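/////////////////////////////////////////////////////
//
// DoSignatureScan()
//
/////////////////////////////////////////////////////
//Description: Scans memory, disk and registry for
//             given signatures. Stores results in
//             class global results object
//             (AgentSignatureMatches) and updates
//             TotalFindingsCount.
//
//             Every user's NTUSER.DAT hive is mounted
//             under HKEY_USERS for the duration of the
//             scan; the unmount runs in a finally block
//             so the hives are released even if one of
//             the scanners throws.
//
//Returns:     true if successful (the scan stages do not
//             report failure, so the method always returns
//             true unless a scanner throws)
//////////////////////////////////////////////////////
private unsafe bool DoSignatureScan()
{
    AgentScanLog.AppendLine("");
    AgentScanLog.AppendLine("*********************************************");
    AgentScanLog.AppendLine(" SIGNATURE SCAN ");
    AgentScanLog.AppendLine("*********************************************");
    AgentScanLog.AppendLine("");

    RegistryHelper RegistryScanner = new RegistryHelper();

    //mount NTUSER.DAT files (so every user's SID is mounted in HKEY_USERS)
    RegistryScanner.LoadNtUserDatFiles(false);

    try
    {
        //
        //=============================================
        //  SCAN FOR REGISTRY SIGNATURES
        //=============================================
        //
        if (AgentRegistrySignatures.Length > 0)
        {
            AgentScanLog.AppendLine("SCAN: Scanning registry for infections...");

            //optionally scan HKCR for potentially malicious GUIDs
            //nb: if any found, auto added to malware_info.GUIDs container
            if (IsSettingEnabled("Option_Scan_GUIDs"))
            {
                RegistryScanner.ScanForMaliciousGUIDs();
            }

            //create a static GUID in our AgentRegistryGuidSignatures for every dynamic GUID
            RegistryScanner.LoadDynamicGUIDs(ref AgentRegistryGuidSignatures);

            //perform actual scan
            //nb: the matches container is allocated by the scanner; its prior value is irrelevant
            RegistryScanner.ScanForRegistrySignatures(AgentRegistrySignatures, AgentRegistryGuidSignatures, ref AgentSignatureMatches.RegistrySignatureMatches);

            //append scan log
            AgentScanLog.AppendLine(RegistryScanner.RegistryHelperLog.ToString());
            AgentScanLog.AppendLine("SCAN: Registry scan complete.");
        }

        //
        //=============================================
        //  SCAN FOR FILE SIGNATURES
        //=============================================
        //
        FileHelper FileScanner = new FileHelper();

        if (AgentFileSignatures.Length > 0)
        {
            AgentScanLog.AppendLine("SCAN: Scanning all attached disks for file signatures...");

            //perform scan
            FileScanner.ScanForFileSignatures(AgentFileSignatures, ref AgentSignatureMatches.FileSignatureMatches);

            //append the file scan log
            AgentScanLog.AppendLine(FileScanner.FileHelperLog.ToString());
            AgentScanLog.AppendLine("SCAN: Disk scans complete.");
        }

        //
        //=============================================
        //  SCAN FOR MEMORY SIGNATURES
        //=============================================
        //
        MemoryHelper MemoryScanner = new MemoryHelper();

        if (AgentMemorySignatures.Length > 0)
        {
            AgentScanLog.AppendLine("SCAN: Scanning active processes for memory signatures...");

            //setup a few scan parameters based on agent settings
            bool SearchCmdLine = IsSettingEnabled("MemorySignatures_SearchCmdLine");              //search cmd line parameters?
            bool SearchHeap = IsSettingEnabled("MemorySignatures_SearchHeapSpace");               //search heap space?
            bool SearchLoadedModuleList = IsSettingEnabled("MemorySignatures_SearchLoadedModules"); //search loaded module list (dlls)?
            bool SearchForRegistryFindings = IsSettingEnabled("MemorySignatures_UseRegistryFindings"); //search registry findings in process?

            //perform scan
            //nb: registry matches from the stage above are fed in so they can be searched for in process memory
            MemoryScanner.ScanForMemorySignatures(AgentSignatureMatches.RegistrySignatureMatches, AgentMemorySignatures, ref AgentSignatureMatches.MemorySignatureMatches, SearchCmdLine, SearchHeap, SearchLoadedModuleList, SearchForRegistryFindings);

            //append the memory scanner log
            AgentScanLog.AppendLine(MemoryScanner.MemoryHelperLog.ToString());
            AgentScanLog.AppendLine("SCAN: Process scan complete.");
        }

        //calculate total # of findings
        //nb: a stage that did not run (or found nothing) may leave its container null
        TotalFindingsCount = 0;

        if (AgentSignatureMatches.RegistrySignatureMatches != null)
        {
            TotalFindingsCount += AgentSignatureMatches.RegistrySignatureMatches.Length;
        }
        if (AgentSignatureMatches.FileSignatureMatches != null)
        {
            TotalFindingsCount += AgentSignatureMatches.FileSignatureMatches.Length;
        }
        if (AgentSignatureMatches.MemorySignatureMatches != null)
        {
            TotalFindingsCount += AgentSignatureMatches.MemorySignatureMatches.Length;
        }
    }
    finally
    {
        //unload NTUSER.DAT files - must run even if a scanner threw, otherwise the
        //foreign user hives stay mounted in HKEY_USERS after the agent exits
        RegistryScanner.LoadNtUserDatFiles(true);
    }

    return true;
}

//Returns true when the named agent setting is present and its value is
//exactly "True" (the same ordinal comparison the settings checks used inline).
private bool IsSettingEnabled(string settingName)
{
    return AgentSettings.ContainsKey(settingName) && AgentSettings[settingName] == "True";
}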