        /////////////////////////////////////////////////////
        //                                                 //
        // DoSignatureScan()                               //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Scans memory, disk and registry for
        //              given signatures.  Stores results in
        //              class global results object.
        //
        //Returns:      always true -- per-scan problems are only
        //              recorded in AgentScanLog, never signalled here
        //////////////////////////////////////////////////////
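        //nb: no pointer code lives in this method, so it does not need an unsafe context.
        private bool DoSignatureScan()
        {
            AgentScanLog.AppendLine("");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("               SIGNATURE SCAN                ");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("");

            RegistryHelper RegistryScanner = new RegistryHelper();

            //mount every user's NTUSER.DAT under HKEY_USERS so per-user keys are
            //visible to the registry scan.  This is a machine-wide side effect:
            //foreign hives stay mounted until the matching unload below runs, so
            //the unload is placed in a finally block -- an exception thrown by any
            //of the three scans must not leave other users' hives mounted.
            //nb: mounted unconditionally, as before; review whether the mount can be
            //    skipped when no registry signatures are loaded.
            RegistryScanner.LoadNtUserDatFiles(false);

            try
            {
                //=============================================
                //          SCAN FOR REGISTRY SIGNATURES
                //=============================================
                if (AgentRegistrySignatures != null && AgentRegistrySignatures.Length > 0)
                {
                    RunRegistrySignatureScan(RegistryScanner);
                }

                //=============================================
                //          SCAN FOR FILE SIGNATURES
                //=============================================
                if (AgentFileSignatures != null && AgentFileSignatures.Length > 0)
                {
                    RunFileSignatureScan();
                }

                //=============================================
                //          SCAN FOR MEMORY SIGNATURES
                //=============================================
                if (AgentMemorySignatures != null && AgentMemorySignatures.Length > 0)
                {
                    RunMemorySignatureScan();
                }

                //calculate total # of findings (a scan that did not run leaves its
                //match array null and contributes nothing)
                TotalFindingsCount = CountSignatureMatches();
            }
            finally
            {
                //unload NTUSER.DAT files, even if a scan threw
                RegistryScanner.LoadNtUserDatFiles(true);
            }

            return true;
        }

        //True when the named agent setting is present and is exactly "True"
        //(case-sensitive ordinal comparison, matching the original checks).
        private bool IsAgentSettingEnabled(string key)
        {
            return AgentSettings.ContainsKey(key) && AgentSettings[key] == "True";
        }

        //Scans the registry (including the per-user hives the caller has mounted
        //on registryScanner) for the loaded registry signatures.  Matches land in
        //AgentSignatureMatches.RegistrySignatureMatches; the helper's log is
        //appended to AgentScanLog.
        private void RunRegistrySignatureScan(RegistryHelper registryScanner)
        {
            AgentScanLog.AppendLine("SCAN:  Scanning registry for infections...");

            //optionally scan HKCR for potentially malicious GUIDs
            //nb:  if any found, auto added to malware_info.GUIDs container
            if (IsAgentSettingEnabled("Option_Scan_GUIDs"))
            {
                registryScanner.ScanForMaliciousGUIDs();
            }

            //create a static GUID in our AgentRegistryGuidSignatures for every dynamic GUID
            registryScanner.LoadDynamicGUIDs(ref AgentRegistryGuidSignatures);

            //perform actual scan; the match array is allocated by the callee
            registryScanner.ScanForRegistrySignatures(AgentRegistrySignatures, AgentRegistryGuidSignatures, ref AgentSignatureMatches.RegistrySignatureMatches);

            //append scan log
            AgentScanLog.AppendLine(registryScanner.RegistryHelperLog.ToString());
            AgentScanLog.AppendLine("SCAN:  Registry scan complete.");
        }

        //Scans all attached disks for the loaded file signatures.  Matches land in
        //AgentSignatureMatches.FileSignatureMatches; the helper's log is appended
        //to AgentScanLog.  The FileHelper is only constructed when a scan runs.
        private void RunFileSignatureScan()
        {
            FileHelper fileScanner = new FileHelper();

            AgentScanLog.AppendLine("SCAN:  Scanning all attached disks for file signatures...");

            //perform scan
            fileScanner.ScanForFileSignatures(AgentFileSignatures, ref AgentSignatureMatches.FileSignatureMatches);

            //append the file scan log
            AgentScanLog.AppendLine(fileScanner.FileHelperLog.ToString());
            AgentScanLog.AppendLine("SCAN:  Disk scans complete.");
        }

        //Scans active processes for the loaded memory signatures.  Which regions
        //are searched (command line, heap, loaded module list) and whether the
        //registry findings are reused as extra search terms are read from agent
        //settings; each defaults to off when the setting is absent.  Matches land
        //in AgentSignatureMatches.MemorySignatureMatches; the helper's log is
        //appended to AgentScanLog.
        private void RunMemorySignatureScan()
        {
            MemoryHelper memoryScanner = new MemoryHelper();

            AgentScanLog.AppendLine("SCAN:  Scanning active processes for memory signatures...");

            //setup scan parameters based on agent settings
            bool searchCmdLine = IsAgentSettingEnabled("MemorySignatures_SearchCmdLine");
            bool searchHeap = IsAgentSettingEnabled("MemorySignatures_SearchHeapSpace");
            bool searchLoadedModuleList = IsAgentSettingEnabled("MemorySignatures_SearchLoadedModules");
            bool searchForRegistryFindings = IsAgentSettingEnabled("MemorySignatures_UseRegistryFindings");

            //nb: RegistrySignatureMatches is null when the registry scan did not run;
            //    the original passed it through unchecked, so the helper is assumed
            //    to tolerate a null -- confirm in MemoryHelper.
            memoryScanner.ScanForMemorySignatures(AgentSignatureMatches.RegistrySignatureMatches, AgentMemorySignatures, ref AgentSignatureMatches.MemorySignatureMatches, searchCmdLine, searchHeap, searchLoadedModuleList, searchForRegistryFindings);

            //append the memory scanner log
            AgentScanLog.AppendLine(memoryScanner.MemoryHelperLog.ToString());
            AgentScanLog.AppendLine("SCAN:  Process scan complete.");
        }

        //Sums the lengths of the three match arrays; a null array (scan not run)
        //counts as zero.
        private int CountSignatureMatches()
        {
            int total = 0;

            if (AgentSignatureMatches.RegistrySignatureMatches != null)
            {
                total += AgentSignatureMatches.RegistrySignatureMatches.Length;
            }
            if (AgentSignatureMatches.FileSignatureMatches != null)
            {
                total += AgentSignatureMatches.FileSignatureMatches.Length;
            }
            if (AgentSignatureMatches.MemorySignatureMatches != null)
            {
                total += AgentSignatureMatches.MemorySignatureMatches.Length;
            }

            return total;
        }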