        public AgentScanner()
        {
            // Fresh log buffer and an empty settings map; both are filled in by the scan steps later.
            AgentScanLog = new StringBuilder();
            AgentSettings = new Dictionary<string, string>();

            // Heuristic results start out as empty containers for both kernel and user mode.
            CwXML.CodewordAgentHeuristicMatches heuristics = new CwXML.CodewordAgentHeuristicMatches();
            heuristics.KernelModeMatches = new CwXML.KernelModeHeuristicMatches();
            heuristics.UserModeMatches = new CwXML.UserModeHeuristicMatches();
            AgentHeuristicMatches = heuristics;

            // Signature results start out as zero-length arrays rather than null, so consumers can
            // iterate them without a null check.
            CwXML.CodewordAgentSignatureMatches signatures = new CwXML.CodewordAgentSignatureMatches();
            signatures.RegistrySignatureMatches = new CwXML.RegistrySignatureMatch[0];
            signatures.MemorySignatureMatches = new CwXML.MemorySignatureMatch[0];
            signatures.FileSignatureMatches = new CwXML.FileSignatureMatch[0];
            AgentSignatureMatches = signatures;
        }
        /////////////////////////////////////////////////////
        //                                                 //
        // StartScanTask()                                 //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  This function only performs the setup
        //              necessary to perform a scan of registry,
        //              disk and memory, and to report those
        //              results back to the admin console.
        //
        //Returns:      a StringBuilder object containing the scan log.
        /////////////////////////////////////////////////////
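        internal StringBuilder StartScanTask(ref CwXML.CodewordAgentAnomalyReport anomalyReport)
        {
            // Start from empty result containers so nothing from a previous run leaks into this report.
            anomalyReport = new CwXML.CodewordAgentAnomalyReport();
            AgentHeuristicMatches = new CwXML.CodewordAgentHeuristicMatches();
            AgentHeuristicMatches.KernelModeMatches = new CwXML.KernelModeHeuristicMatches();
            AgentHeuristicMatches.UserModeMatches = new CwXML.UserModeHeuristicMatches();
            AgentSignatureMatches = new CwXML.CodewordAgentSignatureMatches();
            AgentSignatureMatches.RegistrySignatureMatches = new CwXML.RegistrySignatureMatch[0];
            AgentSignatureMatches.MemorySignatureMatches = new CwXML.MemorySignatureMatch[0];
            AgentSignatureMatches.FileSignatureMatches = new CwXML.FileSignatureMatch[0];

            //
            //1.  Load settings from XML file extracted to local dir from MSI
            //
            AgentScanLog.AppendLine("INITIALIZE:  Loading scan settings...");

            if (!LoadAgentSettings(ref AgentSettings))
                return AgentScanLog;

            //
            //2.  Load signatures - this only needs to be done once here for the whole file
            //
            AgentScanLog.AppendLine("SCAN:  Loading signatures from XML file...");

            if (!LoadAgentSignatures())
                return AgentScanLog;

            //
            //3.  Disable .NET security (whatever EnvironmentHelper turns off here) for the
            //    duration of the scan.  The "On" call is in a finally block so the setting is
            //    restored even if one of the scan steps throws; previously an exception in
            //    DoSignatureScan/DoMitigate/the heuristics left it switched off.
            //
            EnvironmentHelper.ToggleDotnetSecurity("Off", "INITIALIZE");

            try
            {
                //
                //4.  kick off scan
                //
                AgentScanLog.AppendLine("SCAN:  Scan starting on " + DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss"));
                DoSignatureScan();

                //only auto-mitigate if option set.  A missing option is treated as "not set"
                //rather than throwing KeyNotFoundException mid-scan.
                if (IsAutoMitigateEnabled())
                    DoMitigate();

                DoUserModeHeuristics();
                DoKernelModeHeuristics();
                AgentScanLog.AppendLine("SCAN:  Scan finished on " + DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss"));
            }
            finally
            {
                //
                //5.  re-enable .NET security
                //
                EnvironmentHelper.ToggleDotnetSecurity("On", "FINALIZE");
            }

            //
            //6.  return our results object byref
            //
            //sanitize the XML by escaping invalid characters first
            SanitizeSignatureMatches();

            //assign the fields of the passed-in object byref
            anomalyReport.SignatureMatches = AgentSignatureMatches;
            anomalyReport.HeuristicMatches = AgentHeuristicMatches;

            return AgentScanLog;
        }

        /////////////////////////////////////////////////////
        //                                                 //
        // IsAutoMitigateEnabled()                         //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Reads the "Option_AutoMitigate" setting
        //              from AgentSettings.
        //
        //Returns:      true only when the option is present and
        //              its value is exactly "True"; a missing
        //              option is logged and treated as false.
        /////////////////////////////////////////////////////
        private bool IsAutoMitigateEnabled()
        {
            string value;

            if (!AgentSettings.TryGetValue("Option_AutoMitigate", out value))
            {
                AgentScanLog.AppendLine("SCAN:  Option_AutoMitigate not present in settings; skipping auto-mitigation.");
                return false;
            }

            // ordinal comparison: this is a machine-written setting, not user-facing text
            return string.Equals(value, "True", StringComparison.Ordinal);
        }

        /////////////////////////////////////////////////////
        //                                                 //
        // SanitizeSignatureMatches()                      //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Escapes invalid XML characters in the
        //              string fields of the registry and memory
        //              signature matches, writing each element
        //              back into its array (the write-back keeps
        //              this correct whether the match types are
        //              structs or classes).
        /////////////////////////////////////////////////////
        private void SanitizeSignatureMatches()
        {
            CwXML.RegistrySignatureMatch[] registryMatches = AgentSignatureMatches.RegistrySignatureMatches;

            for (int i = 0; i < registryMatches.Length; i++)
            {
                CwXML.RegistrySignatureMatch match = registryMatches[i];
                match.RegistryValueData = CwXML.ReplaceInvalidXmlChars(match.RegistryValueData);
                match.RegistryValueName = CwXML.ReplaceInvalidXmlChars(match.RegistryValueName);
                registryMatches[i] = match;
            }

            CwXML.MemorySignatureMatch[] memoryMatches = AgentSignatureMatches.MemorySignatureMatches;

            for (int i = 0; i < memoryMatches.Length; i++)
            {
                CwXML.MemorySignatureMatch match = memoryMatches[i];
                //keywords are not required in memory search - could just be looking for presence of a process name
                if (match.Keywords != null)
                    match.Keywords = CwXML.ReplaceInvalidXmlChars(match.Keywords);
                match.MatchingBlock = CwXML.ReplaceInvalidXmlChars(match.MatchingBlock);
                memoryMatches[i] = match;
            }
        }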