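//FileSystemWatcher callback for Changed/Created/Deleted notifications.
//Logs every event it sees, then forwards only events that fall under the
//monitored baseline user folders and that look like files to FilemonEventHandler.
//  source - the FileSystemWatcher raising the event (unused)
//  e      - the event; e.FullPath and e.ChangeType drive the filtering below
private static void OnChanged(object source, FileSystemEventArgs e)
{
    Console.WriteLine(e.FullPath + " is " + e.ChangeType);

    //Hard-coded baseline profile folders. AppData and the rest of the profile are
    //deliberately not listed so the monitor ignores routine application churn.
    string[] monitoredFolders =
    {
        @"C:\Users\Baseline\Desktop",
        @"C:\Users\Baseline\Documents",
        @"C:\Users\Baseline\Downloads",
        @"C:\Users\Baseline\Videos",
    };

    //Windows paths are case-insensitive, so the match is too; the previous ordinal
    //Contains() would silently drop events whose reported path differed only in case
    //(e.g. a watch root configured as "c:\users\...").
    //NOTE(review): this is still a substring match, not a prefix match anchored at the
    //watch root, so any path that merely contains one of these strings is admitted.
    //Confirm what PATH the watcher is started with before tightening this to StartsWith.
    bool inMonitoredFolder = Array.Exists(
        monitoredFolders,
        folder => e.FullPath.IndexOf(folder, StringComparison.OrdinalIgnoreCase) >= 0);
    if (!inMonitoredFolder)
    {
        return;
    }

    //Crude "is a file" heuristic: require a dot somewhere in the path. Extension-less
    //files are therefore skipped and dotted directory names are admitted.
    if (!e.FullPath.Contains("."))
    {
        return;
    }

    //Dispatch on the enum itself rather than on ChangeType.ToString(); identical for the
    //three single-flag values and avoids a string allocation per event. Renamed and
    //combined flags fall through unhandled, exactly as before.
    switch (e.ChangeType)
    {
        case WatcherChangeTypes.Changed:
            FilemonEventHandler.changeOccured(e);
            break;
        case WatcherChangeTypes.Created:
            FilemonEventHandler.creationOccured(e);
            break;
        case WatcherChangeTypes.Deleted:
            FilemonEventHandler.deletionOccured(e);
            break;
    }
}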
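//Runs one end-to-end Shannon-entropy file-monitor detection test against the PoC ransomware.
//Sequence: fetch the sample name and report the fetch to the server, push configuration into
//the static helpers, baseline the entropy of every file under the four watched paths, start
//the procmon backing-file writer on its own thread, run the logger, then report results.
//Every step calls static project helpers (Logger, ActionTaker, ProcMon, FilemonEventHandler,
//ShannonEntropy); the order below is the protocol the server side expects and is kept as-is.
//Throws TimeoutException if the server never acknowledges the fetch (see fetchAckTimeoutMs).
public static void shannonEntropyFileMonDetection()
{
    //Get the name of the ransomware sample, then tell the server it has been fetched.
    Logger.getPoCRansomware();
    Thread.Sleep(1000);
    Logger.postPoCFetched();

    //Wait for the server to acknowledge - but not forever. The previous loop had no exit
    //other than a positive reply, so an unreachable or misbehaving server hung the run
    //indefinitely. Fail loudly instead so the caller/operator can see what happened.
    const int fetchAckTimeoutMs = 60000;
    const int fetchPollIntervalMs = 500;
    var fetchAckTimer = System.Diagnostics.Stopwatch.StartNew();
    while (!Logger.getHasFetched())
    {
        if (fetchAckTimer.ElapsedMilliseconds >= fetchAckTimeoutMs)
        {
            throw new TimeoutException(
                "Server did not acknowledge the PoC fetch within " + fetchAckTimeoutMs + " ms.");
        }
        Thread.Sleep(fetchPollIntervalMs);
    }

    //Push configuration into the static helpers before anything reads it.
    Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);
    ActionTaker.setBackingName(BACKINGNAME);
    ActionTaker.setPathToBackingFile(pathToBackingFile);
    ProcMon.setPathToProcMon(ProcMonPath);
    FilemonEventHandler.setEntropyThreshold(entropyThreshold);
    FilemonEventHandler.setThresholdToReaction(thresholdToReaction);
    FilemonEventHandler.setSecondsInThreshold(secondsInThreshold);
    Logger.setPath1(path1);
    Logger.setPath2(path2);
    Logger.setPath3(path3);
    Logger.setPath4(path4);
    Logger.setPathFileWatch(PATH);

    //Baseline: compute the entropy of every file under each watched path, in order. The
    //results are read back from ShannonEntropy's static store below, so the instances
    //themselves are not kept.
    foreach (var watchedPath in new[] { path1, path2, path3, path4 })
    {
        new ShannonEntropy().getEntropyOfAllFilesInPath(watchedPath);
    }

    //Echo the baseline so the run log shows what "normal" looked like.
    Dictionary<string, double> baselineEntropies = ShannonEntropy.getSavedEntropies();
    foreach (KeyValuePair<string, double> entry in baselineEntropies)
    {
        Console.WriteLine(entry.Key + " - " + entry.Value);
    }

    //Start procmon's backing-file writer on a background thread (never joined).
    //NOTE(review): this reassigns the static BACKINGNAME - presumably appending a "0"
    //suffix to a string (a no-op if it is numeric) - so a second call to this method would
    //see the already-suffixed value. Confirm that is intended.
    BACKINGNAME = BACKINGNAME + 0;
    var procmonThread = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME));
    procmonThread.Start();

    //Filemon: when the watcher sees an event it posts to FilemonEventHandler, which decides
    //(via ActionTaker) whether to react. The watcher is not started in this method; it is
    //presumably owned by Logger.LogWriter(PATH) or wired up elsewhere - verify.
    Console.WriteLine(Logger.getNAMEONTEST());
    Logger.LogWriter(PATH);

    //Report to the server that the sample was tested, then post the results.
    Logger.postPoCTested();
    Logger.postPoCPosted();

    //Fixed 30 s pause carried over from the original; presumably gives the background
    //thread and server posts time to finish before the caller continues - TODO confirm.
    Thread.Sleep(30000);
}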