/// <summary> /// Begin a scan /// </summary> /// <param name="targ">Target to scan</param> /// <param name="reload">If rules should be reloaded</param> public void StartDetectItEasyScan(BinaryTarget targ, bool reload = false) { targ.ClearSignatureHits(CONSTANTS.eSignatureType.DIE); if (rgatState.ConnectedToRemote && rgatState.NetworkBridge.GUIMode) { JObject cmdparams = new JObject(); cmdparams.Add("Type", "DIE"); cmdparams.Add("TargetSHA1", targ.GetSHA1Hash()); cmdparams.Add("Reload", reload); rgatState.NetworkBridge.SendCommand("StartSigScan", null, null, cmdparams); return; } if (reload) { string scriptsPath = GetScriptsPath(GlobalConfig.GetSettingPath(CONSTANTS.PathKey.DiESigsDirectory)); dielib.ReloadScriptDatabase(scriptsPath, out string?error); if (error is not null) { Logging.RecordError($"Error loading database: {error}"); } } if (!dielib.DatabaseLoaded) { return; } if (!File.Exists(targ.FilePath)) { return; } ulong handle = 0; lock (scansLock) { handle = dielib.CreateScanHandle(); if (DIEScanHandles.ContainsKey(targ)) { DIEScanHandles[targ] = handle; } else { DIEScanHandles.Add(targ, handle); } } List <object> args = new List <object>() { dielib, targ, handle }; Thread DIEThread = new Thread(new ParameterizedThreadStart(DetectItScanThread)); DIEThread.Name = "DetectItEasy_" + targ.FileName; DIEThread.Start(args); }
/// <summary> /// Begin tracing a binary in command line mode /// </summary> /// <param name="targetPath">Binary to trace</param> /// <param name="saveDirectory">Where to save the result</param> /// <param name="recordVideo">If a video is being recorded</param> public static void TraceBinary(string targetPath, string?saveDirectory = null, bool recordVideo = false) { Logging.WriteConsole($"Command line mode tracing binary {targetPath}"); BinaryTarget target = new BinaryTarget(targetPath); if (!GlobalConfig.Settings.GetPreviousLaunchSettings(target.GetSHA1Hash(), out ProcessLaunchSettings? settings) || settings is null) { settings = new ProcessLaunchSettings(targetPath); settings.TraceChoices.InitDefaultExclusions(); } ProcessLaunching.StartLocalTrace(target.BitWidth, settings, target.PEFileObj); while (true) { Thread.Sleep(1000); var targets = rgatState.targets.GetBinaryTargets(); int traces = 0, running = 0; foreach (var previousTarget in targets) { foreach (var previousTrace in previousTarget.GetTracesList()) { traces += 1; if (previousTrace.IsRunning) { running += 1; } } } Logging.WriteConsole($"{running}/{traces} traces running accross {targets.Count} targets"); if (traces > 0 && running == 0) //also wait for keypress { Logging.WriteConsole("All traces done. Saving and exiting."); rgatState.SaveAllTargets(); rgatState.Shutdown(); break; } } }
/// <summary> /// Scan a target binary file /// </summary> /// <param name="targ">File path</param> /// <param name="reload">reload the signatures first</param> public void StartYARATargetScan(BinaryTarget targ, bool reload = false) { targ.ClearSignatureHits(CONSTANTS.eSignatureType.YARA); if (rgatState.ConnectedToRemote && rgatState.NetworkBridge.GUIMode) { JObject cmdparams = new JObject(); cmdparams.Add("Type", "YARA"); cmdparams.Add("Reload", reload); cmdparams.Add("TargetSHA1", targ.GetSHA1Hash()); rgatState.NetworkBridge.SendCommand("StartSigScan", null, null, cmdparams); return; } try { if (reload) { RefreshRules(GlobalConfig.GetSettingPath(CONSTANTS.PathKey.YaraRulesDirectory), forceRecompile: true); } if (!File.Exists(targ.FilePath)) { return; } List <object> args = new List <object>() { targ }; Thread YaraThread = new Thread(new ParameterizedThreadStart(YARATargetScanThread)); YaraThread.Name = "YARA_F_" + targ.FileName; YaraThread.Start(args); } catch (Exception e) { Logging.RecordException($"Error starting YARA scan: {e.Message}", e); } }
/// <summary> /// A DIE scan thread /// </summary> /// <param name="argslist">scanner, target args object</param> private void DetectItScanThread(object?argslist) { if (argslist is null) { return; } List <object> args = (List <object>)argslist; DiELibDotNet.DieLib scanner = (DiELibDotNet.DieLib)args[0]; BinaryTarget targ = (BinaryTarget)args[1]; if (!scanner.DatabaseLoaded) { return; } ulong handle = (ulong)args[2]; string result; try { DiELibDotNet.DieScript.SCAN_OPTIONS options = new DiELibDotNet.DieScript.SCAN_OPTIONS(); options.showOptions = true; options.showVersion = true; options.showType = true; options.deepScan = false; //very slow while (true) { if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false) { DieScript.SCANPROGRESS?progress = dielib.QueryProgress(handle); JObject statusObj = new JObject { { "TargetSHA1", targ.GetSHA1Hash() }, { "Type", "DIE" },
int Inner(BinaryTarget targ) { try { lock (_scanLock) { if (LoadedRuleCount() == 0) { if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false) { JObject statusObj = new JObject { { "TargetSHA1", targ.GetSHA1Hash() }, { "Type", "YARA" }, { "Loaded", 0 }, { "State", eYaraScanProgress.eNotStarted.ToString() } }; rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj); } return(0); } byte[] fileContentsBuf; try { if (targ.PEFileObj is not null) { fileContentsBuf = targ.PEFileObj.RawFile.ToArray(); } else { fileContentsBuf = File.ReadAllBytes(targ.FilePath); } } catch (Exception e) { Logging.RecordException($"Failed to get file bytes to YARA scan: {e.Message}", e); return(0); } if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false) { JObject statusObj = new JObject { { "TargetSHA1", targ.GetSHA1Hash() }, { "Type", "YARA" }, { "Loaded", LoadedRuleCount() }, { "State", eYaraScanProgress.eRunning.ToString() } }; rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj); } targetScanProgress[targ] = eYaraScanProgress.eRunning; // Initialize the scanner var scanner = new dnYara.CustomScanner(loadedRules); ExternalVariables externalVariables = new ExternalVariables(); externalVariables.StringVariables.Add("filename", targ.FileName); try { //bugs here tend to happen in unmanaged code, so this try-catch is unlikely to help List <ScanResult> scanResults = scanner.ScanMemory(ref fileContentsBuf, externalVariables); foreach (ScanResult sighit in scanResults) { targ.AddYaraSignatureHit(sighit); } } catch (Exception e) { Logging.RecordException($"Yara ScanMemory exception: {e.Message}", e); } finally { scanner.Release(); } if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false) { JObject statusObj = new JObject { { "TargetSHA1", targ.GetSHA1Hash() }, { "Type", "YARA" }, { "Loaded", LoadedRuleCount() }, { "State", eYaraScanProgress.eComplete.ToString() } }; rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj); } } } catch (dnYara.Exceptions.YaraException e) { Logging.RecordException("YARA Scan failed with exeption: " + e.Message, e); targetScanProgress[targ] = eYaraScanProgress.eFailed; } catch (Exception e) { Logging.RecordException("YARA Scan failed with exeption: " + e.Message, e); targetScanProgress[targ] = eYaraScanProgress.eFailed; } targetScanProgress[targ] = eYaraScanProgress.eComplete; return(0); }