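def scan(self, pid, pesieveshellc=False):
    """
    Performs a PE-Sieve scan on a given process ID and returns the
    counters from its JSON summary.

    :param pid: process id of the process to check
    :param pesieveshellc: when True, '/shellc' is added to the PE-Sieve
                          command line (shellcode scanning)
    :return: dict of counters taken from "scanned" -> "modified" in the
             PE-Sieve JSON output. On any failure (unparseable output,
             unexpected JSON layout) the preset dict
             {"patched": 0, "replaced": 0, "detached": 0, "implanted": 0}
             is returned, so a failed scan is indistinguishable from a
             clean one for the caller unless the log is consulted
    """
    # Presets - also the value returned when the scan output is unusable
    results = {"patched": 0, "replaced": 0, "detached": 0, "implanted": 0}

    # Compose command; pid is passed as a separate argv element, never
    # through a shell string
    command = [self.peSieve, '/pid', str(pid), '/ofilter', '2', '/quiet', '/json']
    if pesieveshellc:
        command.append('/shellc')

    # Run PE-Sieve on given process. The exit code is not evaluated here;
    # failures surface only through the JSON handling below.
    output, returnCode = runProcess(command)
    try:
        results_raw = json.loads(output)
        results = results_raw["scanned"]["modified"]
        # Debug output (parenthesised form works on Python 2 and 3)
        if self.logger.debug:
            print(results)
    except ValueError:
        # Empty or non-JSON output - keep the presets
        self.logger.log("DEBUG", "PESieve", "Couldn't parse the JSON output.")
    except Exception:
        # Unexpected JSON layout (e.g. missing "scanned"/"modified" keys)
        # or any other error - keep the presets and report it
        traceback.print_exc()
        self.logger.log("ERROR", "PESieve", "Something went wrong during PE-Sieve scan.")
    return results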
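def scan(self, pid):
    """
    Performs a PE-Sieve scan on a given process ID and parses the
    counters from the textual SUMMARY section of its output.

    :param pid: process id of the process to check
    :return hooked, replaced, suspicious: number of findings per type.
            All three stay 0 when no SUMMARY section is found, so a
            failed scan looks like a clean one to the caller unless the
            ERROR log entry is consulted
    """
    # Presets
    hooked = 0
    replaced = 0
    suspicious = 0

    # Patterns for the integer values of the SUMMARY section, compiled
    # once instead of on every output line
    hooked_re = re.compile(r'Hooked:[\s\t]+([0-9]+)')
    replaced_re = re.compile(r'Replaced:[\s\t]+([0-9]+)')
    suspicious_re = re.compile(r'Other suspicious:[\s\t]+([0-9]+)')

    # Compose command; pid is a separate argv element, not a shell string
    command = [self.peSieve, '/pid', str(pid), '/nodump', '/quiet']

    # Run PE-Sieve on given process (the exit code is not evaluated)
    output, returnCode = runProcess(command)

    # Process the output
    start_summary = False
    for line in output.splitlines():
        # In debug mode echo every line from the SUMMARY header onwards
        if self.logger.debug:
            if "SUMMARY:" in line:
                start_summary = True
            if start_summary:
                print(line)
        # Extract the integer values (matched on every line, not only
        # within the SUMMARY section)
        result_hooked = hooked_re.search(line)
        if result_hooked:
            hooked = int(result_hooked.group(1))
        result_replaced = replaced_re.search(line)
        if result_replaced:
            replaced = int(result_replaced.group(1))
        result_suspicious = suspicious_re.search(line)
        if result_suspicious:
            suspicious = int(result_suspicious.group(1))

    # A missing SUMMARY section is treated as a failed scan; the counters
    # above are returned unchanged (all zero)
    if "SUMMARY:" not in output:
        self.logger.log(
            "ERROR", "PESieve",
            "Something went wrong during PE-Sieve scan. "
            "Couldn't find the SUMMARY section in output.")
    return hooked, replaced, suspicious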