private static void StaticAnalyzeThreadFunc(string _method, string _target, StaticAnalyzeCppWrap _StaticAnalyzeCppWrapInst, System.Windows.Forms.NotifyIcon _notifyIcon)
{
IToolResParse resParser = GetTool(_method, _target);
if (_method == "csharp")
{
string[] args_arr = new string[] { _target };
de4dot.cui.Program.Main(args_arr);
}
else if (_method == "cpp")
{
string _toolpath = @"..\..\..\__LIBS\Manalyze\bin\manalyze.exe";
string _argflags = "--output=json --hashes --plugins=all";
string _fext = ".cpp.res.txt";
SAManager.RunToolOutCapture(_target, _toolpath, _argflags, _fext);
}
else if (_method == "yara")
{
string _toolpath = @"..\..\..\__LIBS\YARA\yara64.exe";
string _argflags = @"..\..\..\__LIBS\YARA\rules\index.yar -w";
string _fext = ".yara.res.txt";
SAManager.RunToolOutCapture(_target, _toolpath, _argflags, _fext);
}
ResContainer res = resParser.ParseResVerbose();
_notifyIcon.Visible = true;
string appInfo = string.Empty;
if (res.isMalware)
{
_notifyIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + _target, System.Windows.Forms.ToolTipIcon.Error);
appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
}
if (res.isSuspicious)
{
_notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
}
else
{
_notifyIcon.ShowBalloonTip(5000, "Nothing Suspitious in App", "App: " + _target, System.Windows.Forms.ToolTipIcon.Info);
}
}
private static void PinThreadFunc(string _method, string _tool, string _target, System.Windows.Forms.NotifyIcon _notifyIcon)
{
IToolResParse resParser = GetTool(_tool);
if (_method == "file")
{
PinToolManager.RunToolFile(_tool, _target);
}
else if (_method == "process")
{
PinToolManager.RunToolProcess(_tool, _target);
}
bool res = resParser.ParseRes();
_notifyIcon.Visible = true;
if (res)
{
_notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspitious Activity in App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
}
}
private static void StaticAnalyzeThreadFunc(
string _method,
string _target,
System.Windows.Forms.NotifyIcon _notifyIcon,
System.Windows.Forms.TextBox _info_textbox
)
{
if (_target == null)
{
return;
}
IToolResParse resParser = GetTool(_method, _target);
if (resParser == null)
{
return;
}
System.Console.WriteLine(_method);
System.Console.WriteLine(_target);
System.Console.WriteLine(_notifyIcon.ToString());
if (!File.Exists(_target))
{
return;
}
if (_method == "csharp")
{
Console.WriteLine("csharp analyze.");
string[] args_arr = new string[] { _target };
de4dot.cui.Program.Main(args_arr);
Console.WriteLine("csharp done.");
}
else if (_method == "cpp")
{
string _toolpath = @"Manalyze\bin\manalyze.exe";
string _argflags = "--output=json --hashes --plugins=all";
string _fext = ".cpp.res.txt";
SAManager.RunToolOutCapture(_target, _toolpath, _argflags, _fext);
}
else if (_method == "yara")
{
string _toolpath = @"YARA\yara64.exe";
string _argflags = @"YARA\rules\index.yar -w";
string _fext = ".yara.res.txt";
SAManager.RunToolOutCapture(_target, _toolpath, _argflags, _fext);
}
ResContainer res = resParser.ParseResVerbose();
if (res == null)
{
return;
}
_notifyIcon.Visible = true;
_info_textbox.Clear();
string appInfo = string.Empty;
if (res.isMalware)
{
_notifyIcon.ShowBalloonTip(5000, "Malware App", "Malware App: " + _target, System.Windows.Forms.ToolTipIcon.Error);
appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
_info_textbox.Text = appInfo;
}
else if (res.isSuspicious)
{
_notifyIcon.ShowBalloonTip(5000, "Suspitious App", "Suspicious App: " + _target, System.Windows.Forms.ToolTipIcon.Warning);
appInfo = String.Join("\n", res.suspiciousAttr.ToArray());
_info_textbox.Text = appInfo;
}
else
{
_notifyIcon.ShowBalloonTip(5000, "Nothing Suspitious in App", "App: " + _target, System.Windows.Forms.ToolTipIcon.Info);
_info_textbox.Text = appInfo;
}
}
