//static string path1 = @"C:\Users\viruseater1\Documents"; //static string path2 = @"C:\Users\viruseater1\Desktop"; //static string path3 = @"C:\Users\viruseater1\Downloads"; //static string path4 = @"C:\Users\viruseater1\Videos"; public static Boolean LogWriter(string PATH) { //Sets what aspects are to be monitored cpuUsageCounter = new PerformanceCounter("Processor", "% Processor Time", "_Total"); ramUsageCounter = new PerformanceCounter("Memory", "Available MBytes"); harddiskUsageCounter = new PerformanceCounter("PhysicalDisk", "% Disk Time", "_Total"); threadCounter = new PerformanceCounter("Process", "Thread Count", "_Total"); handleCounter = new PerformanceCounter("Process", "Handle Count", "_Total"); //Create the dictionaries for the hashed files for each path Dictionary <string, string> hashedFilesAtStart = new Dictionary <string, string>(); hashedFilesAtStart = testParseTXTfile(hashedFilePath); programExecuter.executeProgram(ransomwareDownloaderPath); postBaseTaken(); //Adds the hashed files to a single list //Starts the filewatcher var fw = new Thread(() => FileMon.CreateFileWatcher(pathFileWatch)); fw.Start(); //Find the start timestamp DateTime startTimeStamp = DateTime.Now; amountOfLoops = 0; //Loops in an interval given by MINUTESOFLOGGING TimeSpan span = DateTime.Now.Subtract(startTimeStamp); Console.WriteLine("Starting loop"); while (span.Minutes < MINUTESOFLOGGING) { amountOfLoops++; cpuList.Add(getCurrentCpuUsage()); ramList.Add(getAvailableRAM()); harddiskList.Add(getHarddiskUsage()); threadList.Add(getThreadCount()); handleList.Add(getHandleCount()); Thread.Sleep(INTERVALFORLOOP); span = DateTime.Now.Subtract(startTimeStamp); } Console.WriteLine("Ending loop \n starting process to post"); //Stops the filemon log such that there aren't written to it during iteration FileMon.setStopAddingToLog(true); fileMonChanges = FileMon.getFilemonChanges(); FileMon.setWatcherToStop(); //Creates the dictionaries for the hashed files at the end Dictionary <string, string> hashedFilesAtEnd = new Dictionary <string, string>(); Dictionary <string, string> hashedFilesAtEndtemp1 = new Dictionary <string, string>(); Dictionary <string, string> hashedFilesAtEndtemp2 = new Dictionary <string, string>(); Dictionary <string, string> hashedFilesAtEndtemp3 = new Dictionary <string, string>(); Dictionary <string, string> hashedFilesAtEndtemp4 = new Dictionary <string, string>(); //Hashes the files and adds them to the dictionaries Hasher tempEndHasher1 = new Hasher(); hashedFilesAtEndtemp1 = tempEndHasher1.fileHasher(path1); Hasher tempEndHasher2 = new Hasher(); hashedFilesAtEndtemp2 = tempEndHasher2.fileHasher(path2); Hasher tempEndHasher3 = new Hasher(); hashedFilesAtEndtemp3 = tempEndHasher3.fileHasher(path3); Hasher tempEndHasher4 = new Hasher(); hashedFilesAtEndtemp4 = tempEndHasher4.fileHasher(path4); //Adds all dictonaries to a single one. hashedFilesAtEndtemp1.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value)); hashedFilesAtEndtemp2.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value)); hashedFilesAtEndtemp3.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value)); hashedFilesAtEndtemp4.ToList().ForEach(x => hashedFilesAtEnd.Add(x.Key, x.Value)); //Find the end timestamp DateTime endTimeStamp = DateTime.Now; //Figure out what has changed. removeKeyList = new List <string>(); changedKeyList = new List <string>(); inStartDictionary = new List <string>(); inEndDictionary = new List <string>(); foreach (var item in hashedFilesAtStart) { //If the hashed files at start and hashed files at end is of the same path if (hashedFilesAtEnd.ContainsKey(item.Key)) { //If they have the same hashvalue if (hashedFilesAtStart[item.Key].Equals(hashedFilesAtEnd[item.Key])) { //Add them to a list where these elements have not been hit by ransomware removeKeyList.Add(item.Key); } else { //If the path is the same but the hash is different then it has been changed changedKeyList.Add(item.Key); } } else { //If it is in start but not in the end then it has been deleted inStartDictionary.Add(item.Key); } } //Removing non changed duplicates for (int i = 0; i < removeKeyList.Count; i++) { hashedFilesAtStart.Remove(removeKeyList[i]); hashedFilesAtEnd.Remove(removeKeyList[i]); } //Removes changed files, they are still stored in the list changedKeyList for (int i = 0; i < changedKeyList.Count; i++) { hashedFilesAtStart.Remove(changedKeyList[i]); hashedFilesAtEnd.Remove(changedKeyList[i]); } //Finding files that has been created since start foreach (var item in hashedFilesAtEnd) { //If it is in the end but not the start then it has been created since if (!hashedFilesAtStart.ContainsKey(item.Key)) { inEndDictionary.Add(item.Key); } } hashedFilesAtStartKeys = hashedFilesAtStart.Keys; hashedFilesAtEndKeys = hashedFilesAtEnd.Keys; //Old part, can create a txt log of what is observed /* * string filePath = PATH + "\\RansomwareLog.txt"; * if (!File.Exists(filePath)) * { * // Create a file to write to. * using (StreamWriter sw = File.CreateText(filePath)) * { * sw.WriteLine(NAMEONTEST); * sw.WriteLine(MONITORSTATUS); * sw.WriteLine(startTimeStamp.ToString()); * sw.WriteLine(endTimeStamp.ToString()); * sw.WriteLine(amountOfLoops); * sw.WriteLine(changedKeyList.Count); * sw.WriteLine(hashedFilesAtStartKeys.Count); * sw.WriteLine(hashedFilesAtEndKeys.Count); * sw.WriteLine(fileMonChanges.Count); * string cpuReturn = returnMonitorListAsString(cpuList); * string ramReturn = returnMonitorListAsString(ramList); * string harddiskReturn = returnMonitorListAsString(harddiskList); * string threadReturn = returnMonitorListAsString(threadList); * string handleReturn = returnMonitorListAsString(handleList); * * string changedFilesReturn = ""; * string deletedFilesReturn = ""; * string newFilesReturn = ""; * string filemonChangesReturn = ""; * * for (int i = 0; i < changedKeyList.Count; i++) * { * changedFilesReturn += changedKeyList[i]; * changedFilesReturn += "?"; * } * foreach (string s in hashedFilesAtStartKeys) * { * deletedFilesReturn += s; * deletedFilesReturn += "?"; * } * foreach (string s in hashedFilesAtEndKeys) * { * newFilesReturn += s; * newFilesReturn += "?"; * } * foreach (var item in fileMonChanges) * { * filemonChangesReturn += item.Value + "<>" + item.Key.ToString("dd/MM/yyyy HH:mm:ss.fff"); * filemonChangesReturn += "?"; * } * * sw.WriteLine(cpuReturn); * sw.WriteLine(ramReturn); * sw.WriteLine(harddiskReturn); * sw.WriteLine(threadReturn); * sw.WriteLine(handleReturn); * sw.WriteLine(changedFilesReturn); * sw.WriteLine(deletedFilesReturn); * sw.WriteLine(newFilesReturn); * sw.WriteLine(filemonChangesReturn); * * } * }*/ return(true); }
//Posts to the server the results of this baseline public static async void postBasePosted() { //Turns the monitored data into strings string cpuReturn = returnMonitorListAsString(cpuList); string ramReturn = returnMonitorListAsString(ramList); string harddiskReturn = returnMonitorListAsString(harddiskList); string threadReturn = returnMonitorListAsString(threadList); string handleReturn = returnMonitorListAsString(handleList); string changedFilesReturn = ""; string deletedFilesReturn = ""; string newFilesReturn = ""; string filemonChangesReturn = ""; for (int i = 0; i < changedKeyList.Count - 1; i++) { changedFilesReturn += changedKeyList[i]; changedFilesReturn += "?"; } foreach (string s in hashedFilesAtStartKeys) { deletedFilesReturn += s; deletedFilesReturn += "?"; } foreach (string s in hashedFilesAtEndKeys) { newFilesReturn += s; newFilesReturn += "?"; } foreach (var item in fileMonChanges) { filemonChangesReturn += item.Value + ":" + item.Key.ToString("dd/MM/yyyy HH:mm:ss.fff"); filemonChangesReturn += "?"; } //Creates the element that is send with JSON var options = new { RansomwareName = NAMEONTEST, MonitorStatus = "1", MonitorCount = amountOfLoops.ToString(), CountChangedFiles = changedKeyList.Count().ToString(), CountDeletedFiles = hashedFilesAtStartKeys.Count().ToString(), CountNewFiles = hashedFilesAtEndKeys.Count().ToString(), CountFilemonObservations = fileMonChanges.Count().ToString(), CPU = cpuReturn, RAM = ramReturn, HDD = harddiskReturn, ThreadCount = threadReturn, HandleCount = handleReturn, ListChangedFiles = changedFilesReturn, ListDeletedFiles = deletedFilesReturn, ListNewFiles = newFilesReturn, ListFilemonObservations = filemonChangesReturn }; //Converts this into a payload var stringPayload = JsonConvert.SerializeObject(options); var content = new StringContent(stringPayload, Encoding.UTF8, "application/json"); //Send to the server var response = client.PostAsync("http://192.168.8.102/v1/index.php/postbaseposted", content).Result; var result = await response.Content.ReadAsByteArrayAsync(); //Start the filemon log again, this doesn't have a purpose FileMon.setStopAddingToLog(false); }