
 		DWORD pid;              ///< pid of the process that was scanned
 		bool is_managed;        ///< is process managed (.NET)
 		bool is_64bit;          ///< is process 64 bit
 		bool is_reflection;     ///< was the scan performed on process reflection
+		t_params *used_params;   ///< parameters used for the scan
 		DWORD scanned;          ///< number of all scanned modules
 		DWORD suspicious;       ///< general summary of suspicious
 		DWORD replaced;         ///< PE file replaced in memory (probably hollowed)

params_info/params_dump.cpp

@@ -0,0 +1,51 @@
+#include "params_dump.h"
+
+#include "../utils/format_util.h"
+
+void pesieve::params_fields_to_JSON(pesieve::t_params& params, std::stringstream& outs, size_t level)
+{
+	if (params.modules_ignored.length && params.modules_ignored.buffer) {
+		OUT_PADDED(outs, level, "\"modules_ignored\" : ");
+		outs << "\"" << params.modules_ignored.buffer << "\"" << ",\n";
+	}
+	OUT_PADDED(outs, level, "\"data\" : ");
+	outs << std::dec << params.data << ",\n";
+
+	OUT_PADDED(outs, level, "\"dotnet_policy\" : ");
+	outs << std::dec << params.dotnet_policy << ",\n";
+
+	OUT_PADDED(outs, level, "\"hooks\" : ");
+	outs << std::dec << (params.no_hooks ? 0 : 1) << ",\n";
+
+	OUT_PADDED(outs, level, "\"iat\" : ");
+	outs << std::dec << params.iat << ",\n";
+
+	OUT_PADDED(outs, level, "\"threads\" : ");
+	outs << std::dec << params.threads << ",\n";
+
+	OUT_PADDED(outs, level, "\"shellcode\" : ");
+	outs << std::dec << params.shellcode << ",\n";
+
+	OUT_PADDED(outs, level, "\"obfuscated\" : ");
+	outs << std::dec << params.obfuscated << ",\n";
+
+	OUT_PADDED(outs, level, "\"use_reflection\" : ");
+	outs << std::dec << params.make_reflection << ",\n";
+
+	OUT_PADDED(outs, level, "\"use_cache\" : ");
+	outs << std::dec << params.use_cache << ",\n";
+
+	OUT_PADDED(outs, level, "\"out_filter\" : ");
+	outs << std::dec << params.out_filter << ",\n";
+
+	OUT_PADDED(outs, level, "\"imprec_mode\" : ");
+	outs << std::dec << params.imprec_mode << "\n";
+}
+
+
+void pesieve::params_to_JSON(pesieve::t_params& params, std::stringstream& stream, size_t level)
+{
+	OUT_PADDED(stream, level, "\"pesieve_params\" : {\n");
+	params_fields_to_JSON(params, stream, level + 1);
+	OUT_PADDED(stream, level, "}");
+}

params_info/params_dump.h

@@ -0,0 +1,11 @@
+#pragma once
+
+#include <iostream>
+#include <pe_sieve_types.h>
+
+namespace pesieve {
+
+	void params_fields_to_JSON(pesieve::t_params& params, std::stringstream& outs, size_t level);
+	void params_to_JSON(pesieve::t_params& params, std::stringstream& stream, size_t start_level);
+};
+

scanners/scan_report.cpp

@@ -9,6 +9,7 @@
 #include "thread_scanner.h"
 
 #include "../utils/format_util.h"
+#include "../params_info/params_dump.h"
 
 using namespace pesieve;
 using namespace pesieve::util;
@@ -155,6 +156,7 @@ pesieve::t_report pesieve::ProcessScanReport::generateSummary() const
 	summary.is_64bit = this->is64bit;
 	summary.is_managed = this->isManaged;
 	summary.is_reflection = this->isReflection;
+	summary.used_params = this->usedParams;
 	summary.errors = static_cast<DWORD>(this->errorsCount);
 	summary.skipped = static_cast<DWORD>(this->reportsByType[REPORT_SKIPPED_SCAN].size());
 	summary.scanned = static_cast<DWORD>(this->reportsByType[REPORT_HEADERS_SCAN].size());
@@ -229,6 +231,10 @@ const bool pesieve::ProcessScanReport::toJSON(
 	stream << escape_path_separators(this->mainImagePath) << "\",\n";
 	OUT_PADDED(stream, level, "\"used_reflection\" : ");
 	stream << std::dec << report.is_reflection << ",\n";
+	if (report.used_params) {
+		params_to_JSON(*report.used_params, stream, level);
+		stream << ",\n";
+	}
 	OUT_PADDED(stream, level, "\"scanned\" : \n");
 	OUT_PADDED(stream, level, "{\n");
 	//stream << " {\n";

scanners/scan_report.h

@@ -41,8 +41,9 @@ namespace pesieve {
 
 		static t_report_type getReportType(ModuleScanReport *report);
 
-		ProcessScanReport(DWORD _pid, bool _is64bit, bool _isReflection)
-			: pid(_pid), exportsMap(nullptr), errorsCount(0), modulesInfo(pid), isManaged(false), is64bit(_is64bit), isReflection(_isReflection)
+		ProcessScanReport(DWORD _pid, bool _is64bit, bool _isReflection, t_params* _usedParams)
+			: pid(_pid), exportsMap(nullptr), errorsCount(0), modulesInfo(pid), isManaged(false), is64bit(_is64bit), 
+			isReflection(_isReflection), usedParams(_usedParams)
 		{
 		}
 
@@ -132,6 +133,7 @@ namespace pesieve {
 		bool is64bit;
 		bool isManaged;
 		bool isReflection;
+		t_params* usedParams;
 		size_t errorsCount;
 
 		ModulesInfo modulesInfo;

scanners/scanner.cpp

@@ -193,7 +193,7 @@ ProcessScanReport* pesieve::ProcessScanner::scanRemote()
 
 	const bool is_64bit = pesieve::util::is_process_64bit(this->processHandle);
 
-	ProcessScanReport *pReport = new ProcessScanReport(this->args.pid, is_64bit, this->isReflection);
+	ProcessScanReport *pReport = new ProcessScanReport(this->args.pid, is_64bit, this->isReflection, &this->args);
 
 	char image_buf[MAX_PATH] = { 0 };
 	GetProcessImageFileNameA(this->processHandle, image_buf, MAX_PATH);