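/// <summary>
/// Scans one file on disk and runs every applicable detection process against it.
/// The file is first opened as a .NET module; if that fails it is treated as a native
/// PE image and only the PE-level detections are run.
/// </summary>
/// <param name="file">Path of the file to scan. This is untrusted input: all parsing is
/// delegated to the dnlib loaders and any load failure is treated as "not a managed assembly".</param>
/// <param name="detectionCount">Receives the sum of the counts returned by each detection
/// process, or 0 when the file could not be opened as either a managed or a native image.</param>
/// <returns>The detections collected on the shared <see cref="AssemblySettings"/> instance, or an
/// empty list when the file could not be loaded at all.</returns>
public static List<Detection> Scan(string file, out int detectionCount)
{
    AssemblySettings asmSettings = new AssemblySettings();
    bool isNet = true;

    // Any load failure (bad image, non-.NET PE, I/O error) demotes the file to the native
    // path; if the file is genuinely unusable the native loader below reports the real error.
    try
    {
        asmSettings.Module = ModuleDefMD.Load(file);
    }
    catch (Exception)
    {
        isNet = false;
    }

    if (!isNet)
    {
        try
        {
            asmSettings.NativeImage = new PEImage(file);
        }
        catch (Exception ex)
        {
            // Cannot continue execution: neither a managed nor a readable native image.
            // The diagnostic goes to stderr so it does not get mixed into scan output on stdout;
            // the ReadLine keeps the message visible in an interactive console (presumably the
            // tool's intended front end) before the empty result is returned.
            Console.Error.WriteLine(ex);
            Console.ReadLine();
            detectionCount = 0;
            return new List<Detection>();
        }
    }
    else
    {
        // dnlib exposes the backing image through an interface; the PE-level detections need
        // the concrete PEImage, so fail cleanly instead of handing them a null reference.
        asmSettings.NativeImage = asmSettings.Module.MetaData.PEImage as PEImage;
        if (asmSettings.NativeImage == null)
        {
            Console.Error.WriteLine("Unable to obtain the PE image backing the managed module: " + file);
            detectionCount = 0;
            return new List<Detection>();
        }
    }

    List<IDetectionProcess> processes = new List<IDetectionProcess>();
    if (isNet)
    {
        // Metadata-driven detections only make sense for managed modules.
        processes.Add(new ResourceDetection());
        processes.Add(new StringDetection());
        processes.Add(new ReflectionDetection());
        processes.Add(new PInvokeDetection());
    }

    // PE-level detections run for both managed and native images.
    processes.Add(new EOFDetection());
    processes.Add(new SectionDetection());
    processes.Add(new SignatureDetection());

    // Each process reports its own hit count; DetectionDatabase.Save() is called once,
    // after every process has run, rather than per detection.
    int totalDetections = processes.Sum(x => x.Detect(asmSettings));
    DetectionDatabase.Save();

    detectionCount = totalDetections;
    return asmSettings.TotalDetections;
}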
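/// <summary>
/// Registers the built-in P/Invoke and reflection signatures with <see cref="DetectionDatabase"/>.
/// Each entry pairs a trigger with the category, description and tag reported on a match.
/// The tables below are data; the only logic is the registration loop at the end of each one.
/// </summary>
static void AddDets()
{
    // Native API names the P/Invoke detection looks for. Several are deliberately left without
    // their A/W/Ex suffix (CreateProcess, LoadLibrary, SetWindowsHook) so that every variant is
    // covered; this presumes the trigger is matched as a prefix/substring — TODO confirm against
    // PInvokeDetection.
    PInvokeEntry[] pinvokeEntries =
    {
        new PInvokeEntry { Category = "Dynamic Calls", Description = "Get Process Address", Trigger = "GetProcAddress", Tag = "DynCalls" },
        new PInvokeEntry { Category = "Memory", Description = "Read Process Memory", Trigger = "ReadProcessMemory", Tag = "Mem" },
        new PInvokeEntry { Category = "Memory", Description = "Write Process Memory", Trigger = "WriteProcessMemory", Tag = "Mem" },
        new PInvokeEntry { Category = "Thread", Description = "Resume Thread", Trigger = "ResumeThread", Tag = "Threads" },
        new PInvokeEntry { Category = "Process", Description = "Create new process", Trigger = "CreateProcess", Tag = "Procs" },
        new PInvokeEntry { Category = "Process", Description = "Open process", Trigger = "OpenProcess", Tag = "Procs" },
        new PInvokeEntry { Category = "Memory", Description = "Protect Memory", Trigger = "VirtualProtect", Tag = "Mem" },
        new PInvokeEntry { Category = "Memory", Description = "Allocate Memory", Trigger = "VirtualAlloc", Tag = "Mem" },
        new PInvokeEntry { Category = "Process", Description = "Terminate process", Trigger = "TerminateProcess", Tag = "Procs" },
        new PInvokeEntry { Category = "Anti-Debug", Description = "Output to debugger", Trigger = "OutputDebugString", Tag = "Debug" },
        new PInvokeEntry { Category = "Anti-Debug", Description = "Check if debugger present", Trigger = "IsDebuggerPresent", Tag = "Debug" },
        new PInvokeEntry { Category = "Process", Description = "Set Critical Process", Trigger = "RtlSetProcessIsCritical", Tag = "Procs" },
        new PInvokeEntry { Category = "Dynamic Calls", Description = "Load External Library", Trigger = "LoadLibrary", Tag = "DynCalls" },
        new PInvokeEntry { Category = "Thread", Description = "Set thread context", Trigger = "SetThreadContext", Tag = "Threads" },
        new PInvokeEntry { Category = "Thread", Description = "Set thread context x64", Trigger = "Wow64SetThreadContext", Tag = "Threads" },
        new PInvokeEntry { Category = "Hook", Description = "Low level Windows Hook", Trigger = "SetWindowsHook", Tag = "Hooks" },
    };

    foreach (PInvokeEntry entry in pinvokeEntries)
    {
        DetectionDatabase.AddDetection(entry);
    }

    // Managed member references the reflection detection looks for, written as
    // "Namespace.Type::Member" (a bare type name matches any member of that type).
    ReflectionEntry[] reflectionEntries =
    {
        new ReflectionEntry { Trigger = "System.AppDomain::Load", Description = "Loading Assembly (Appdomain)", Category = "Load", Tag = "Load" },
        new ReflectionEntry { Trigger = "System.Reflection.Assembly::Load", Description = "Loading Assembly", Category = "Load", Tag = "Load" },
        new ReflectionEntry { Trigger = "System.Runtime.CompilerServices.RuntimeHelpers", Description = "Loading Assembly by Invoke (RuntimeHelpers)", Category = "Load", Tag = "Load" },
        new ReflectionEntry { Trigger = "System.Reflection.Assembly::get_EntryPoint", Description = "Getting Assembly EntryPoint", Category = "Invoke", Tag = "Invoke" },
        new ReflectionEntry { Trigger = "System.Reflection.MethodBase::Invoke", Description = "Invoking method with MethodBase", Category = "Invoke", Tag = "Invoke" },
        new ReflectionEntry { Trigger = "System.Type::InvokeMember", Description = "Invoking method with Type.InvokeMember", Category = "Invoke", Tag = "Invoke" },
        new ReflectionEntry { Trigger = "Microsoft.VisualBasic.CompilerServices.NewLateBinding::", Description = "Late binding to invoke data", Category = "Invoke", Tag = "Invoke" },
        new ReflectionEntry { Trigger = "Microsoft.VisualBasic.CompilerServices.Operators::OrObject", Description = "Or Object is used with NewLateBinding", Category = "Invoke", Tag = "Invoke" },
        new ReflectionEntry { Trigger = "System.Reflection.Module::ResolveSignature", Description = "Resolve signature to byte array (store data)", Category = "Resources", Tag = "Resources" },
        new ReflectionEntry { Trigger = "System.Reflection.Module::ResolveMethod", Description = "Resolve a method from MD Token", Category = "Invoke", Tag = "Invoke" },
        new ReflectionEntry { Trigger = "System.Type::GetMethod", Description = "Gets Method(s) from a type", Category = "Invoke", Tag = "Invoke" },
        // Module lives in System.Reflection (as the ResolveSignature/ResolveMethod triggers above
        // already reflect); the previous "System.Module::GetTypes" spelling could never match.
        new ReflectionEntry { Trigger = "System.Reflection.Module::GetTypes", Description = "Gets Type(s) from a Module", Category = "Invoke", Tag = "Invoke" },
        new ReflectionEntry { Trigger = "System.Reflection.Emit.OpCodes", Description = "Initializing CIL related data", Category = "Dynamic", Tag = "Dynamic" },
        new ReflectionEntry { Trigger = "System.Reflection.Emit.ILGenerator", Description = "Using IL Generator", Category = "Dynamic", Tag = "Dynamic" },
        new ReflectionEntry { Trigger = "System.Runtime.InteropServices.Marshal::Alloc", Description = "Marshal Memory Allocation", Category = "Dynamic", Tag = "Dynamic" },
        new ReflectionEntry { Trigger = "System.Runtime.InteropServices.GCHandle::Alloc", Description = "GC Handle Allocation", Category = "Dynamic", Tag = "Dynamic" },
        new ReflectionEntry { Trigger = "System.Resources.ResourceManager::.ctor", Description = "Initializing ResourceManager", Category = "Resources", Tag = "Resources" },
        new ReflectionEntry { Trigger = "System.Resources.ResourceManager::GetObject", Description = "Getting Object from Resource Manager", Category = "Resources", Tag = "Resources" },
        // Registered once; the original table listed this entry twice, which would double-count
        // (or double-store) the hit depending on how DetectionDatabase handles duplicates.
        new ReflectionEntry { Trigger = "System.Reflection.Assembly::GetManifestResource", Description = "Getting Resource from Assembly", Category = "Resources", Tag = "Resources" },
        new ReflectionEntry { Trigger = "System.Reflection.Assembly::GetManifestResourceNames", Description = "Getting Resource Names from Assembly", Category = "Resources", Tag = "Resources" },
    };

    foreach (ReflectionEntry entry in reflectionEntries)
    {
        DetectionDatabase.AddDetection(entry);
    }
}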