/// <summary> /// Begin a scan /// </summary> /// <param name="targ">Target to scan</param> /// <param name="reload">If rules should be reloaded</param> public void StartDetectItEasyScan(BinaryTarget targ, bool reload = false) { targ.ClearSignatureHits(CONSTANTS.eSignatureType.DIE); if (rgatState.ConnectedToRemote && rgatState.NetworkBridge.GUIMode) { JObject cmdparams = new JObject(); cmdparams.Add("Type", "DIE"); cmdparams.Add("TargetSHA1", targ.GetSHA1Hash()); cmdparams.Add("Reload", reload); rgatState.NetworkBridge.SendCommand("StartSigScan", null, null, cmdparams); return; } if (reload) { string scriptsPath = GetScriptsPath(GlobalConfig.GetSettingPath(CONSTANTS.PathKey.DiESigsDirectory)); dielib.ReloadScriptDatabase(scriptsPath, out string?error); if (error is not null) { Logging.RecordError($"Error loading database: {error}"); } } if (!dielib.DatabaseLoaded) { return; } if (!File.Exists(targ.FilePath)) { return; } ulong handle = 0; lock (scansLock) { handle = dielib.CreateScanHandle(); if (DIEScanHandles.ContainsKey(targ)) { DIEScanHandles[targ] = handle; } else { DIEScanHandles.Add(targ, handle); } } List <object> args = new List <object>() { dielib, targ, handle }; Thread DIEThread = new Thread(new ParameterizedThreadStart(DetectItScanThread)); DIEThread.Name = "DetectItEasy_" + targ.FileName; DIEThread.Start(args); }
/// <summary> /// Set the status of a remote yara scan /// </summary> /// <param name="target"></param> /// <param name="loadedRules"></param> /// <param name="status"></param> public void SetRemoteStatus(BinaryTarget target, uint loadedRules, eYaraScanProgress status) { lock (_scanLock) { targetScanProgress[target] = status; _remoteLoadedRules = loadedRules; } }
/// <summary> /// Get the progress of a YARA scan /// </summary> /// <param name="target">The target being scanned</param> /// <returns>a eYaraScanProgress value</returns> public eYaraScanProgress Progress(BinaryTarget target) { lock (_scanLock) { if (targetScanProgress.TryGetValue(target, out eYaraScanProgress result)) { return(result); } } return(eYaraScanProgress.eNotStarted); }
/// <summary> /// Create a basic block processing worker /// </summary> /// <param name="binaryTarg">Binary target associated with the trace</param> /// <param name="runrecord">TraceRecord associated with the trace</param> /// <param name="remotePipeID">ID of the pipe receiving basic block data</param> public BlockHandlerThread(BinaryTarget binaryTarg, TraceRecord runrecord, uint?remotePipeID = null) { target = binaryTarg; trace = runrecord; bitWidth = target.BitWidth; _remotePipeID = remotePipeID; //todo don't create in headless mode X86DisassembleMode disasMode = (bitWidth == 32) ? X86DisassembleMode.Bit32 : X86DisassembleMode.Bit64; disassembler = CapstoneDisassembler.CreateX86Disassembler(disasMode); }
private void YARATargetScanThread(object?argslist) { List <object> args = (List <object>)argslist !; BinaryTarget targ = (BinaryTarget)args[0]; try { Inner(targ); } catch (Exception e) { Logging.RecordException($"Yara Target scan thread error: {e.Message}", e); } }
public static void StartRemoteTrace(BinaryTarget target, ProcessLaunchSettings settings, long testID = -1) { if (!target.RemoteAccessible) { Logging.RecordLogEvent($"Could not trace {target.FilePath} on non-connected host {target.RemoteHost}", Logging.LogFilterType.Alert); return; } JObject startParamObj = new JObject(); if (testID != -1) { startParamObj.Add("TestID", testID); } startParamObj.Add("Settings", JObject.FromObject(settings)); rgatState.NetworkBridge.SendCommand("StartTrace", null, null, startParamObj); }
/// <summary> /// Begin tracing a binary in command line mode /// </summary> /// <param name="targetPath">Binary to trace</param> /// <param name="saveDirectory">Where to save the result</param> /// <param name="recordVideo">If a video is being recorded</param> public static void TraceBinary(string targetPath, string?saveDirectory = null, bool recordVideo = false) { Logging.WriteConsole($"Command line mode tracing binary {targetPath}"); BinaryTarget target = new BinaryTarget(targetPath); if (!GlobalConfig.Settings.GetPreviousLaunchSettings(target.GetSHA1Hash(), out ProcessLaunchSettings? settings) || settings is null) { settings = new ProcessLaunchSettings(targetPath); settings.TraceChoices.InitDefaultExclusions(); } ProcessLaunching.StartLocalTrace(target.BitWidth, settings, target.PEFileObj); while (true) { Thread.Sleep(1000); var targets = rgatState.targets.GetBinaryTargets(); int traces = 0, running = 0; foreach (var previousTarget in targets) { foreach (var previousTrace in previousTarget.GetTracesList()) { traces += 1; if (previousTrace.IsRunning) { running += 1; } } } Logging.WriteConsole($"{running}/{traces} traces running accross {targets.Count} targets"); if (traces > 0 && running == 0) //also wait for keypress { Logging.WriteConsole("All traces done. Saving and exiting."); rgatState.SaveAllTargets(); rgatState.Shutdown(); break; } } }
/// <summary> /// Scan a target binary file /// </summary> /// <param name="targ">File path</param> /// <param name="reload">reload the signatures first</param> public void StartYARATargetScan(BinaryTarget targ, bool reload = false) { targ.ClearSignatureHits(CONSTANTS.eSignatureType.YARA); if (rgatState.ConnectedToRemote && rgatState.NetworkBridge.GUIMode) { JObject cmdparams = new JObject(); cmdparams.Add("Type", "YARA"); cmdparams.Add("Reload", reload); cmdparams.Add("TargetSHA1", targ.GetSHA1Hash()); rgatState.NetworkBridge.SendCommand("StartSigScan", null, null, cmdparams); return; } try { if (reload) { RefreshRules(GlobalConfig.GetSettingPath(CONSTANTS.PathKey.YaraRulesDirectory), forceRecompile: true); } if (!File.Exists(targ.FilePath)) { return; } List <object> args = new List <object>() { targ }; Thread YaraThread = new Thread(new ParameterizedThreadStart(YARATargetScanThread)); YaraThread.Name = "YARA_F_" + targ.FileName; YaraThread.Start(args); } catch (Exception e) { Logging.RecordException($"Error starting YARA scan: {e.Message}", e); } }
/// <summary> /// A DIE scan thread /// </summary> /// <param name="argslist">scanner, target args object</param> private void DetectItScanThread(object?argslist) { if (argslist is null) { return; } List <object> args = (List <object>)argslist; DiELibDotNet.DieLib scanner = (DiELibDotNet.DieLib)args[0]; BinaryTarget targ = (BinaryTarget)args[1]; if (!scanner.DatabaseLoaded) { return; } ulong handle = (ulong)args[2]; string result; try { DiELibDotNet.DieScript.SCAN_OPTIONS options = new DiELibDotNet.DieScript.SCAN_OPTIONS(); options.showOptions = true; options.showVersion = true; options.showType = true; options.deepScan = false; //very slow while (true) { if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false) { DieScript.SCANPROGRESS?progress = dielib.QueryProgress(handle); JObject statusObj = new JObject { { "TargetSHA1", targ.GetSHA1Hash() }, { "Type", "DIE" },
int Inner(BinaryTarget targ) { try { lock (_scanLock) { if (LoadedRuleCount() == 0) { if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false) { JObject statusObj = new JObject { { "TargetSHA1", targ.GetSHA1Hash() }, { "Type", "YARA" }, { "Loaded", 0 }, { "State", eYaraScanProgress.eNotStarted.ToString() } }; rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj); } return(0); } byte[] fileContentsBuf; try { if (targ.PEFileObj is not null) { fileContentsBuf = targ.PEFileObj.RawFile.ToArray(); } else { fileContentsBuf = File.ReadAllBytes(targ.FilePath); } } catch (Exception e) { Logging.RecordException($"Failed to get file bytes to YARA scan: {e.Message}", e); return(0); } if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false) { JObject statusObj = new JObject { { "TargetSHA1", targ.GetSHA1Hash() }, { "Type", "YARA" }, { "Loaded", LoadedRuleCount() }, { "State", eYaraScanProgress.eRunning.ToString() } }; rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj); } targetScanProgress[targ] = eYaraScanProgress.eRunning; // Initialize the scanner var scanner = new dnYara.CustomScanner(loadedRules); ExternalVariables externalVariables = new ExternalVariables(); externalVariables.StringVariables.Add("filename", targ.FileName); try { //bugs here tend to happen in unmanaged code, so this try-catch is unlikely to help List <ScanResult> scanResults = scanner.ScanMemory(ref fileContentsBuf, externalVariables); foreach (ScanResult sighit in scanResults) { targ.AddYaraSignatureHit(sighit); } } catch (Exception e) { Logging.RecordException($"Yara ScanMemory exception: {e.Message}", e); } finally { scanner.Release(); } if (rgatState.NetworkBridge.Connected && rgatState.NetworkBridge.GUIMode is false) { JObject statusObj = new JObject { { "TargetSHA1", targ.GetSHA1Hash() }, { "Type", "YARA" }, { "Loaded", LoadedRuleCount() }, { "State", eYaraScanProgress.eComplete.ToString() } }; rgatState.NetworkBridge.SendAsyncData("SigStatus", statusObj); } } } catch (dnYara.Exceptions.YaraException e) { Logging.RecordException("YARA Scan failed with exeption: " + e.Message, e); targetScanProgress[targ] = eYaraScanProgress.eFailed; } catch (Exception e) { Logging.RecordException("YARA Scan failed with exeption: " + e.Message, e); targetScanProgress[targ] = eYaraScanProgress.eFailed; } targetScanProgress[targ] = eYaraScanProgress.eComplete; return(0); }
public static Target FromBinary(byte[] bytes, int start, int len) { BinaryTarget bt = new BinaryTarget(bytes, start, len); return(bt.ToTarget()); }
public static Target FromBinary(byte[] bytes) { BinaryTarget bt = new BinaryTarget(bytes); return(bt.ToTarget()); }
public byte[] ToBinary() { BinaryTarget bt = new BinaryTarget(this); return(bt.ToArray()); }