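/// <summary>
/// Handles a "changed" file-system event: recomputes the entropy of the changed file and
/// hands the recorded (before) and freshly computed (after) values to <c>entropyHandler</c>.
/// </summary>
/// <param name="e">Event describing the changed file; <see cref="FileSystemEventArgs.FullPath"/> is the lookup key into the saved entropies.</param>
internal static void changeOccured(FileSystemEventArgs e)
{
    // Look at the entropy before and after the change.
    Dictionary<string, double> savedEntropies = ShannonEntropy.getSavedEntropies();
    FileInfo changedFile = new FileInfo(e.FullPath);
    ShannonEntropy entropyCalculator = new ShannonEntropy();
    double changedFileEntropy = entropyCalculator.CalculateEntropy(changedFile);

    Console.WriteLine("File " + e.FullPath + " has been changed to and has now an entropy of " + changedFileEntropy);

    // -1 is the "could not be read" sentinel; the other handlers in this file treat it the same way.
    if (changedFileEntropy == -1)
    {
        return;
    }

    // Single lookup instead of indexer + catch-all. A path that was never recorded falls back
    // to 0.0 exactly as before (presumably making a first-seen file look like a full jump
    // from zero — confirm against entropyHandler).
    double originalFileEntropy;
    if (savedEntropies == null || !savedEntropies.TryGetValue(e.FullPath, out originalFileEntropy))
    {
        originalFileEntropy = 0.0;
    }

    entropyHandler(e, originalFileEntropy, changedFileEntropy);
}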
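/// <summary>
/// Handles a "deleted" file-system event. Every file still present in the same directory whose
/// name contains the deleted file's name is treated as a possible replacement: its entropy is
/// compared with the value recorded for the deleted file. The deleted path is then dropped
/// from the saved entropies.
/// </summary>
/// <param name="e">Event describing the deleted file.</param>
internal static void deletionOccured(FileSystemEventArgs e)
{
    // Without a recorded baseline there is nothing to compare against; the indexer used
    // previously would have thrown KeyNotFoundException here.
    double oldEntropy;
    if (!ShannonEntropy.getSavedEntropies().TryGetValue(e.FullPath, out oldEntropy))
    {
        return;
    }

    string fileName = returnFileName(e.FullPath);
    string directory = returnFilePath(e.FullPath);

    string[] filesInDirectory;
    try
    {
        filesInDirectory = Directory.GetFiles(directory);
    }
    catch (DirectoryNotFoundException)
    {
        // The whole directory is gone (e.g. a recursive delete): nothing is left to compare.
        filesInDirectory = new string[0];
    }

    ShannonEntropy entropyCreator = new ShannonEntropy();
    foreach (string candidate in filesInDirectory)
    {
        // Substring match, as before: catches copies such as "<name>.<newext>", but will also
        // match unrelated files whose path merely contains the deleted name.
        if (candidate.Contains(fileName))
        {
            FileInfo newFileInfo = new FileInfo(candidate);
            double newEntropy = entropyCreator.CalculateEntropy(newFileInfo);
            //TODO react if needed
            entropyHandler(e, oldEntropy, newEntropy);
        }
    }

    ShannonEntropy.removeKeyFromSavedEntropies(e.FullPath);
}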
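/// <summary>
/// Called when a file has been renamed: recomputes the entropy of the file at its new path and,
/// if it rose by more than <c>shannonThreshold</c> compared with the value recorded under the
/// old path, prunes timestamps older than ten minutes from <c>threshold</c> and checks whether
/// more than <c>thresholdNum</c> remain.
/// </summary>
/// <param name="pathOld">Path the file had before the rename; key into <c>entropiesOfFiles</c>.</param>
/// <param name="pathNew">Path the file has now; this is the file that is read.</param>
public static void renameDetectedInFile(string pathOld, string pathNew)
{
    ShannonEntropy tempEntropyCalculator = new ShannonEntropy();
    // What do we do if the file no longer exists? The other handlers in this file treat
    // -1 from CalculateEntropy as "could not be read", so the same early exit is used here.
    FileInfo tempFileInf = new FileInfo(pathNew);
    double changedFileEntropy = tempEntropyCalculator.CalculateEntropy(tempFileInf);
    if (changedFileEntropy == -1)
    {
        return;
    }

    // No baseline was recorded for the old path: nothing to compare against
    // (the indexer would have thrown KeyNotFoundException).
    double previousEntropy;
    if (!entropiesOfFiles.TryGetValue(pathOld, out previousEntropy))
    {
        return;
    }

    if ((changedFileEntropy - previousEntropy) > shannonThreshold)
    {
        // DateTime.Now is kept so the kind matches whatever else populates 'threshold'.
        DateTime now = DateTime.Now;

        // Drop timestamps older than ten minutes. TotalSeconds is required: the Seconds
        // component never exceeds 59, so the original "600 < ...Seconds" could never be true
        // and nothing was ever pruned.
        List<DateTime> expired = new List<DateTime>();
        foreach (DateTime t in threshold)
        {
            if (now.Subtract(t).TotalSeconds > 600)
            {
                expired.Add(t);
            }
        }
        foreach (DateTime t in expired)
        {
            threshold.Remove(t);
        }

        // NOTE(review): nothing in this method appends 'now' to 'threshold'; unless another
        // caller does, the count below cannot grow — confirm.
        if (threshold.Count > thresholdNum)
        {
            //ALERT!
        }
    }
}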
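/// <summary>
/// Handles a "created" file-system event. A created file whose entropy exactly matches an
/// already recorded file is treated as that file having been moved, and the record is re-keyed
/// to the new path. Otherwise the new file is recorded and <c>react</c> is called when its
/// entropy exceeds <c>entropyThreshold</c>.
/// </summary>
/// <param name="e">Event describing the created file.</param>
internal static void creationOccured(FileSystemEventArgs e)
{
    // If a recorded file has the same entropy as this one it has most likely just been moved:
    // walk the recorded entries, compare values, and re-key the match to the new path.
    Dictionary<string, double> savedEntropies = ShannonEntropy.getSavedEntropies();
    FileInfo createdFileInfo = new FileInfo(e.FullPath);
    ShannonEntropy entropyCreator = new ShannonEntropy();
    double createdFileEntropy = entropyCreator.CalculateEntropy(createdFileInfo);

    Console.WriteLine("File " + e.FullPath + " has been created and entropy is now " + createdFileEntropy);

    // -1 is the "could not be read" sentinel, as the other handlers in this file assume.
    if (createdFileEntropy == -1)
    {
        return;
    }

    // Exact double equality is deliberate: identical bytes yield an identical computed value.
    // The last matching entry wins, as before. Caveat: distinct files can share an entropy
    // (two empty files, for instance), so a genuinely new file can be misclassified as a move
    // and the older record dropped.
    string oldFilePath = null;
    foreach (var item in savedEntropies)
    {
        if (item.Value == createdFileEntropy)
        {
            oldFilePath = item.Key;
        }
    }

    if (oldFilePath != null)
    {
        // File has been moved: re-key the record.
        ShannonEntropy.removeKeyFromSavedEntropies(oldFilePath);
        ShannonEntropy.addKeyAndDoubleToSavedEntropies(e.FullPath, createdFileEntropy);
    }
    else
    {
        //TODO find threshold for new files and whether the entropy is too high
        // (The earlier version also removed the empty-string key here, which is never added.)
        ShannonEntropy.addKeyAndDoubleToSavedEntropies(e.FullPath, createdFileEntropy);
        if (createdFileEntropy > entropyThreshold)
        {
            react(e);
        }
    }
}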
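//Event handler if an object is renamed
/// <summary>
/// Moves the recorded entropy of a renamed file from its old path to its new path, but only
/// when the old path lies under one of the monitored PoC user folders.
/// </summary>
/// <param name="source">Event source (unused).</param>
/// <param name="e">Rename event carrying the old and new full paths.</param>
private static void OnRenamed(object source, RenamedEventArgs e)
{
    Console.WriteLine(e.OldFullPath + " is renamed to " + e.FullPath);

    // Windows paths are case-insensitive, so the match is too; a case-sensitive Contains
    // would silently miss e.g. "c:\users\PoC2\...".
    string[] monitoredRoots =
    {
        @"C:\Users\PoC2\Desktop",
        @"C:\Users\PoC2\Documents",
        @"C:\Users\PoC2\Downloads",
        @"C:\Users\PoC2\Videos",
    };
    bool underMonitoredRoot = false;
    foreach (string root in monitoredRoots)
    {
        if (e.OldFullPath.IndexOf(root, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            underMonitoredRoot = true;
            break;
        }
    }
    if (!underMonitoredRoot)
    {
        return;
    }

    // Single lookup instead of ContainsKey followed by the indexer.
    double tempEntropy;
    if (ShannonEntropy.getSavedEntropies().TryGetValue(e.OldFullPath, out tempEntropy))
    {
        ShannonEntropy.removeKeyFromSavedEntropies(e.OldFullPath);
        ShannonEntropy.addKeyAndDoubleToSavedEntropies(e.FullPath, tempEntropy);
    }
}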
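/// <summary>
/// Called when a watched file has changed: recomputes its entropy and, if it rose by more than
/// <c>shannonThreshold</c> compared with the recorded value, prunes timestamps older than ten
/// minutes from <c>threshold</c> and checks whether more than <c>thresholdNum</c> remain.
/// </summary>
/// <param name="path">Full path of the changed file; also the key into <c>entropiesOfFiles</c>.</param>
public static void changeDetectedInFile(string path)
{
    ShannonEntropy tempEntropyCalculator = new ShannonEntropy();
    //TODO what if the file doesn't exists anymore
    FileInfo tempFileInf = new FileInfo(path);
    double changedFileEntropy = tempEntropyCalculator.CalculateEntropy(tempFileInf);

    Console.WriteLine("File " + path + " has been changed to and has now and entropy of " + changedFileEntropy);

    // -1 is the "could not be read" sentinel, as the other handlers in this file assume.
    if (changedFileEntropy == -1)
    {
        return;
    }

    // No baseline was recorded for this path: nothing to compare against
    // (the indexer would have thrown KeyNotFoundException).
    double previousEntropy;
    if (!entropiesOfFiles.TryGetValue(path, out previousEntropy))
    {
        return;
    }

    if ((changedFileEntropy - previousEntropy) > shannonThreshold)
    {
        // DateTime.Now is kept so the kind matches whatever else populates 'threshold'.
        DateTime now = DateTime.Now;

        // Drop timestamps older than ten minutes. TotalSeconds is required: the Seconds
        // component never exceeds 59, so the original "600 < ...Seconds" could never be true
        // and nothing was ever pruned.
        List<DateTime> expired = new List<DateTime>();
        foreach (DateTime t in threshold)
        {
            if (now.Subtract(t).TotalSeconds > 600)
            {
                expired.Add(t);
            }
        }
        foreach (DateTime t in expired)
        {
            threshold.Remove(t);
        }

        // NOTE(review): nothing in this method appends 'now' to 'threshold'; unless another
        // caller does, the count below cannot grow — confirm.
        if (threshold.Count > thresholdNum)
        {
            //ALERT!
        }
    }
}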
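/// <summary>
/// Takes the entropy of every file in each of the four monitored directories and collects
/// them into the single <c>entropiesOfFiles</c> map, keyed by file path.
/// </summary>
public static void entropyCollector()
{
    string[] monitoredPaths = { path1, path2, path3, path4 };
    foreach (string monitoredPath in monitoredPaths)
    {
        // A fresh calculator per directory, as before, in case the instance keeps state.
        ShannonEntropy tempEntropyCalculator = new ShannonEntropy();
        foreach (var entry in tempEntropyCalculator.getEntropyOfAllFilesInPath(monitoredPath))
        {
            // Indexer assignment instead of Add: if two of the directories overlap (or a path
            // is listed twice) Add throws ArgumentException on the duplicate key and aborts
            // the whole collection; the later value simply wins here.
            entropiesOfFiles[entry.Key] = entry.Value;
        }
    }
    //TODO DOWNLOAD RANSOMWARE IF THE LOGGER IS READY AS WELL
}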
/// <summary>
/// Runs the entropy-based file-monitor detection: asks <c>Logger</c> to fetch the PoC sample and
/// waits until it reports fetched, pushes the configuration into the collaborating classes,
/// computes a baseline entropy for every file under the four monitored paths, starts the ProcMon
/// backing-file thread, starts the logger and posts the test/posted markers, then sleeps 30 s.
/// </summary>
public static void shannonEntropyFileMonDetection()
{
    Logger.getPoCRansomware();
    Thread.Sleep(1000);
    Logger.postPoCFetched();
    // NOTE(review): no timeout — if the fetch never completes this loop polls forever; confirm that is intended.
    while (!Logger.getHasFetched())
    {
        Thread.Sleep(500);
    }
    // Push thresholds, paths and tool locations into the helper classes before anything is watched.
    Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);
    ActionTaker.setBackingName(BACKINGNAME);
    ActionTaker.setPathToBackingFile(pathToBackingFile);
    ProcMon.setPathToProcMon(ProcMonPath);
    FilemonEventHandler.setEntropyThreshold(entropyThreshold);
    FilemonEventHandler.setThresholdToReaction(thresholdToReaction);
    FilemonEventHandler.setSecondsInThreshold(secondsInThreshold);
    Logger.setPath1(path1);
    Logger.setPath2(path2);
    Logger.setPath3(path3);
    Logger.setPath4(path4);
    Logger.setPathFileWatch(PATH);
    //Find entropy of all files
    // The return values are discarded and the saved map is read right below, so each call is
    // presumed to record into ShannonEntropy's static saved-entropies store — confirm.
    ShannonEntropy temp1 = new ShannonEntropy();
    temp1.getEntropyOfAllFilesInPath(path1);
    ShannonEntropy temp2 = new ShannonEntropy();
    temp2.getEntropyOfAllFilesInPath(path2);
    ShannonEntropy temp3 = new ShannonEntropy();
    temp3.getEntropyOfAllFilesInPath(path3);
    ShannonEntropy temp4 = new ShannonEntropy();
    temp4.getEntropyOfAllFilesInPath(path4);
    // Dump the baseline to the console for inspection.
    Dictionary <string, double> test = ShannonEntropy.getSavedEntropies();
    foreach (var item in test)
    {
        Console.WriteLine(item.Key + " - " + item.Value);
    }
    //Start procmon
    // Appends 0 to the backing name (string concatenation if BACKINGNAME is a string — verify its type).
    BACKINGNAME = BACKINGNAME + 0;
    // The backing-file thread is never joined; it is left running when this method returns.
    var t = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME));
    t.Start();
    //Start filemon
    //When filemon sees a reaction it posts to filemoneventhandler
    //Filemoneventhandler then deems if it is nessesary to take action, using actiontaker
    Console.WriteLine(Logger.getNAMEONTEST());
    //Start logger
    //TODO fix call to server such that it is not honeypotpoc that is called
    Logger.LogWriter(PATH);
    Logger.postPoCTested();
    Logger.postPoCPosted();
    // Fixed 30 s grace period before returning; nothing here waits on the thread or the watcher.
    Thread.Sleep(30000);
}