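        /// <summary>
        /// Handles a change notification for a watched file: recomputes the file's Shannon
        /// entropy, looks up the entropy previously saved for the same path and hands both
        /// values to <c>entropyHandler</c> for the before/after comparison.
        /// </summary>
        /// <param name="e">Watcher event carrying the full path of the changed file.</param>
        internal static void changeOccured(FileSystemEventArgs e)
        {
            // Look at the entropy before and after the change.
            Dictionary<string, double> savedEntropies = ShannonEntropy.getSavedEntropies();
            ShannonEntropy entropyCalculator = new ShannonEntropy();
            double changedFileEntropy = entropyCalculator.CalculateEntropy(new FileInfo(e.FullPath));

            Console.WriteLine("File " + e.FullPath + " has been changed to and has now an entropy of " + changedFileEntropy);

            // -1 is the value the other event handlers also treat as "no usable entropy"
            // (presumably CalculateEntropy could not process the file — confirm in ShannonEntropy);
            // there is nothing to compare in that case.
            if (changedFileEntropy == -1)
            {
                return;
            }

            // A path that was never baselined has no saved entropy; use 0.0 as the "before" value.
            // This replaces the original catch-all that silently swallowed the KeyNotFoundException
            // (and anything else thrown by the lookup).
            double originalFileEntropy;
            if (savedEntropies == null || !savedEntropies.TryGetValue(e.FullPath, out originalFileEntropy))
            {
                originalFileEntropy = 0.0;
            }

            entropyHandler(e, originalFileEntropy, changedFileEntropy);
        }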
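        /// <summary>
        /// Handles a deletion notification. Every file still present in the same directory whose
        /// name contains the deleted file's name is measured and compared against the entropy that
        /// was saved for the deleted file (presumably to catch a file being rewritten under a
        /// derived name). Afterwards the deleted path is dropped from the saved entropies.
        /// </summary>
        /// <param name="e">Watcher event carrying the full path of the deleted file.</param>
        internal static void deletionOccured(FileSystemEventArgs e)
        {
            string directory = returnFilePath(e.FullPath);
            string fileName  = returnFileName(e.FullPath);

            // A path that was never baselined has nothing to compare against; the original
            // indexer lookup threw KeyNotFoundException here and never reached the cleanup below.
            double oldEntropy;
            bool wasTracked = ShannonEntropy.getSavedEntropies().TryGetValue(e.FullPath, out oldEntropy);

            // The directory itself may already be gone (e.g. a recursive delete), in which case
            // Directory.GetFiles would throw.
            if (wasTracked && Directory.Exists(directory))
            {
                ShannonEntropy entropyCreator = new ShannonEntropy();

                foreach (string candidate in Directory.GetFiles(directory))
                {
                    // Ordinal substring match, as before: "a.txt" also matches "a.txt.bak".
                    if (!candidate.Contains(fileName))
                    {
                        continue;
                    }

                    double newEntropy = entropyCreator.CalculateEntropy(new FileInfo(candidate));

                    //TODO  react if needed
                    entropyHandler(e, oldEntropy, newEntropy);
                }
            }

            ShannonEntropy.removeKeyFromSavedEntropies(e.FullPath);
        }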
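        /// <summary>
        /// Compares the entropy of a renamed file (measured at its new path) with the entropy
        /// recorded for its old path. If the rise exceeds <c>shannonThreshold</c>, timestamps
        /// older than ten minutes are pruned from <c>threshold</c> and the remaining count is
        /// compared against <c>thresholdNum</c> (the alert branch is still empty).
        /// </summary>
        /// <param name="pathOld">Path the file had before the rename (key into <c>entropiesOfFiles</c>).</param>
        /// <param name="pathNew">Path the file has now; this is the file that gets measured.</param>
        public static void renameDetectedInFile(string pathOld, string pathNew)
        {
            // TODO: what do we do if the file no longer exists?
            ShannonEntropy tempEntropyCalculator = new ShannonEntropy();
            double changedFileEntropy = tempEntropyCalculator.CalculateEntropy(new FileInfo(pathNew));

            // -1 is the value the other handlers treat as "no usable entropy"; bail out so the
            // sentinel is never compared against a real baseline (same check as changeDetectedInFile).
            if (changedFileEntropy == -1)
            {
                return;
            }

            // No baseline for the old path means there is nothing to compare against; the original
            // indexer lookup threw KeyNotFoundException here.
            double oldEntropy;
            if (!entropiesOfFiles.TryGetValue(pathOld, out oldEntropy))
            {
                return;
            }

            if ((changedFileEntropy - oldEntropy) > shannonThreshold)
            {
                // Drop timestamps older than 600 s. TotalSeconds is the whole span; the original
                // used .Seconds, which is only the 0-59 seconds component and so could never
                // exceed 600, meaning nothing was ever pruned.
                // DateTime.Now is kept because the entries in threshold are added elsewhere and
                // are assumed to use the same local clock — confirm before switching to UtcNow.
                DateTime now = DateTime.Now;
                List<DateTime> expired = new List<DateTime>();
                foreach (DateTime t in threshold)
                {
                    if (now.Subtract(t).TotalSeconds > 600)
                    {
                        expired.Add(t);
                    }
                }

                // Second pass so the collection is not modified while being enumerated.
                foreach (DateTime t in expired)
                {
                    threshold.Remove(t);
                }

                if (threshold.Count > thresholdNum)
                {
                    //ALERT!
                }
            }
        }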
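        /// <summary>
        /// Handles a creation notification. If some tracked file has exactly the same entropy as
        /// the new file, the new file is assumed to be that file moved and the saved entry is
        /// re-keyed to the new path. Otherwise the file is recorded as new and <c>react</c> is
        /// called when its entropy exceeds <c>entropyThreshold</c>.
        /// </summary>
        /// <param name="e">Watcher event carrying the full path of the created file.</param>
        internal static void creationOccured(FileSystemEventArgs e)
        {
            // If a file in the directory has the same entropy as this one, it has merely been moved:
            // walk the saved keys, look at each value, any equal? Good —
            // add the new file to the database and delete the old one.
            Dictionary<string, double> savedEntropies = ShannonEntropy.getSavedEntropies();

            ShannonEntropy entropyCreator = new ShannonEntropy();
            double createdFileEntropy = entropyCreator.CalculateEntropy(new FileInfo(e.FullPath));

            Console.WriteLine("File " + e.FullPath + " has been created and entropy is now " + createdFileEntropy);

            // -1 is the value the other handlers treat as "no usable entropy".
            if (createdFileEntropy == -1)
            {
                return;
            }

            // Exact double equality is deliberate: the heuristic is "identical entropy => same
            // content". Two different files that happen to share an entropy value would also be
            // classified as a move. The LAST matching key wins, as in the original loop.
            string oldFilePath = null;
            foreach (var item in savedEntropies)
            {
                if (item.Value == createdFileEntropy)
                {
                    oldFilePath = item.Key;
                }
            }

            if (oldFilePath != null)
            {
                // File has been moved: re-key the saved entry to its new path.
                ShannonEntropy.removeKeyFromSavedEntropies(oldFilePath);
                ShannonEntropy.addKeyAndDoubleToSavedEntropies(e.FullPath, createdFileEntropy);
                return;
            }

            //TODO find threshold for new files and whether the entropy is too high
            // (The original also called removeKeyFromSavedEntropies("") on this branch — presumably
            // a copy-paste leftover, since "" can never be a tracked path; it has been dropped.)
            ShannonEntropy.addKeyAndDoubleToSavedEntropies(e.FullPath, createdFileEntropy);
            if (createdFileEntropy > entropyThreshold)
            {
                react(e);
            }
        }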
 //Event handeler if an object is renamed
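 // Event handler if an object is renamed: keeps the saved-entropy table keyed by the file's
 // current path, but only for renames whose old path lies under one of the watched PoC folders.
 private static void OnRenamed(object source, RenamedEventArgs e)
 {
     Console.WriteLine(e.OldFullPath + " is renamed to " + e.FullPath);

     // Watched roots, hard-coded for the PoC machine (as in the original).
     string[] watchedRoots =
     {
         @"C:\Users\PoC2\Desktop",
         @"C:\Users\PoC2\Documents",
         @"C:\Users\PoC2\Downloads",
         @"C:\Users\PoC2\Videos",
     };

     // Still a substring match as before, but case-insensitive: Windows paths are
     // case-insensitive, and the original ordinal Contains would miss e.g. "c:\users\poc2\desktop".
     bool insideWatchedRoot = false;
     foreach (string root in watchedRoots)
     {
         if (e.OldFullPath.IndexOf(root, StringComparison.OrdinalIgnoreCase) >= 0)
         {
             insideWatchedRoot = true;
             break;
         }
     }

     if (!insideWatchedRoot)
     {
         return;
     }

     // Re-key the saved entry from the old path to the new one. One TryGetValue replaces the
     // original ContainsKey + indexer pair, which fetched getSavedEntropies() twice.
     double tempEntropy;
     if (ShannonEntropy.getSavedEntropies().TryGetValue(e.OldFullPath, out tempEntropy))
     {
         ShannonEntropy.removeKeyFromSavedEntropies(e.OldFullPath);
         ShannonEntropy.addKeyAndDoubleToSavedEntropies(e.FullPath, tempEntropy);
     }
 }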
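        /// <summary>
        /// Compares the current entropy of a changed file with the entropy recorded for it in
        /// <c>entropiesOfFiles</c>. If the rise exceeds <c>shannonThreshold</c>, timestamps older
        /// than ten minutes are pruned from <c>threshold</c> and the remaining count is compared
        /// against <c>thresholdNum</c> (the alert branch is still empty).
        /// </summary>
        /// <param name="path">Full path of the changed file.</param>
        public static void changeDetectedInFile(string path)
        {
            //TODO what if the file doesn't exist anymore
            ShannonEntropy tempEntropyCalculator = new ShannonEntropy();
            double changedFileEntropy = tempEntropyCalculator.CalculateEntropy(new FileInfo(path));

            Console.WriteLine("File " + path + " has been changed to and has now and entropy of " + changedFileEntropy);

            // -1 is the value the other handlers treat as "no usable entropy".
            if (changedFileEntropy == -1)
            {
                return;
            }

            // No baseline for this path means there is nothing to compare against; the original
            // indexer lookup threw KeyNotFoundException here.
            double oldEntropy;
            if (!entropiesOfFiles.TryGetValue(path, out oldEntropy))
            {
                return;
            }

            if ((changedFileEntropy - oldEntropy) > shannonThreshold)
            {
                // Drop timestamps older than 600 s. TotalSeconds is the whole span; the original
                // used .Seconds, which is only the 0-59 seconds component and so could never
                // exceed 600, meaning nothing was ever pruned.
                // DateTime.Now is kept because the entries in threshold are added elsewhere and
                // are assumed to use the same local clock — confirm before switching to UtcNow.
                DateTime now = DateTime.Now;
                List<DateTime> expired = new List<DateTime>();
                foreach (DateTime t in threshold)
                {
                    if (now.Subtract(t).TotalSeconds > 600)
                    {
                        expired.Add(t);
                    }
                }

                // Second pass so the collection is not modified while being enumerated.
                foreach (DateTime t in expired)
                {
                    threshold.Remove(t);
                }

                if (threshold.Count > thresholdNum)
                {
                    //ALERT!
                }
            }
        }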
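        /// <summary>
        /// Baselines the four watched directories: computes the entropy of every file under
        /// <c>path1</c>..<c>path4</c> and records it in <c>entropiesOfFiles</c>.
        /// </summary>
        public static void entropyCollector()
        {
            //Takes the entropy for each of the four directories and adds that to a single list.
            // One fresh calculator per directory, exactly as the original did.
            foreach (string directory in new[] { path1, path2, path3, path4 })
            {
                ShannonEntropy tempEntropyCalculator = new ShannonEntropy();

                foreach (var entry in tempEntropyCalculator.getEntropyOfAllFilesInPath(directory))
                {
                    // Indexer assignment instead of Add: a path reachable from two of the roots
                    // (nested or overlapping directories) would otherwise throw ArgumentException
                    // on the duplicate key and abort the whole baseline.
                    entropiesOfFiles[entry.Key] = entry.Value;
                }
            }

            //TODO trigger the PoC sample fetch here as well once the logger is ready
            //     (see shannonEntropyFileMonDetection)
        }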
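        /// <summary>
        /// Entry point of the file-monitor PoC run: waits for the logger to fetch the PoC test
        /// sample, wires thresholds, paths and helper components, baselines the entropy of the
        /// four watched directories, starts the ProcMon backing-file thread and the log writer,
        /// and then keeps the process alive for 30 s.
        /// </summary>
        public static void shannonEntropyFileMonDetection()
        {
            Logger.getPoCRansomware();

            Thread.Sleep(1000);

            Logger.postPoCFetched();

            // NOTE(review): unbounded poll — if the fetch never completes this loop spins forever.
            // A deadline would be safer; kept as-is so the run's semantics do not change.
            while (!Logger.getHasFetched())
            {
                Thread.Sleep(500);
            }

            Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);

            ActionTaker.setBackingName(BACKINGNAME);
            ActionTaker.setPathToBackingFile(pathToBackingFile);

            ProcMon.setPathToProcMon(ProcMonPath);

            FilemonEventHandler.setEntropyThreshold(entropyThreshold);
            FilemonEventHandler.setThresholdToReaction(thresholdToReaction);
            FilemonEventHandler.setSecondsInThreshold(secondsInThreshold);

            Logger.setPath1(path1);
            Logger.setPath2(path2);
            Logger.setPath3(path3);
            Logger.setPath4(path4);
            Logger.setPathFileWatch(PATH);

            //Find entropy of all files
            // The return value is discarded, as in the original; the dump below reads
            // getSavedEntropies(), so getEntropyOfAllFilesInPath presumably populates that
            // static table as a side effect — confirm in ShannonEntropy. One fresh calculator
            // per directory, as before.
            foreach (string directory in new[] { path1, path2, path3, path4 })
            {
                ShannonEntropy calculator = new ShannonEntropy();
                calculator.getEntropyOfAllFilesInPath(directory);
            }

            foreach (var item in ShannonEntropy.getSavedEntropies())
            {
                Console.WriteLine(item.Key + " - " + item.Value);
            }

            //Start procmon
            // If BACKINGNAME is a string this appends "0" (string + int concatenation); kept as in
            // the original. Note ActionTaker.setBackingName above received the un-suffixed value.
            BACKINGNAME = BACKINGNAME + 0;
            var procmonThread = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME));
            procmonThread.Start();

            //Start filemon
            //When filemon sees a reaction it posts to filemoneventhandler
            //Filemoneventhandler then deems if it is necessary to take action, using actiontaker
            Console.WriteLine(Logger.getNAMEONTEST());

            //Start logger
            //TODO fix call to server such that it is not honeypotpoc that is called
            Logger.LogWriter(PATH);

            Logger.postPoCTested();
            Logger.postPoCPosted();

            // Keep the process alive long enough for the monitors to run; the procmon thread is
            // never joined, as in the original.
            Thread.Sleep(30000);
        }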