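/// <summary>
/// Builds the semantic units for a CreateProcess call: the process unit itself, one
/// <see cref="CodeInjectionSemanticUnit"/> per consumer that performed CreateRemoteThread on the
/// new process handle, and a "dropped" flag when the executable path was earlier a CreateFile
/// target of the sample (i.e. the sample wrote the binary it is now launching).
/// </summary>
/// <param name="s">The CreateProcess sequence unit; its API parameter must be a <see cref="CreateProcessParameter"/>.</param>
/// <returns>The process unit plus any injection units; never null.</returns>
/// <remarks>
/// Fixes two defects of the previous implementation: a null ProcessName in the trace threw a
/// NullReferenceException and aborted the whole analysis, and the path list contained an empty
/// string for every non-CreateFile API, so an empty process name was reported as "Dropped".
/// </remarks>
static List<SemanticUnit> OnCreateProcess(SequenceUnit s)
{
    var sem = new List<SemanticUnit>();
    var cParam = (CreateProcessParameter)s.API.Parameter;
    var su = new CreateProcessSemanticUnit();

    // Same normalization as the other handlers (upper-case, trimmed); a null name degrades to "".
    su.ProcessName = (cParam.ProcessName ?? string.Empty).ToUpper().Trim();

    // Any consumer of this process handle that is a CreateRemoteThread call is the injection signal.
    foreach (APIUnit api in s.Consumers)
    {
        if (api.Parameter is CreateRemoteThreadParameter)
        {
            su.Injected = true;
            sem.Add(new CodeInjectionSemanticUnit());
        }
    }

    // Collect every CreateFile target path once into a case-insensitive set; only real paths go in,
    // so an empty process name can no longer match the placeholder entries of unrelated APIs.
    var createdPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    foreach (var entry in sample.APIs)
    {
        var unit = entry as APIUnit;
        if (unit == null)
        {
            continue;
        }
        var fileParam = unit.Parameter as CreateFileParameter;
        if (fileParam != null && fileParam.Path != null)
        {
            createdPaths.Add(fileParam.Path);
        }
    }
    // NOTE(review): this is an exact (case-insensitive) path match; a CreateFile on a relative
    // path and a CreateProcess on the absolute path will not be correlated.
    su.Dropped = createdPaths.Contains(su.ProcessName);

    sem.Add(su);
    return sem;
}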
/// <summary>
/// Emits a <see cref="Process32FirstSemanticUnit"/> for a Process32First call (start of a process
/// enumeration). The unit carries no fields from the call; the parameter cast is kept purely as a
/// type assertion so a mis-routed sequence fails fast with InvalidCastException, as before.
/// </summary>
/// <param name="s">The Process32First sequence unit.</param>
/// <returns>A single-element list holding the new unit.</returns>
static List<SemanticUnit> OnProcess32First(SequenceUnit s)
{
    // Type check only; nothing is read from the parameter.
    object typeCheck = (Process32FirstParameter)s.API.Parameter;
    var unit = new Process32FirstSemanticUnit();
    return new List<SemanticUnit> { unit };
}
/// <summary>
/// Emits a <see cref="CreateToolHelpSemanticUnit"/> for a CreateToolhelp32Snapshot call, carrying the
/// snapshot flags (which decide whether processes, threads, modules or heaps were enumerated).
/// </summary>
/// <param name="s">The CreateToolhelp32Snapshot sequence unit; its parameter must be a <see cref="CreateToolhelp32Snapshot"/>.</param>
/// <returns>A single-element list holding the new unit.</returns>
static List<SemanticUnit> OnCreateToolHelp(SequenceUnit s)
{
    var snapshot = (CreateToolhelp32Snapshot)s.API.Parameter;
    var unit = new CreateToolHelpSemanticUnit { Flags = snapshot.Flags };
    return new List<SemanticUnit> { unit };
}
/// <summary>
/// Emits a <see cref="SetWindowsHookSemanticUnit"/> for a SetWindowsHook(Ex) call, carrying the hook
/// type as <c>HookMode</c>. Presumably downstream rules use the type to tell keyboard/message hooks
/// (keylogging, DLL injection) apart from benign ones — verify against the consumers of HookMode.
/// </summary>
/// <param name="s">The SetWindowsHook sequence unit.</param>
/// <returns>A single-element list holding the new unit.</returns>
static List<SemanticUnit> OnSetWindowsHook(SequenceUnit s)
{
    var hookParam = (SetWindowsHookParameter)s.API.Parameter;
    var unit = new SetWindowsHookSemanticUnit { HookMode = hookParam.HookType };
    return new List<SemanticUnit> { unit };
}
/// <summary>
/// Emits a <see cref="SocketBindSemanticUnit"/> for a socket bind, recording only the bound port.
/// A sample binding a port is opening a listener; the address is not captured here.
/// </summary>
/// <param name="s">The bind sequence unit; its parameter must be a <see cref="ConnectionParameter"/>.</param>
/// <returns>A single-element list holding the new unit.</returns>
static List<SemanticUnit> OnSocketBind(SequenceUnit s)
{
    var connection = (ConnectionParameter)s.API.Parameter;
    var unit = new SocketBindSemanticUnit { Port = connection.Port };
    return new List<SemanticUnit> { unit };
}
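/// <summary>
/// Emits a <see cref="ShellExecuteSemanticUnit"/> naming the launched target (directory joined with
/// file name) and the arguments passed to it.
/// </summary>
/// <param name="s">The ShellExecute sequence unit; its parameter must be a <see cref="ShellExecuteParameter"/>.</param>
/// <returns>A single-element list holding the new unit.</returns>
/// <remarks>
/// <see cref="Path.Combine(string, string)"/> throws <see cref="ArgumentNullException"/> when either
/// component is null and, on .NET Framework, <see cref="ArgumentException"/> on invalid path
/// characters. Trace data is attacker-controlled, so a malformed entry must not abort the analysis:
/// the bare name is kept as a fallback, matching the try/catch fallbacks of the file handlers.
/// </remarks>
static List<SemanticUnit> OnShellExecute(SequenceUnit s)
{
    var shellParam = (ShellExecuteParameter)s.API.Parameter;
    var unit = new ShellExecuteSemanticUnit();
    try
    {
        // NOTE: if Name is already rooted, Combine returns Name unchanged and Directory is ignored.
        unit.Name = Path.Combine(shellParam.Directory, shellParam.Name);
    }
    catch (ArgumentException)
    {
        unit.Name = shellParam.Name;
    }
    unit.Parameters = shellParam.Parameters;
    return new List<SemanticUnit> { unit };
}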
/// <summary>
/// Emits a <see cref="CreateServiceSemanticUnit"/> for a CreateService call, carrying the service
/// name and its mode (start/service type as recorded by the parameter).
/// </summary>
/// <param name="s">The CreateService sequence unit.</param>
/// <returns>A single-element list holding the new unit.</returns>
static List<SemanticUnit> OnCreateService(SequenceUnit s)
{
    var serviceParam = (CreateServiceParameter)s.API.Parameter;
    var unit = new CreateServiceSemanticUnit
    {
        Name = serviceParam.Name,
        Mode = serviceParam.Mode,
    };
    // TODO (carried over from the original "?Drop service" note): correlating the service binary
    // with an earlier CreateFile, as OnCreateProcess does for processes, is not implemented here.
    return new List<SemanticUnit> { unit };
}
/// <summary>
/// Emits a <see cref="FindFirstFileSemanticUnit"/> for a FindFirstFile call; the search pattern is
/// normalized to upper case and trimmed like every other path-ish field in this file.
/// </summary>
/// <param name="s">The FindFirstFile sequence unit.</param>
/// <returns>A single-element list holding the new unit.</returns>
static List<SemanticUnit> OnFindFirstFile(SequenceUnit s)
{
    var findParam = (FindFirstFileParameter)s.API.Parameter;
    string pattern = findParam.FileName.ToUpper().Trim();
    var unit = new FindFirstFileSemanticUnit { Pattern = pattern };
    return new List<SemanticUnit> { unit };
}
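/// <summary>
/// Emits an <see cref="InternetOperationSemanticUnit"/> with <c>Operation = "Download"</c> for a
/// URLDownloadToFile call, recording the source URL, the destination file and its directory.
/// </summary>
/// <param name="s">The URLDownloadToFile sequence unit; its parameter must be a <see cref="UrlDownloadToFileParameter"/>.</param>
/// <returns>A single-element list holding the new unit.</returns>
/// <remarks>
/// The previous version used <c>as</c> and then dereferenced the result without a null check, so a
/// mis-routed sequence surfaced as an opaque NullReferenceException; a direct cast now reports an
/// InvalidCastException naming the offending type, consistent with the other handlers.
/// </remarks>
static List<SemanticUnit> OnUrlDownloadFile(SequenceUnit s)
{
    var downloadParam = (UrlDownloadToFileParameter)s.API.Parameter;
    var unit = new InternetOperationSemanticUnit
    {
        URL = downloadParam.Url,
        FilePath = downloadParam.FilePath,
        Operation = "Download",
    };
    try
    {
        // Best effort: the directory is only informational, so a malformed path (invalid characters,
        // over-long path) leaves FileDirectory null rather than failing the analysis.
        unit.FileDirectory = Path.GetDirectoryName(downloadParam.FilePath);
    }
    catch (ArgumentException)
    {
        unit.FileDirectory = null;
    }
    catch (PathTooLongException)
    {
        unit.FileDirectory = null;
    }
    return new List<SemanticUnit> { unit };
}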
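/// <summary>
/// Emits one <see cref="RuntimeLoadingSemanticUnit"/> (module + function) per GetProcAddress call that
/// consumed the module handle returned by this LoadLibrary call. A LoadLibrary whose handle is never
/// passed to GetProcAddress produces no unit at all.
/// </summary>
/// <param name="s">The LoadLibrary sequence unit; its parameter must be a <see cref="LoadLibraryParameter"/>.</param>
/// <returns>Zero or more runtime-loading units; never null.</returns>
/// <remarks>
/// Changes from the previous version: the unused local unit is gone, the module name is normalized
/// once instead of per consumer, and a consumer that is not a GetProcAddress call is skipped instead of
/// throwing InvalidCastException (OnCreateProcess already filters its consumers the same way).
/// </remarks>
static List<SemanticUnit> OnLoadLibrary(SequenceUnit s)
{
    var sem = new List<SemanticUnit>();
    var loadParam = (LoadLibraryParameter)s.API.Parameter;
    string module = loadParam.LibraryName.ToUpper().Trim();

    foreach (APIUnit api in s.Consumers)
    {
        var procParam = api.Parameter as GetProcAddressParameter;
        if (procParam == null)
        {
            // Only GetProcAddress consumers describe a resolved import; anything else is ignored.
            continue;
        }
        sem.Add(new RuntimeLoadingSemanticUnit
        {
            Module = module,
            Function = procParam.Proc,
        });
    }
    return sem;
}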
/// <summary>
/// Emits one <see cref="RegSetValueSemanticUnit"/> per RegSetValue call that consumed the key handle
/// returned by this RegOpenKey call. The unit's <c>Value</c> is the fully qualified value path
/// "&lt;hive as hex&gt;\&lt;subkey&gt;\&lt;value name&gt;", upper-cased and trimmed; <c>Data</c> is the
/// written data, normalized the same way.
/// </summary>
/// <param name="s">The RegOpenKey sequence unit; its parameter must be a <see cref="RegOpenKeyParameter"/>.</param>
/// <returns>Zero or more registry-write units; never null.</returns>
static List<SemanticUnit> OnRegOpenKey(SequenceUnit s)
{
    var units = new List<SemanticUnit>();
    var openParam = (RegOpenKeyParameter)s.API.Parameter;

    // Hive handle rendered as hex (predefined HKEY_* constants are sign-extended, so ToInt32 fits).
    // NOTE(review): a 64-bit handle value above Int32.MaxValue would throw OverflowException here.
    string keyPrefix = string.Format(@"{0:X2}\{1}", openParam.HKey.ToInt32(), openParam.SubKey);

    foreach (APIUnit consumer in s.Consumers)
    {
        var setParam = (RegSetValueParameter)consumer.Parameter;
        string valuePath = keyPrefix + @"\" + setParam.Value;
        units.Add(new RegSetValueSemanticUnit
        {
            Value = valuePath.ToUpper().Trim(),
            Data = setParam.Data.ToUpper().Trim(),
        });
    }
    return units;
}
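/// <summary>
/// Emits a <see cref="DeleteFileSemanticUnit"/> for a DeleteFile call. Despite its name, <c>File</c>
/// holds the parent directory (upper-cased, trimmed) of the deleted path, falling back to the raw
/// path when no directory can be derived; <c>Extension</c> holds the upper-cased extension, overridden
/// to "EXE" when <c>IsExecutable</c> says the target is an executable.
/// </summary>
/// <param name="s">The DeleteFile sequence unit; its parameter must be a <see cref="DeleteFileParameter"/>.</param>
/// <returns>A single-element list holding the new unit.</returns>
/// <remarks>
/// <see cref="Path.GetDirectoryName(string)"/> returns null for a root path or null input; the previous
/// version relied on the resulting NullReferenceException being swallowed by a bare catch to reach the
/// fallback. The null case is now handled explicitly and only the documented path exceptions are caught.
/// </remarks>
static List<SemanticUnit> OnDeleteFile(SequenceUnit s)
{
    var deleteParam = (DeleteFileParameter)s.API.Parameter;
    var unit = new DeleteFileSemanticUnit();
    string target = deleteParam.File;

    try
    {
        string directory = Path.GetDirectoryName(target);
        unit.File = directory != null ? directory.ToUpper().Trim() : target;
    }
    catch (ArgumentException)
    {
        // Invalid path characters or an empty path: keep the raw value, as before.
        unit.File = target;
    }
    catch (PathTooLongException)
    {
        unit.File = target;
    }

    try
    {
        string extension = Path.GetExtension(target);
        if (extension != null)
        {
            unit.Extension = extension.ToUpper().Trim();
        }
    }
    catch (ArgumentException)
    {
        // Extension is optional; leave it unset on a malformed path.
    }

    // NOTE(review): GetExtension yields ".EXE" with the dot, but the override below stores "EXE"
    // without it; consumers comparing Extension must be aware of both forms.
    if (IsExecutable(target))
    {
        unit.Extension = "EXE";
    }
    return new List<SemanticUnit> { unit };
}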
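/// <summary>
/// Emits a <see cref="CreateFileSemanticUnit"/> for a CreateFile call: the requested access and
/// creation mode, the parent directory (upper-cased, trimmed, falling back to the raw path when no
/// directory can be derived) and the extension, overridden to "EXE" when <c>IsExecutable</c> says the
/// target is an executable.
/// </summary>
/// <param name="s">The CreateFile sequence unit; its parameter must be a <see cref="CreateFileParameter"/>.</param>
/// <returns>A single-element list holding the new unit.</returns>
/// <remarks>
/// <see cref="Path.GetDirectoryName(string)"/> returns null for a root path or null input; the previous
/// version relied on the resulting NullReferenceException being swallowed by a bare catch to reach the
/// fallback. The null case is now handled explicitly and only the documented path exceptions are caught.
/// </remarks>
static List<SemanticUnit> OnCreateFile(SequenceUnit s)
{
    var fileParam = (CreateFileParameter)s.API.Parameter;
    var unit = new CreateFileSemanticUnit
    {
        Access = fileParam.Access,
        Mode = fileParam.Mode,
    };
    string target = fileParam.Path;

    try
    {
        string directory = Path.GetDirectoryName(target);
        unit.Directory = directory != null ? directory.ToUpper().Trim() : target;
    }
    catch (ArgumentException)
    {
        // Invalid path characters or an empty path: keep the raw value, as before.
        unit.Directory = target;
    }
    catch (PathTooLongException)
    {
        unit.Directory = target;
    }

    try
    {
        string extension = Path.GetExtension(target);
        if (extension != null)
        {
            unit.Extension = extension.ToUpper().Trim();
        }
    }
    catch (ArgumentException)
    {
        // Extension is optional; leave it unset on a malformed path.
    }

    // NOTE(review): GetExtension yields ".EXE" with the dot, but the override below stores "EXE"
    // without it; consumers comparing Extension must be aware of both forms.
    if (IsExecutable(target))
    {
        unit.Extension = "EXE";
    }
    return new List<SemanticUnit> { unit };
}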