C# (CSharp) ETW_POC ReadEventTracker Exemples

Langage de programmation: C# (CSharp)

Espace de nommage/Pack: ETW_POC

Class/Type: ReadEventTracker

Exemples au hotexamples.com: 2

C# (CSharp) ETW_POC ReadEventTracker - 2 exemples trouvés. Ce sont les exemples réels les mieux notés de ETW_POC.ReadEventTracker extraits de projets open source. Vous pouvez noter les exemples pour nous aider à en améliorer la qualité.

Méthodes fréquemment utilisées

Afficher Cacher

updateEvent(1)

Méthodes fréquemment utilisées

updateEvent (1)

Associées

Solution

TcpPackage

Types.AddressBook

TargetMostRecentlyUsedState

LeaveAppFormByUserModel

Cachemanager

Player

ICustomerCallQueueCallAttemptService

MobicomStartRequest

ConstructionPlacementSystem

Related in langs

dealer (PHP)

nextFilename (PHP)

d1000_start_t_move (C++)

nbr_cmp (C++)

Router (Go)

Nil (Go)

Token (Java)

TargetProductSelector (Java)

Post (Python)

EmoticonsDiv1 (Python)

Exemple #1

0

Afficher le fichier

Fichier : Program.cs Projet : tkouba/Ruxcon2016ETW

public void addReadEvent(FileIOReadWriteTraceData readEvent) { //first check for correlation string currFileName = Path.GetFileNameWithoutExtension(readEvent.FileName); ReadEventTracker existingReadEvent = null; foreach (ReadEventTracker ret in readEvents) { if (Path.GetFileNameWithoutExtension(ret.fileName).ToLower() == currFileName.ToLower()) { existingReadEvent = ret; break; } } //new read event if (existingReadEvent == null) { ReadEventTracker ret = new ReadEventTracker(readEvent); readEvents.Add(ret); } else { readEvents.Remove(existingReadEvent); existingReadEvent.updateEvent(readEvent); readEvents.Add(existingReadEvent); } }

Exemple #2

0

Afficher le fichier

Fichier : Program.cs Projet : tkouba/Ruxcon2016ETW

public void addWriteEvent(FileIOReadWriteTraceData writeEvent) { //first check for correlation string currFileName = Path.GetFileNameWithoutExtension(writeEvent.FileName); ReadEventTracker correspondingReadEvent = null; int corrReadEvent = -1; int i = 0; foreach (ReadEventTracker ret in readEvents) { if (Path.GetFileNameWithoutExtension(ret.fileName).ToLower() == currFileName.ToLower()) { corrReadEvent = i; correspondingReadEvent = ret; break; } i++; } // There are times when we receive writes before reads are detected. The obvious case is // when the file written to has changed it's name drastically and we fail to recognize it. // For now these events are dropped. if (corrReadEvent == -1) { return; } // check timestamp // doesn't matter if the writeEvent is new or old it still needs to be under the threshold if (writeEvent.TimeStampRelativeMSec - correspondingReadEvent.eventTime > IO_DELTA_THRESHOLD) { Out.WriteLine("Timestamp for incoming writeEvent is outside of threshold [" + (writeEvent.TimeStampRelativeMSec - correspondingReadEvent.eventTime).ToString() + "]. Disregarding: " + writeEvent.FileName); return; } ////////////////////////////////////// // at this point we know there has been a Read and a write to the same file, from the same process // and it was within the timing threshold. All that's left is to check the size of the read first // the file write. ////////////////////////////////////// // Check if previous event exist WriteEventTracker tempWE = null; foreach (WriteEventTracker wet in writeEvents) { if (writeEvent.FileName == wet.fileName) { tempWE = wet; break; } } //if it's new if (tempWE == null) { //update time stamps firstWriteTime = writeEvent.TimeStampRelativeMSec; lastWriteTime = writeEvent.TimeStampRelativeMSec; bool suspicious = false; if (writeEvent.IoSize - correspondingReadEvent.fileSize >= 0 && writeEvent.IoSize - correspondingReadEvent.fileSize <= READ_WRITE_SIZE_DIFF_THRESHOLD) { suspicious = true; Out.WriteLine("[!] Suspicious write event detected! " + writeEvent.FileName); Out.WriteLine("\tSize of file write(s): " + writeEvent.IoSize.ToString() + " Size of file read(s): " + correspondingReadEvent.fileSize.ToString() + ". PID: " + writeEvent.ProcessID.ToString() + ". Process name: " + writeEvent.ProcessName); //if we encounter a certain number of suspicious events we call it ransomware! if (suspiciousWriteEvents.Count >= SUSPICOUS_EVENTS_THRESHOLD) { Out.WriteLine("[!!] Ransomware detected! - PID[" + writeEvent.ProcessID.ToString() + "] Process Name: " + writeEvent.ProcessName); } //don't add duplicates bool dup = false; foreach (WriteEventTracker swe in suspiciousWriteEvents) { if (swe.fileName == writeEvent.FileName) { dup = true; Out.WriteLine("\t Already detected entry, not added"); } } if (!dup) { suspiciousWriteEvents.Add(new WriteEventTracker(writeEvent, false)); } } WriteEventTracker wet = new WriteEventTracker(writeEvent, suspicious); writeEvents.Add(wet); } //update existing write event else { //remove old before we add in our updated version writeEvents.Remove(tempWE); //update time stamps firstWriteTime = writeEvent.TimeStampRelativeMSec; lastWriteTime = writeEvent.TimeStampRelativeMSec; //update time, file size with current time then check tempWE.updateEvent(writeEvent); if (tempWE.fileSize - correspondingReadEvent.fileSize >= 0 && tempWE.fileSize - correspondingReadEvent.fileSize <= READ_WRITE_SIZE_DIFF_THRESHOLD) { Out.WriteLine("[!] Suspicious write event on existing file: " + writeEvent.FileName); Out.WriteLine("\tSize of file write(s): " + tempWE.fileSize.ToString() + " Size of file read(s): " + correspondingReadEvent.fileSize.ToString() + ". PID: " + correspondingReadEvent.pid.ToString() + ". Process name: " + writeEvent.ProcessName); //if we encounter a certain number of suspicious events we call it cryptolocker if (suspiciousWriteEvents.Count >= SUSPICOUS_EVENTS_THRESHOLD) { Out.WriteLine("[!!] Ransomware detected! - PID[" + writeEvent.ProcessID.ToString() + "] Process Name: " + writeEvent.ProcessName); } //don't add duplicates bool dup = false; foreach (WriteEventTracker swe in suspiciousWriteEvents) { if (swe.fileName == tempWE.fileName) { dup = true; Out.WriteLine("\tAlready detected entry, not added"); } } if (!dup) { suspiciousWriteEvents.Add(tempWE); } } writeEvents.Add(tempWE); } }