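        /// <summary>
        /// Runs one static-analysis backend against <paramref name="_target"/> and reports
        /// the parsed verdict as a tray balloon.
        /// </summary>
        /// <param name="_method">Backend selector: "csharp" (de4dot), "cpp" (Manalyze) or "yara".
        /// Any other value runs no tool and goes straight to result parsing.</param>
        /// <param name="_target">Path of the file to analyze; handed to the external tool unchanged.</param>
        /// <param name="_StaticAnalyzeCppWrapInst">Not used by this routine; kept so existing callers keep compiling.</param>
        /// <param name="_notifyIcon">Tray icon used for the balloon notifications.</param>
        private static void StaticAnalyzeThreadFunc(string _method, string _target, StaticAnalyzeCppWrap _StaticAnalyzeCppWrapInst, System.Windows.Forms.NotifyIcon _notifyIcon)
        {
            // Bail out early rather than dereferencing a null parser or handing a missing
            // file to an external tool; an unhandled exception on a worker thread would
            // bring the whole process down.
            if (_target == null)
            {
                return;
            }
            IToolResParse resParser = GetTool(_method, _target);
            if (resParser == null || !System.IO.File.Exists(_target))
            {
                return;
            }

            // NOTE(review): the tool and rule paths below are relative to the process
            // working directory, not the application directory. Launching an executable
            // through a CWD-relative path is fragile (shortcuts, schedulers) and a
            // binary-planting risk; anchoring them to AppDomain.CurrentDomain.BaseDirectory
            // is recommended once SAManager.RunToolOutCapture's argument quoting is known.
            // _target is also passed through unvalidated; how it is quoted on the command
            // line is not visible here.
            if (_method == "csharp")
            {
                de4dot.cui.Program.Main(new string[] { _target });
            }
            else if (_method == "cpp")
            {
                SAManager.RunToolOutCapture(
                    _target,
                    @"..\..\..\__LIBS\Manalyze\bin\manalyze.exe",
                    "--output=json --hashes --plugins=all",
                    ".cpp.res.txt");
            }
            else if (_method == "yara")
            {
                SAManager.RunToolOutCapture(
                    _target,
                    @"..\..\..\__LIBS\YARA\yara64.exe",
                    @"..\..\..\__LIBS\YARA\rules\index.yar -w",
                    ".yara.res.txt");
            }

            ResContainer res = resParser.ParseResVerbose();
            if (res == null)
            {
                return;
            }
            _notifyIcon.Visible = true;

            // The three verdicts are mutually exclusive for notification purposes. The
            // previous version tested isSuspicious with a plain "if" after isMalware, so a
            // malware verdict that was not also flagged suspicious fell into the "else"
            // and produced a contradictory "Nothing Suspitious" balloon right after the
            // error balloon.
            if (res.isMalware)
            {
                _notifyIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + _target, System.Windows.Forms.ToolTipIcon.Error);
            }
            else if (res.isSuspicious)
            {
                _notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
            }
            else
            {
                _notifyIcon.ShowBalloonTip(5000, "Nothing Suspitious in App", "App: " + _target, System.Windows.Forms.ToolTipIcon.Info);
            }
        }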
        /// <summary>
        /// Runs a Pin tool against a file or a live process and raises a tray warning when
        /// the tool's result parser reports suspicious activity.
        /// </summary>
        /// <param name="_method">"file" or "process"; any other value runs no tool, but the result parser still runs.</param>
        /// <param name="_tool">Pin tool identifier; also selects the result parser via GetTool.</param>
        /// <param name="_target">File path or process identifier handed to the Pin tool.</param>
        /// <param name="_notifyIcon">Tray icon used for the balloon notification.</param>
        private static void PinThreadFunc(string _method, string _tool, string _target, System.Windows.Forms.NotifyIcon _notifyIcon)
        {
            IToolResParse parser = GetTool(_tool);

            switch (_method)
            {
                case "file":
                    PinToolManager.RunToolFile(_tool, _target);
                    break;
                case "process":
                    PinToolManager.RunToolProcess(_tool, _target);
                    break;
                // NOTE(review): an unrecognized method reaches ParseRes() without having
                // run anything; whether that reads stale output is not visible here.
            }

            bool suspicious = parser.ParseRes();
            _notifyIcon.Visible = true;

            if (!suspicious)
            {
                return;
            }
            _notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspitious Activity in App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
        }
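        /// <summary>
        /// Runs one static-analysis backend against <paramref name="_target"/>, reports the
        /// verdict as a tray balloon and shows the suspicious attributes in the info text box.
        /// </summary>
        /// <param name="_method">Backend selector: "csharp" (de4dot), "cpp" (Manalyze) or "yara".
        /// Any other value runs no tool and goes straight to result parsing.</param>
        /// <param name="_target">Path of the file to analyze; must exist, and is handed to the external tool unchanged.</param>
        /// <param name="_notifyIcon">Tray icon used for the balloon notifications.</param>
        /// <param name="_info_textbox">Text box that receives the newline-joined suspicious attributes
        /// (emptied on a clean verdict).</param>
        private static void StaticAnalyzeThreadFunc(
            string _method,
            string _target,
            System.Windows.Forms.NotifyIcon _notifyIcon,
            System.Windows.Forms.TextBox _info_textbox
            )
        {
            if (_target == null)
            {
                return;
            }
            IToolResParse resParser = GetTool(_method, _target);
            if (resParser == null)
            {
                return;
            }

            System.Console.WriteLine(_method);
            System.Console.WriteLine(_target);
            System.Console.WriteLine(_notifyIcon.ToString());

            if (!File.Exists(_target))
            {
                return;
            }

            // NOTE(review): the tool and rule paths below are relative to the process
            // working directory, not the application directory. Launching an executable
            // through a CWD-relative path is fragile (shortcuts, schedulers) and a
            // binary-planting risk; anchoring them to AppDomain.CurrentDomain.BaseDirectory
            // is recommended once SAManager.RunToolOutCapture's argument quoting is known.
            if (_method == "csharp")
            {
                Console.WriteLine("csharp analyze.");
                de4dot.cui.Program.Main(new string[] { _target });
                Console.WriteLine("csharp done.");
            }
            else if (_method == "cpp")
            {
                SAManager.RunToolOutCapture(
                    _target,
                    @"Manalyze\bin\manalyze.exe",
                    "--output=json --hashes --plugins=all",
                    ".cpp.res.txt");
            }
            else if (_method == "yara")
            {
                SAManager.RunToolOutCapture(
                    _target,
                    @"YARA\yara64.exe",
                    @"YARA\rules\index.yar -w",
                    ".yara.res.txt");
            }

            ResContainer res = resParser.ParseResVerbose();
            if (res == null)
            {
                return;
            }
            _notifyIcon.Visible = true;

            string appInfo = string.Empty;
            if (res.isMalware)
            {
                _notifyIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + _target, System.Windows.Forms.ToolTipIcon.Error);
                appInfo = JoinSuspiciousAttributes(res);
            }
            else if (res.isSuspicious)
            {
                _notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
                appInfo = JoinSuspiciousAttributes(res);
            }
            else
            {
                _notifyIcon.ShowBalloonTip(5000, "Nothing Suspitious in App", "App: " + _target, System.Windows.Forms.ToolTipIcon.Info);
            }

            // The previous version wrote _info_textbox.Clear()/.Text directly. WinForms
            // controls are thread-affine and this routine is (per its name) intended to run
            // on a worker thread, so the assignment is marshalled to the control's thread.
            SetTextOnUiThread(_info_textbox, appInfo);
        }

        /// <summary>
        /// Joins the result's suspicious attributes one per line; returns an empty string
        /// when the list is absent instead of throwing.
        /// </summary>
        private static string JoinSuspiciousAttributes(ResContainer res)
        {
            if (res.suspiciousAttr == null)
            {
                return string.Empty;
            }
            return String.Join("\n", res.suspiciousAttr.ToArray());
        }

        /// <summary>
        /// Assigns <paramref name="text"/> to <paramref name="box"/>, switching to the
        /// control's owning thread when called from another one (cross-thread control
        /// access is an error in WinForms).
        /// </summary>
        private static void SetTextOnUiThread(System.Windows.Forms.TextBox box, string text)
        {
            if (box.InvokeRequired)
            {
                box.Invoke((Action)delegate { box.Text = text; });
            }
            else
            {
                box.Text = text;
            }
        }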