//static string path1 = @"C:\Users\viruseater1\Documents";
//static string path2 = @"C:\Users\viruseater1\Desktop";
//static string path3 = @"C:\Users\viruseater1\Downloads";
//static string path4 = @"C:\Users\viruseater1\Videos";
public static Boolean LogWriter(string PATH)
{
//Sets what aspects are to be monitored
cpuUsageCounter = new PerformanceCounter("Processor", "% Processor Time", "_Total");
ramUsageCounter = new PerformanceCounter("Memory", "Available MBytes");
harddiskUsageCounter = new PerformanceCounter("PhysicalDisk", "% Disk Time", "_Total");
threadCounter = new PerformanceCounter("Process", "Thread Count", "_Total");
handleCounter = new PerformanceCounter("Process", "Handle Count", "_Total");
//Create the dictionaries for the hashed files for each path
Dictionary <string, string> hashedFilesAtStart = new Dictionary <string, string>();
hashedFilesAtStart = testParseTXTfile(hashedFilePath);
programExecuter.executeProgram(ransomwareDownloaderPath);
postBaseTaken();
//Adds the hashed files to a single list
//Starts the filewatcher
var fw = new Thread(() => FileMon.CreateFileWatcher(pathFileWatch));
fw.Start();
//Find the start timestamp
DateTime startTimeStamp = DateTime.Now;
amountOfLoops = 0;
//Loops in an interval given by MINUTESOFLOGGING
TimeSpan span = DateTime.Now.Subtract(startTimeStamp);
Console.WriteLine("Starting loop");
while (span.Minutes < MINUTESOFLOGGING)
{
amountOfLoops++;
cpuList.Add(getCurrentCpuUsage());
ramList.Add(getAvailableRAM());
harddiskList.Add(getHarddiskUsage());
threadList.Add(getThreadCount());
handleList.Add(getHandleCount());
Thread.Sleep(INTERVALFORLOOP);
span = DateTime.Now.Subtract(startTimeStamp);
}
Console.WriteLine("Ending loop \n starting process to post");
//Stops the filemon log such that there aren't written to it during iteration
FileMon.setStopAddingToLog(true);
fileMonChanges = FileMon.getFilemonChanges();
FileMon.setWatcherToStop();
//Creates the dictionaries for the hashed files at the end
Dictionary <string, string> hashedFilesAtEnd = new Dictionary <string, string>();
Dictionary <string, string> hashedFilesAtEndtemp1 = new Dictionary <string, string>();
Dictionary <string, string> hashedFilesAtEndtemp2 = new Dictionary <string, string>();
Dictionary <string, string> hashedFilesAtEndtemp3 = new Dictionary <string, string>();
Dictionary <string, string> hashedFilesAtEndtemp4 = new Dictionary <string, string>();
//Hashes the files and adds them to the dictionaries
Hasher tempEndHasher1 = new Hasher();
hashedFilesAtEndtemp1 = tempEndHasher1.fileHasher(path1);
Hasher tempEndHasher2 = new Hasher();
hashedFilesAtEndtemp2 = tempEndHasher2.fileHasher(path2);
Hasher tempEndHasher3 = new Hasher();
hashedFilesAtEndtemp3 = tempEndHasher3.fileHasher(path3);
Hasher tempEndHasher4 = new Hasher();
hashedFilesAtEndtemp4 = tempEndHasher4.fileHasher(path4);
//Adds all dictonaries to a single one.
hashedFilesAtEndtemp1.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value));
hashedFilesAtEndtemp2.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value));
hashedFilesAtEndtemp3.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value));
hashedFilesAtEndtemp4.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value));
//Find the end timestamp
DateTime endTimeStamp = DateTime.Now;
//Figure out what has changed.
removeKeyList = new List <string>();
changedKeyList = new List <string>();
inStartDictionary = new List <string>();
inEndDictionary = new List <string>();
foreach (var item in hashedFilesAtStart)
{
//If the hashed files at start and hashed files at end is of the same path
if (hashedFilesAtEnd.ContainsKey(item.Key))
{
//If they have the same hashvalue
if (hashedFilesAtStart[item.Key].Equals(hashedFilesAtEnd[item.Key]))
{
//Add them to a list where these elements have not been hit by ransomware
removeKeyList.Add(item.Key);
}
else
{
//If the path is the same but the hash is different then it has been changed
changedKeyList.Add(item.Key);
}
}
else
{
//If it is in start but not in the end then it has been deleted
inStartDictionary.Add(item.Key);
}
}
//Removing non changed duplicates
for (int i = 0; i < removeKeyList.Count; i++)
{
hashedFilesAtStart.Remove(removeKeyList[i]);
hashedFilesAtEnd.Remove(removeKeyList[i]);
}
//Removes changed files, they are still stored in the list changedKeyList
for (int i = 0; i < changedKeyList.Count; i++)
{
hashedFilesAtStart.Remove(changedKeyList[i]);
hashedFilesAtEnd.Remove(changedKeyList[i]);
}
//Finding files that has been created since start
foreach (var item in hashedFilesAtEnd)
{
//If it is in the end but not the start then it has been created since
if (!hashedFilesAtStart.ContainsKey(item.Key))
{
inEndDictionary.Add(item.Key);
}
}
hashedFilesAtStartKeys = hashedFilesAtStart.Keys;
hashedFilesAtEndKeys = hashedFilesAtEnd.Keys;
//Old part, can create a txt log of what is observed
/*
* string filePath = PATH + "\\RansomwareLog.txt";
* if (!File.Exists(filePath))
* {
* // Create a file to write to.
* using (StreamWriter sw = File.CreateText(filePath))
* {
* sw.WriteLine(NAMEONTEST);
* sw.WriteLine(MONITORSTATUS);
* sw.WriteLine(startTimeStamp.ToString());
* sw.WriteLine(endTimeStamp.ToString());
* sw.WriteLine(amountOfLoops);
* sw.WriteLine(changedKeyList.Count);
* sw.WriteLine(hashedFilesAtStartKeys.Count);
* sw.WriteLine(hashedFilesAtEndKeys.Count);
* sw.WriteLine(fileMonChanges.Count);
* string cpuReturn = returnMonitorListAsString(cpuList);
* string ramReturn = returnMonitorListAsString(ramList);
* string harddiskReturn = returnMonitorListAsString(harddiskList);
* string threadReturn = returnMonitorListAsString(threadList);
* string handleReturn = returnMonitorListAsString(handleList);
*
* string changedFilesReturn = "";
* string deletedFilesReturn = "";
* string newFilesReturn = "";
* string filemonChangesReturn = "";
*
* for (int i = 0; i < changedKeyList.Count; i++)
* {
* changedFilesReturn += changedKeyList[i];
* changedFilesReturn += "?";
* }
* foreach (string s in hashedFilesAtStartKeys)
* {
* deletedFilesReturn += s;
* deletedFilesReturn += "?";
* }
* foreach (string s in hashedFilesAtEndKeys)
* {
* newFilesReturn += s;
* newFilesReturn += "?";
* }
* foreach (var item in fileMonChanges)
* {
* filemonChangesReturn += item.Value + "<>" + item.Key.ToString("dd/MM/yyyy HH:mm:ss.fff");
* filemonChangesReturn += "?";
* }
*
* sw.WriteLine(cpuReturn);
* sw.WriteLine(ramReturn);
* sw.WriteLine(harddiskReturn);
* sw.WriteLine(threadReturn);
* sw.WriteLine(handleReturn);
* sw.WriteLine(changedFilesReturn);
* sw.WriteLine(deletedFilesReturn);
* sw.WriteLine(newFilesReturn);
* sw.WriteLine(filemonChangesReturn);
*
* }
* }*/
return(true);
}
//Posts to the server the results of this baseline
public static async void postBasePosted()
{
//Turns the monitored data into strings
string cpuReturn = returnMonitorListAsString(cpuList);
string ramReturn = returnMonitorListAsString(ramList);
string harddiskReturn = returnMonitorListAsString(harddiskList);
string threadReturn = returnMonitorListAsString(threadList);
string handleReturn = returnMonitorListAsString(handleList);
string changedFilesReturn = "";
string deletedFilesReturn = "";
string newFilesReturn = "";
string filemonChangesReturn = "";
for (int i = 0; i < changedKeyList.Count - 1; i++)
{
changedFilesReturn += changedKeyList[i];
changedFilesReturn += "?";
}
foreach (string s in hashedFilesAtStartKeys)
{
deletedFilesReturn += s;
deletedFilesReturn += "?";
}
foreach (string s in hashedFilesAtEndKeys)
{
newFilesReturn += s;
newFilesReturn += "?";
}
foreach (var item in fileMonChanges)
{
filemonChangesReturn += item.Value + ":" + item.Key.ToString("dd/MM/yyyy HH:mm:ss.fff");
filemonChangesReturn += "?";
}
//Creates the element that is send with JSON
var options = new
{
RansomwareName = NAMEONTEST,
MonitorStatus = "1",
MonitorCount = amountOfLoops.ToString(),
CountChangedFiles = changedKeyList.Count().ToString(),
CountDeletedFiles = hashedFilesAtStartKeys.Count().ToString(),
CountNewFiles = hashedFilesAtEndKeys.Count().ToString(),
CountFilemonObservations = fileMonChanges.Count().ToString(),
CPU = cpuReturn,
RAM = ramReturn,
HDD = harddiskReturn,
ThreadCount = threadReturn,
HandleCount = handleReturn,
ListChangedFiles = changedFilesReturn,
ListDeletedFiles = deletedFilesReturn,
ListNewFiles = newFilesReturn,
ListFilemonObservations = filemonChangesReturn
};
//Converts this into a payload
var stringPayload = JsonConvert.SerializeObject(options);
var content = new StringContent(stringPayload, Encoding.UTF8, "application/json");
//Send to the server
var response = client.PostAsync("http://192.168.8.102/v1/index.php/postbaseposted", content).Result;
var result = await response.Content.ReadAsByteArrayAsync();
//Start the filemon log again, this doesn't have a purpose
FileMon.setStopAddingToLog(false);
}
