/// <summary>
/// Begin a scan
/// </summary>
/// <param name="targ">Target to scan</param>
/// <param name="reload">If rules should be reloaded</param>
public void StartDetectItEasyScan(BinaryTarget targ, bool reload = false)
{
targ.ClearSignatureHits(CONSTANTS.eSignatureType.DIE);
if (rgatState.ConnectedToRemote && rgatState.NetworkBridge.GUIMode)
{
JObject cmdparams = new JObject();
cmdparams.Add("Type", "DIE");
cmdparams.Add("TargetSHA1", targ.GetSHA1Hash());
cmdparams.Add("Reload", reload);
rgatState.NetworkBridge.SendCommand("StartSigScan", null, null, cmdparams);
return;
}
if (reload)
{
string scriptsPath = GetScriptsPath(GlobalConfig.GetSettingPath(CONSTANTS.PathKey.DiESigsDirectory));
dielib.ReloadScriptDatabase(scriptsPath, out string?error);
if (error is not null)
{
Logging.RecordError($"Error loading database: {error}");
}
}
if (!dielib.DatabaseLoaded)
{
return;
}
if (!File.Exists(targ.FilePath))
{
return;
}
ulong handle = 0;
lock (scansLock)
{
handle = dielib.CreateScanHandle();
if (DIEScanHandles.ContainsKey(targ))
{
DIEScanHandles[targ] = handle;
}
else
{
DIEScanHandles.Add(targ, handle);
}
}
List <object> args = new List <object>()
{
dielib, targ, handle
};
Thread DIEThread = new Thread(new ParameterizedThreadStart(DetectItScanThread));
DIEThread.Name = "DetectItEasy_" + targ.FileName;
DIEThread.Start(args);
}
/// <summary>
/// Set the status of a remote yara scan
/// </summary>
/// <param name="target"></param>
/// <param name="loadedRules"></param>
/// <param name="status"></param>
public void SetRemoteStatus(BinaryTarget target, uint loadedRules, eYaraScanProgress status)
{
lock (_scanLock)
{
targetScanProgress[target] = status;
_remoteLoadedRules = loadedRules;
}
}
/// <summary>
/// Get the progress of a YARA scan
/// </summary>
/// <param name="target">The target being scanned</param>
/// <returns>a eYaraScanProgress value</returns>
public eYaraScanProgress Progress(BinaryTarget target)
{
lock (_scanLock)
{
if (targetScanProgress.TryGetValue(target, out eYaraScanProgress result))
{
return(result);
}
}
return(eYaraScanProgress.eNotStarted);
}
/// <summary>
/// Create a basic block processing worker
/// </summary>
/// <param name="binaryTarg">Binary target associated with the trace</param>
/// <param name="runrecord">TraceRecord associated with the trace</param>
/// <param name="remotePipeID">ID of the pipe receiving basic block data</param>
public BlockHandlerThread(BinaryTarget binaryTarg, TraceRecord runrecord, uint?remotePipeID = null)
{
target = binaryTarg;
trace = runrecord;
bitWidth = target.BitWidth;
_remotePipeID = remotePipeID;
//todo don't create in headless mode
X86DisassembleMode disasMode = (bitWidth == 32) ? X86DisassembleMode.Bit32 : X86DisassembleMode.Bit64;
disassembler = CapstoneDisassembler.CreateX86Disassembler(disasMode);
}
private void YARATargetScanThread(object?argslist)
{
List <object> args = (List <object>)argslist !;
BinaryTarget targ = (BinaryTarget)args[0];
try
{
Inner(targ);
}
catch (Exception e)
{
Logging.RecordException($"Yara Target scan thread error: {e.Message}", e);
}
}
public static void StartRemoteTrace(BinaryTarget target, ProcessLaunchSettings settings, long testID = -1)
{
if (!target.RemoteAccessible)
{
Logging.RecordLogEvent($"Could not trace {target.FilePath} on non-connected host {target.RemoteHost}", Logging.LogFilterType.Alert);
return;
}
JObject startParamObj = new JObject();
if (testID != -1)
{
startParamObj.Add("TestID", testID);
}
startParamObj.Add("Settings", JObject.FromObject(settings));
rgatState.NetworkBridge.SendCommand("StartTrace", null, null, startParamObj);
}
/// <summary>
/// Begin tracing a binary in command line mode
/// </summary>
/// <param name="targetPath">Binary to trace</param>
/// <param name="saveDirectory">Where to save the result</param>
/// <param name="recordVideo">If a video is being recorded</param>
public static void TraceBinary(string targetPath, string?saveDirectory = null, bool recordVideo = false)
{
Logging.WriteConsole($"Command line mode tracing binary {targetPath}");
BinaryTarget target = new BinaryTarget(targetPath);
if (!GlobalConfig.Settings.GetPreviousLaunchSettings(target.GetSHA1Hash(), out ProcessLaunchSettings? settings) || settings is null)
{
settings = new ProcessLaunchSettings(targetPath);
settings.TraceChoices.InitDefaultExclusions();
}
ProcessLaunching.StartLocalTrace(target.BitWidth, settings, target.PEFileObj);
while (true)
{
Thread.Sleep(1000);
var targets = rgatState.targets.GetBinaryTargets();
int traces = 0, running = 0;
foreach (var previousTarget in targets)
{
foreach (var previousTrace in previousTarget.GetTracesList())
{
traces += 1;
if (previousTrace.IsRunning)
{
running += 1;
}
}
}
Logging.WriteConsole($"{running}/{traces} traces running accross {targets.Count} targets");
if (traces > 0 && running == 0) //also wait for keypress
{
Logging.WriteConsole("All traces done. Saving and exiting.");
rgatState.SaveAllTargets();
rgatState.Shutdown();
break;
}
}
}
/// <summary>
/// Scan a target binary file
/// </summary>
/// <param name="targ">File path</param>
/// <param name="reload">reload the signatures first</param>
public void StartYARATargetScan(BinaryTarget targ, bool reload = false)
{
targ.ClearSignatureHits(CONSTANTS.eSignatureType.YARA);
if (rgatState.ConnectedToRemote && rgatState.NetworkBridge.GUIMode)
{
JObject cmdparams = new JObject();
cmdparams.Add("Type", "YARA");
cmdparams.Add("Reload", reload);
cmdparams.Add("TargetSHA1", targ.GetSHA1Hash());
rgatState.NetworkBridge.SendCommand("StartSigScan", null, null, cmdparams);
return;
}
try
{
if (reload)
{
RefreshRules(GlobalConfig.GetSettingPath(CONSTANTS.PathKey.YaraRulesDirectory), forceRecompile: true);
}
if (!File.Exists(targ.FilePath))
{
return;
}
List <object> args = new List <object>()
{
targ
};
Thread YaraThread = new Thread(new ParameterizedThreadStart(YARATargetScanThread));
YaraThread.Name = "YARA_F_" + targ.FileName;
YaraThread.Start(args);
}
catch (Exception e)
{
Logging.RecordException($"Error starting YARA scan: {e.Message}", e);
}
}
/// <summary>
/// A DIE scan thread
/// </summary>
/// <param name="argslist">scanner, target args object</param>
private void DetectItScanThread(object?argslist)
{
if (argslist is null)
{
return;
}
List <object> args = (List <object>)argslist;
DiELibDotNet.DieLib scanner = (DiELibDotNet.DieLib)args[0];
BinaryTarget targ = (BinaryTarget)args[1];
if (!scanner.DatabaseLoaded)
{
return;
}
ulong handle = (ulong)args[2];
string result;
try
{
DiELibDotNet.DieScript.SCAN_OPTIONS options = new DiELibDotNet.DieScript.SCAN_OPTIONS();
options.showOptions = true;
options.showVersion = true;
options.showType = true;
options.deepScan = false; //very slow
while (true)
{
if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false)
{
DieScript.SCANPROGRESS?progress = dielib.QueryProgress(handle);
JObject statusObj = new JObject {
{ "TargetSHA1", targ.GetSHA1Hash() },
{ "Type", "DIE" },
int Inner(BinaryTarget targ)
{
try
{
lock (_scanLock)
{
if (LoadedRuleCount() == 0)
{
if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false)
{
JObject statusObj = new JObject {
{ "TargetSHA1", targ.GetSHA1Hash() },
{ "Type", "YARA" },
{ "Loaded", 0 },
{ "State", eYaraScanProgress.eNotStarted.ToString() }
};
rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj);
}
return(0);
}
byte[] fileContentsBuf;
try
{
if (targ.PEFileObj is not null)
{
fileContentsBuf = targ.PEFileObj.RawFile.ToArray();
}
else
{
fileContentsBuf = File.ReadAllBytes(targ.FilePath);
}
}
catch (Exception e)
{
Logging.RecordException($"Failed to get file bytes to YARA scan: {e.Message}", e);
return(0);
}
if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false)
{
JObject statusObj = new JObject {
{ "TargetSHA1", targ.GetSHA1Hash() },
{ "Type", "YARA" },
{ "Loaded", LoadedRuleCount() },
{ "State", eYaraScanProgress.eRunning.ToString() }
};
rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj);
}
targetScanProgress[targ] = eYaraScanProgress.eRunning;
// Initialize the scanner
var scanner = new dnYara.CustomScanner(loadedRules);
ExternalVariables externalVariables = new ExternalVariables();
externalVariables.StringVariables.Add("filename", targ.FileName);
try
{
//bugs here tend to happen in unmanaged code, so this try-catch is unlikely to help
List <ScanResult> scanResults = scanner.ScanMemory(ref fileContentsBuf, externalVariables);
foreach (ScanResult sighit in scanResults)
{
targ.AddYaraSignatureHit(sighit);
}
}
catch (Exception e)
{
Logging.RecordException($"Yara ScanMemory exception: {e.Message}", e);
}
finally
{
scanner.Release();
}
if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false)
{
JObject statusObj = new JObject {
{ "TargetSHA1", targ.GetSHA1Hash() },
{ "Type", "YARA" },
{ "Loaded", LoadedRuleCount() },
{ "State", eYaraScanProgress.eComplete.ToString() }
};
rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj);
}
}
}
catch (dnYara.Exceptions.YaraException e)
{
Logging.RecordException("YARA Scan failed with exeption: " + e.Message, e);
targetScanProgress[targ] = eYaraScanProgress.eFailed;
}
catch (Exception e)
{
Logging.RecordException("YARA Scan failed with exeption: " + e.Message, e);
targetScanProgress[targ] = eYaraScanProgress.eFailed;
}
targetScanProgress[targ] = eYaraScanProgress.eComplete;
return(0);
}
public static Target FromBinary(byte[] bytes, int start, int len)
{
BinaryTarget bt = new BinaryTarget(bytes, start, len);
return(bt.ToTarget());
}
public static Target FromBinary(byte[] bytes)
{
BinaryTarget bt = new BinaryTarget(bytes);
return(bt.ToTarget());
}
public byte[] ToBinary()
{
BinaryTarget bt = new BinaryTarget(this);
return(bt.ToArray());
}
