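/// <summary>
/// Runs the selected static-analysis tool over <paramref name="_target"/> and reports the
/// parsed verdict through the tray icon. Written as a worker-thread body (see name).
/// </summary>
/// <param name="_method">Analysis method: "csharp" (de4dot in-process), "cpp" (Manalyze) or "yara" (yara64). Any other value runs no tool and only parses results.</param>
/// <param name="_target">Path of the sample to analyze; handed verbatim to the external tool.</param>
/// <param name="_StaticAnalyzeCppWrapInst">Not used by this method; kept so existing callers keep compiling.</param>
/// <param name="_notifyIcon">Tray icon used to show the verdict balloon.</param>
private static void StaticAnalyzeThreadFunc(string _method, string _target, StaticAnalyzeCppWrap _StaticAnalyzeCppWrapInst, System.Windows.Forms.NotifyIcon _notifyIcon)
{
    IToolResParse resParser = GetTool(_method, _target);

    switch (_method)
    {
        case "csharp":
            // de4dot is driven in-process; its Main takes the sample path as argv.
            de4dot.cui.Program.Main(new string[] { _target });
            break;
        case "cpp":
            // NOTE(review): tool paths are relative to the process working directory, not to the
            // executable; an unexpected CWD changes which binary gets launched.
            SAManager.RunToolOutCapture(_target, @"..\..\..\__LIBS\Manalyze\bin\manalyze.exe", "--output=json --hashes --plugins=all", ".cpp.res.txt");
            break;
        case "yara":
            SAManager.RunToolOutCapture(_target, @"..\..\..\__LIBS\YARA\yara64.exe", @"..\..\..\__LIBS\YARA\rules\index.yar -w", ".yara.res.txt");
            break;
    }

    ResContainer res = resParser.ParseResVerbose();
    _notifyIcon.Visible = true;

    // The three verdicts are mutually exclusive. The original used a separate `if` for the
    // malware case, so a malware-only result also fell into the "Nothing Suspitious" balloon;
    // an else-if chain shows exactly one balloon. The unused appInfo local is dropped.
    if (res.isMalware)
    {
        _notifyIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + _target, System.Windows.Forms.ToolTipIcon.Error);
    }
    else if (res.isSuspicious)
    {
        _notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
    }
    else
    {
        _notifyIcon.ShowBalloonTip(5000, "Nothing Suspitious in App", "App: " + _target, System.Windows.Forms.ToolTipIcon.Info);
    }
}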
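/// <summary>
/// Runs a Pin tool against a file or a live process and raises a tray warning when the
/// parsed result is positive. Written as a worker-thread body (see name).
/// </summary>
/// <param name="_method">"file" to instrument a file, "process" to instrument a running process; any other value runs no tool and only parses results.</param>
/// <param name="_tool">Pin tool name; also selects the result parser through <c>GetTool</c>.</param>
/// <param name="_target">File path or process target (pid or name — confirm against PinToolManager.RunToolProcess) handed to the tool.</param>
/// <param name="_notifyIcon">Tray icon used to show the warning balloon.</param>
private static void PinThreadFunc(string _method, string _tool, string _target, System.Windows.Forms.NotifyIcon _notifyIcon)
{
    IToolResParse resParser = GetTool(_tool);
    // An unknown tool has no parser; return instead of failing later in the worker thread
    // (same guard style as the TextBox overload of StaticAnalyzeThreadFunc).
    if (resParser == null)
    {
        return;
    }

    if (_method == "file")
    {
        PinToolManager.RunToolFile(_tool, _target);
    }
    else if (_method == "process")
    {
        PinToolManager.RunToolProcess(_tool, _target);
    }

    bool suspicious = resParser.ParseRes();
    _notifyIcon.Visible = true;
    if (suspicious)
    {
        _notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspitious Activity in App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
    }
}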
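/// <summary>
/// Runs the selected static-analysis tool over <paramref name="_target"/>, reports the parsed
/// verdict through the tray icon and writes the suspicious attributes into the info text box.
/// Written as a worker-thread body (see name).
/// </summary>
/// <param name="_method">Analysis method: "csharp" (de4dot in-process), "cpp" (Manalyze) or "yara" (yara64). Any other value runs no tool and only parses results.</param>
/// <param name="_target">Path of the sample to analyze; must exist on disk. Handed verbatim to the external tool.</param>
/// <param name="_notifyIcon">Tray icon used to show the verdict balloon.</param>
/// <param name="_info_textbox">Text box that receives the newline-joined suspicious attributes (cleared when nothing was found).</param>
private static void StaticAnalyzeThreadFunc(string _method, string _target, System.Windows.Forms.NotifyIcon _notifyIcon, System.Windows.Forms.TextBox _info_textbox)
{
    if (_target == null)
    {
        return;
    }
    IToolResParse resParser = GetTool(_method, _target);
    if (resParser == null)
    {
        return;
    }

    // Diagnostic output kept from the original.
    System.Console.WriteLine(_method);
    System.Console.WriteLine(_target);
    System.Console.WriteLine(_notifyIcon.ToString());

    if (!File.Exists(_target))
    {
        return;
    }

    switch (_method)
    {
        case "csharp":
            Console.WriteLine("csharp analyze.");
            // de4dot is driven in-process; its Main takes the sample path as argv.
            de4dot.cui.Program.Main(new string[] { _target });
            Console.WriteLine("csharp done.");
            break;
        case "cpp":
            // NOTE(review): tool paths are relative to the process working directory, not to the
            // executable; an unexpected CWD changes which binary gets launched.
            SAManager.RunToolOutCapture(_target, @"Manalyze\bin\manalyze.exe", "--output=json --hashes --plugins=all", ".cpp.res.txt");
            break;
        case "yara":
            SAManager.RunToolOutCapture(_target, @"YARA\yara64.exe", @"YARA\rules\index.yar -w", ".yara.res.txt");
            break;
    }

    ResContainer res = resParser.ParseResVerbose();
    if (res == null)
    {
        return;
    }

    _notifyIcon.Visible = true;

    // Pick the balloon and the text once; the three verdicts are mutually exclusive.
    string title;
    string message;
    string appInfo;
    System.Windows.Forms.ToolTipIcon icon;
    if (res.isMalware)
    {
        title = "Malware App";
        message = "Malware App: " + _target;
        icon = System.Windows.Forms.ToolTipIcon.Error;
        appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
    }
    else if (res.isSuspicious)
    {
        title = "Suspitious App";
        message = "Suspicious App: " + _target;
        icon = System.Windows.Forms.ToolTipIcon.Warning;
        appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
    }
    else
    {
        title = "Nothing Suspitious in App";
        message = "App: " + _target;
        icon = System.Windows.Forms.ToolTipIcon.Info;
        appInfo = string.Empty;
    }

    _notifyIcon.ShowBalloonTip(5000, title, message, icon);
    // The original assigned _info_textbox.Text directly. A WinForms Control may only be
    // touched from the thread that created it; when this body runs on a worker thread
    // (as the name suggests) that assignment throws or silently misbehaves, so the write
    // is marshalled to the UI thread when needed.
    SetInfoText(_info_textbox, appInfo);
}

/// <summary>
/// Clears <paramref name="box"/> and sets its text, on the control's own thread when the
/// caller is on a different one.
/// </summary>
/// <param name="box">Target text box.</param>
/// <param name="text">New content.</param>
private static void SetInfoText(System.Windows.Forms.TextBox box, string text)
{
    if (box.InvokeRequired)
    {
        box.Invoke(new System.Windows.Forms.MethodInvoker(() =>
        {
            box.Clear();
            box.Text = text;
        }));
    }
    else
    {
        box.Clear();
        box.Text = text;
    }
}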