Ejemplo n.º 1
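        /// <summary>
        /// Polls the host for PowerShell activity and returns the matching <see cref="PSEventEntry"/>.
        /// Checks, in order: a running PowerShell ISE process, a running PowerShell process,
        /// and finally the event log via <c>getPSEvent()</c>.
        /// </summary>
        /// <returns>
        /// The shared <c>entry</c> (with <c>processID</c>, <c>runcount</c> and <c>opencommand</c> updated)
        /// when a live process is found; otherwise whatever <c>getPSEvent()</c> returns, even when its
        /// <c>processID</c> is 0 — the caller tells "nothing found" apart by that field.
        /// </returns>
        public PSEventEntry checkSystem()
        {
            entry.malware     = false;
            entry.opencommand = false;

            // Live PowerShell ISE process? Test the PID we captured instead of calling
            // getISEProcess() a second time, so the PID recorded in the entry is the one
            // the decision was actually made on (a second query can return a different result).
            int processID = getISEProcess();
            if (processID > 0)
            {
                return recordLiveProcess(processID);
            }

            // Live (non-ISE) PowerShell process? This must test the PID from getPSProcess(),
            // not getISEProcess() again — ISE was already ruled out above, so re-testing it
            // would make this branch unreachable and plain powershell.exe would go unnoticed.
            processID = getPSProcess();
            if (processID > 0)
            {
                return recordLiveProcess(processID);
            }

            // No live process: fall back to the event log. "Found" (processID != 0) and
            // "not found" hand back the same object, so no further branching is needed.
            return getPSEvent();
        }

        /// <summary>Records a live PowerShell / ISE process in the shared entry and returns it.</summary>
        /// <param name="processID">PID of the process that was found; expected to be &gt; 0.</param>
        /// <returns>The shared <c>entry</c>, updated in place.</returns>
        private PSEventEntry recordLiveProcess(int processID)
        {
            entry.processID   = processID;
            entry.runcount   += 1;
            entry.opencommand = true;
            return entry;
        }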
Ejemplo n.º 2
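        /// <summary>
        /// Background polling loop: every <c>SLEEPTIME</c> ms asks <c>monitor.checkSystem()</c>
        /// for the current PowerShell activity and raises UI alerts (message box / balloon)
        /// plus <c>porcessManager()</c> for the reported PID. Counters are kept per 24h window
        /// starting at <c>start</c>. Runs until the worker is cancelled.
        /// </summary>
        /// <param name="sender">The <see cref="BackgroundWorker"/> that started this loop.</param>
        /// <param name="e">Work arguments; <c>e.Cancel</c> is set when the loop stops.</param>
        private void psscanner_DoWork(object sender, DoWorkEventArgs e)
        {
            BackgroundWorker worker = sender as BackgroundWorker;

            while (true)
            {
                // A null worker means this handler was wired to something other than a
                // BackgroundWorker; stop cleanly rather than throwing from inside the loop.
                if (worker == null || worker.CancellationPending)
                {
                    e.Cancel = true;
                    break;
                }

                PSEventEntry entry = monitor.checkSystem();

                // Nothing to evaluate this tick. Previously a null entry fell into the reset
                // branch and dereferenced it there; it must not wipe the daily counters either.
                if (entry == null)
                {
                    Thread.Sleep(SLEEPTIME);
                    continue;
                }

                // Daily window check. Comparing `start` against `start.AddDays(1)` is always
                // true, so the window never rolled over; the clock has to be compared instead.
                // DateTime.Now is kept here to match how `start` is assigned below.
                if (DateTime.Now < start.AddDays(1))
                {
                    if (entry.malware)
                    {
                        ceateMessageBox("Suspicious script block logged !!! Are u hacked?", "Suspicious script blocked");
                        porcessManager(entry.processID);
                    }
                    // Any increase over the last seen count is reported.
                    if (entry.runcount > count)
                    {
                        // NOTE(review): the "******" in this call is a redaction artifact of the
                        // listing, not valid C#; the original presumably concatenated the user name.
                        createBalloon("User: "******"PowerShell command executed!\nCount: " + entry.runcount + "\nDate logged: " + entry.datetime.ToString());
                        porcessManager(entry.processID);
                    }
                    if (entry.runcount >= this.trashold)
                    {
                        ceateMessageBox("To many PowerShell events detected! Are you hacked?", "Threshold reached!!");
                        porcessManager(entry.processID);
                    }
                    // Paranoid mode: alert on a PowerShell/ISE window merely being open.
                    if (entry.opencommand && paranoidModeButton.Checked)
                    {
                        // NOTE(review): same redaction artifact as above.
                        createBalloon("User: "******"PowerShell command was opened!\nDate logged: " + entry.datetime.ToString());
                        porcessManager(entry.processID);
                    }
                    count = entry.runcount;
                }
                else
                {
                    // New 24h window: reset the entry's counter AND our high-water mark.
                    // Leaving `count` at yesterday's value would silence the "command executed"
                    // alert until today's runcount exceeds it — a detection gap.
                    entry.runcount = 0;
                    count          = 0;
                    start          = DateTime.Now;
                }

                Thread.Sleep(SLEEPTIME);
            }
        }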