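/// <summary>
/// Scans the host for PowerShell activity: first a running PowerShell ISE, then a
/// plain PowerShell host process, and only when neither is found the event log.
/// The <c>malware</c> and <c>opencommand</c> flags on the shared <c>entry</c> are
/// cleared at the start of every scan.
/// </summary>
/// <returns>
/// The shared <c>entry</c> (with <c>processID</c> set, <c>runcount</c> incremented and
/// <c>opencommand</c> = true) when a live process is found; otherwise the value returned
/// by <c>getPSEvent()</c>, unchanged.
/// </returns>
public PSEventEntry checkSystem()
{
    entry.malware = false;
    entry.opencommand = false;

    // Probe once and reuse the result: the original called getISEProcess() a second
    // time in the condition, so the pid stored on the entry could differ from the one
    // that was actually tested if the process exited in between.
    int processID = getISEProcess();
    if (processID > 0)
    {
        return markProcessSeen(processID);
    }

    // The original re-tested getISEProcess() here (copy/paste), which had already
    // returned 0 above, so a plain PowerShell host was never reported as an open
    // command. Test the pid that was just retrieved instead.
    processID = getPSProcess();
    if (processID > 0)
    {
        return markProcessSeen(processID);
    }

    // No live process: fall back to the event log. The original compared
    // event_tmp.processID with 0 but returned event_tmp on both branches, so the
    // check is dropped. Callers are expected to treat processID == 0 as "nothing logged".
    // NOTE(review): assumes getPSEvent() never returns null, as the original did — confirm.
    return getPSEvent();
}

// Records a live PowerShell host process on the shared entry and flags it as an
// opened command. Returns the shared entry so callers see the updated counters.
private PSEventEntry markProcessSeen(int processID)
{
    entry.processID = processID;
    entry.runcount++;
    entry.opencommand = true;
    return entry;
}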
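/// <summary>
/// Background-worker polling loop. Every <c>SLEEPTIME</c> milliseconds it asks
/// <c>monitor.checkSystem()</c> for the latest PowerShell activity and raises a
/// message box or balloon for: a flagged script block, a rise in the executed-command
/// count, the <c>trashold</c> being reached, and (in paranoid mode) an opened PowerShell
/// host. The daily baseline (<c>count</c>, <c>start</c>) is reset once 24 hours have
/// passed since <c>start</c>.
/// </summary>
/// <param name="sender">The <see cref="BackgroundWorker"/> running this loop.</param>
/// <param name="e">Work arguments; <see cref="DoWorkEventArgs.Cancel"/> is set when the
/// worker is cancelled.</param>
/// <exception cref="ArgumentException"><paramref name="sender"/> is not a <see cref="BackgroundWorker"/>.</exception>
private void psscanner_DoWork(object sender, DoWorkEventArgs e)
{
    // The original used `as` and dereferenced the result without a null check.
    BackgroundWorker worker = sender as BackgroundWorker;
    if (worker == null)
    {
        throw new ArgumentException("sender must be a BackgroundWorker", "sender");
    }

    // The loop only ends when cancellation is requested, so e.Cancel is set once
    // after it (same outcome as the original's in-loop assignment + break).
    while (!worker.CancellationPending)
    {
        PSEventEntry entry = monitor.checkSystem();

        // The original condition was `start < start.AddDays(1)`, which is always true,
        // so the daily window never expired and the reset branch was unreachable.
        // Compare the current time against the window end instead.
        if (entry != null && DateTime.Now < start.AddDays(1))
        {
            // NOTE(review): entry.processID comes from a process probe or the event
            // log and may be stale (or reused by another process) by the time
            // porcessManager runs — confirm it revalidates the pid before acting.
            if (entry.malware)
            {
                ceateMessageBox("Suspicious script block logged !!! Are u hacked?", "Suspicious script blocked");
                porcessManager(entry.processID);
            }

            if (entry.runcount > count)
            {
                // NOTE(review): "******" between the two literals is a redaction in the
                // source; the original operand is not visible here and must be restored.
                createBalloon("User: "******"PowerShell command executed!\nCount: " + entry.runcount + "\nDate logged: " + entry.datetime.ToString());
                porcessManager(entry.processID);
            }

            if (entry.runcount >= this.trashold)
            {
                ceateMessageBox("To many PowerShell events detected! Are you hacked?", "Threshold reached!!");
                porcessManager(entry.processID);
            }

            if (entry.opencommand && paranoidModeButton.Checked)
            {
                // NOTE(review): same redaction as above.
                createBalloon("User: "******"PowerShell command was opened!\nDate logged: " + entry.datetime.ToString());
                porcessManager(entry.processID);
            }

            // New baseline for the "command executed" comparison on the next poll.
            count = entry.runcount;
        }
        else
        {
            // Window expired (or nothing was returned): start a fresh 24-hour window.
            // The original dereferenced entry here unconditionally; guard it.
            if (entry != null)
            {
                entry.runcount = 0;
            }

            // The original left `count` at its old value after zeroing runcount, so the
            // "command executed" balloon could not fire again until the old count was
            // exceeded; reset the baseline together with the window.
            count = 0;
            start = DateTime.Now;
        }

        Thread.Sleep(SLEEPTIME);
    }

    e.Cancel = true;
}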