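/////////////////////////////////////////////////////
//
// DoCollect()
//
/////////////////////////////////////////////////////
// Description: Collects all files identified in the scan
//              as malicious and stuffs them into a
//              password-protected, encrypted ZIP file.
//
//              The archive receives:
//                1. every file named by a file signature match
//                2. every on-disk file named by a registry signature match
//                3. InfectionLog.txt  - summary of registry/file/memory findings (created here)
//                4. USB_Devices.txt   - enumerated USB devices (created here)
//                5. dotnetfx_install_log.txt - only if it exists in the working directory
//
// NOTE: depends on DoSignatureScan() having populated AgentSignatureMatches.
//
// NOTE: the archive is only encrypted when AgentSettings contains
//       "Reporting_Archive_Password"; otherwise it is written in the clear
//       and a warning is appended to AgentScanLog.
//
// NOTE: side effects - sets ZipFileName and ZipPassword; writes the two
//       report files, the zip's temp files and the zip itself into the
//       current working directory.
//
// Returns: true once the zip has been saved. The method has no failure
//          path of its own; exceptions thrown by the helpers propagate
//          (the zip and report writers are disposed on the way out).
//////////////////////////////////////////////////////
private unsafe bool DoCollect()
{
    AgentScanLog.AppendLine("");
    AgentScanLog.AppendLine("*********************************************");
    AgentScanLog.AppendLine(" COLLECT ");
    AgentScanLog.AppendLine("*********************************************");
    AgentScanLog.AppendLine("");
    AgentScanLog.AppendLine("COLLECT: Collecting evidence files...");

    //---------------------------------
    // BUILD ZIP NAME
    //---------------------------------
    ZipFileName = Collect.BuildZipName(TotalFindingsCount);

    // using: the zip (and its temp files) is released even if a helper throws
    using (ZipFile zip = new ZipFile(ZipFileName))
    {
        if (AgentSettings.ContainsKey("Reporting_Archive_Password"))
        {
            // Keep a SecureString copy of the password in ZipPassword. The
            // zip library still has to be given a managed string, so this only
            // limits how many plaintext copies linger, it does not remove them.
            char[] passwordChars = AgentSettings["Reporting_Archive_Password"].ToCharArray();
            fixed (char* pChars = passwordChars)
            {
                ZipPassword = new SecureString(pChars, passwordChars.Length);
            }
            // the char[] working copy is no longer needed - scrub it
            Array.Clear(passwordChars, 0, passwordChars.Length);

            // decrypt our password into unmanaged memory only as long as it
            // takes to hand it to the zip library, then zero and free it
            IntPtr pptr = Marshal.SecureStringToBSTR(ZipPassword);
            try
            {
                zip.Password = Marshal.PtrToStringBSTR(pptr);
            }
            finally
            {
                Marshal.ZeroFreeBSTR(pptr);
            }
        }
        else
        {
            AgentScanLog.AppendLine("COLLECT: WARNING - no Reporting_Archive_Password configured; archive will not be encrypted.");
        }

        // zip library scratch files go next to the archive (working directory)
        zip.TempFileFolder = ".";

        //---------------------------------
        // 1. MALWARE FILES
        //---------------------------------
        AgentScanLog.AppendLine("COLLECT: Searching file signature matches for files...");
        int added = 0;
        foreach (CwXML.FileSignatureMatch fileMatch in AgentSignatureMatches.FileSignatureMatches)
        {
            if (Collect.AddToZip(zip, fileMatch.FullPath))
            {
                added++;
            }
        }
        AgentScanLog.AppendLine("COLLECT: Added " + added + " files.");

        AgentScanLog.AppendLine("COLLECT: Searching registry signature matches for files...");
        added = 0;
        foreach (CwXML.RegistrySignatureMatch registryMatch in AgentSignatureMatches.RegistrySignatureMatches)
        {
            // only registry values that point at a file on disk are collectable;
            // the value data is used as the path (AddToZip decides whether it is usable)
            if (registryMatch.IsFileOnDisk && Collect.AddToZip(zip, registryMatch.RegistryValueData))
            {
                added++;
            }
        }
        AgentScanLog.AppendLine("COLLECT: Added " + added + " files.");

        //---------------------------------
        // 2. ADD INFECTION LOG
        //---------------------------------
        AgentScanLog.AppendLine("COLLECT: Generating infection summary report...");
        StringBuilder infectionSummaryReport = new StringBuilder();
        RegistryHelper regHelper = new RegistryHelper();
        FileHelper fileHelper = new FileHelper();
        MemoryHelper memHelper = new MemoryHelper();
        regHelper.PrintRegistryFindings(AgentSignatureMatches.RegistrySignatureMatches, ref infectionSummaryReport);
        fileHelper.PrintFileFindings(AgentSignatureMatches.FileSignatureMatches, ref infectionSummaryReport);
        memHelper.PrintMemoryFindings(AgentSignatureMatches.MemorySignatureMatches, ref infectionSummaryReport);

        // the writer must be closed before the file is handed to the zip
        using (StreamWriter infectionLog = new StreamWriter("InfectionLog.txt"))
        {
            infectionLog.WriteLine(infectionSummaryReport.ToString());
        }
        zip.AddFile("InfectionLog.txt");

        //---------------------------------
        // 3. ADD USB DEVICES LOG
        //---------------------------------
        AgentScanLog.AppendLine("COLLECT: Enumerating USB Devices...");
        StringBuilder usbDevicesReport = new StringBuilder();
        Collect.EnumerateUSBDevices(ref usbDevicesReport);
        using (StreamWriter usbLogFile = new StreamWriter("USB_Devices.txt"))
        {
            usbLogFile.WriteLine(usbDevicesReport.ToString());
        }
        zip.AddFile("USB_Devices.txt");

        //---------------------------------
        // 4. ADD .NET LOG (optional)
        //---------------------------------
        // best effort: a missing or unreadable install log must not abort collection,
        // but the reason is recorded instead of being swallowed silently
        try
        {
            FileInfo dotnetfxLogfile = new FileInfo("dotnetfx_install_log.txt");
            if (dotnetfxLogfile.Exists)
            {
                zip.AddFile("dotnetfx_install_log.txt");
            }
        }
        catch (Exception ex)
        {
            AgentScanLog.AppendLine("COLLECT: Skipping dotnetfx_install_log.txt: " + ex.Message);
        }

        AgentScanLog.AppendLine("COLLECT: All evidence collected.");
        AgentScanLog.AppendLine("COLLECT: Saving zip to disk...");
        zip.Save();
    } // zip is closed and written to disk here

    return true;
}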