static void Main(string[] args)
{
// Get Version
Version DllVersion = YSInstance.GetVersion();
// All API calls happens here
YSInstance instance = new YSInstance();
// Get list of YARA rules
List <string> ruleFilenames = Directory.GetFiles(@"D:\Test\yara", "*.yar", SearchOption.AllDirectories).ToList();
// Declare external variables (could be null)
Dictionary <string, object> externals = new Dictionary <string, object>()
{
{ "filename", string.Empty },
{ "filepath", string.Empty },
{ "extension", string.Empty }
};
// Context is where yara is initialized
// From yr_initialize() to yr_finalize()
using (YSContext context = new YSContext())
{
// Compiling rules
using (YSCompiler compiler = instance.CompileFromFiles(ruleFilenames, externals))
{
// Get compiled rules
YSRules rules = compiler.GetRules();
// Get errors
YSReport errors = compiler.GetErrors();
// Get warnings
YSReport warnings = compiler.GetWarnings();
// Some file to test yara rules
string Filename = @"";
// Get matches
List <YSMatches> Matches = instance.ScanFile(Filename, rules,
new Dictionary <string, object>()
{
{ "filename", Alphaleonis.Win32.Filesystem.Path.GetFileName(Filename) },
{ "filepath", Alphaleonis.Win32.Filesystem.Path.GetFullPath(Filename) },
{ "extension", Alphaleonis.Win32.Filesystem.Path.GetExtension(Filename) }
},
0);
// Iterate over matches
foreach (YSMatches Match in Matches)
{
//...
}
}
// Log errors
}
}
public static void Init()
{
Connector.Logger.WriteLine("[YaraIntegration.Init] Start");
Instance = new YSInstance();
Dictionary <string, object> externals = new Dictionary <string, object>()
{
{ "filename", string.Empty },
{ "filepath", string.Empty },
{ "extension", string.Empty }
};
Connector.Logger.WriteLine("[YaraIntegration.Init] Загрука YARA правил");
List <string> ruleFilenames = Directory.GetFiles(MODULE__SCAN.Configuration.YaraRulesDir, "*.yar", MODULE__SCAN.Configuration.YaraRulesSearchOption).ToList();
Connector.Logger.WriteLine($"[YaraIntegration.Init] Загружено {ruleFilenames.Count} файлов ");
Context = new YSContext();
Compiler = Instance.CompileFromFiles(ruleFilenames, externals);
Rules = Compiler.GetRules();
Errors = Compiler.GetErrors();
Warnings = Compiler.GetWarnings();
var ErrDump = Errors.Dump();
var WrnDump = Warnings.Dump();
foreach (var key in ErrDump)
{
Connector.Logger.WriteLine($"[YaraIntegration.Init] Error!");
}
foreach (var key in WrnDump)
{
Connector.Logger.WriteLine($"[YaraIntegration.Init] Warning!");
}
Connector.Logger.WriteLine($"[YaraIntegration.Init] Загрузка завершена");
}
public static YSScanner CompileRules(List <string> yaraRuleFiles, Action <string> loggingFunction)
{
YSRules result = null;
using (YSCompiler compiler = _yaraInstance.CompileFromFiles(yaraRuleFiles, null))
{
string yaraWarnings = string.Empty;
string yaraErrors = string.Empty;
YSReport warnings = compiler.GetWarnings();
if (!warnings.IsEmpty())
{
yaraWarnings = string.Join(Environment.NewLine,
warnings.Dump().Select(kvp => $"{kvp.Key}:" + Environment.NewLine + string.Join(Environment.NewLine + "\t", kvp.Value)));
}
if (!string.IsNullOrWhiteSpace(yaraWarnings))
{
loggingFunction.Invoke("YARA reported warnings.");
loggingFunction.Invoke(yaraWarnings);
loggingFunction.Invoke("");
}
YSReport errors = compiler.GetErrors();
if (!errors.IsEmpty())
{
yaraErrors = string.Join(Environment.NewLine,
errors.Dump().Select(kvp => $"{kvp.Key}:" + Environment.NewLine + string.Join(Environment.NewLine + "\t", kvp.Value)));
yaraErrors += Environment.NewLine;
}
if (!string.IsNullOrWhiteSpace(yaraErrors))
{
throw new Exception("YARA reported errors compiling rules:" + Environment.NewLine + yaraErrors);
}
result = compiler.GetRules();
}
return(new YSScanner(result, null));
}
public void CheckWarningsStillScan()
{
string inputFileBase = "CheckWarningStillScans";
string yaraRuleFile = Path.Combine(TestDataDirectory, $"{inputFileBase}.yar");
string yaraInputFile = Path.Combine(TestDataDirectory, $"{inputFileBase}.txt");
YSInstance yaraInstance = new YSInstance();
using (YSContext context = new YSContext())
{
using (YSCompiler compiler = new YSCompiler(null))
{
compiler.AddFile(yaraRuleFile);
YSReport compilerErrors = compiler.GetErrors();
YSReport compilerWarnings = compiler.GetWarnings();
YSScanner scanner = new YSScanner(compiler.GetRules(), null);
Assert.IsTrue(scanner.ScanFile(yaraInputFile).Any(r => r.Rule.Identifier == "WarningRule"));
}
}
}
private void InitializeYara()
{
var externals = new Dictionary <string, object>()
{
{ "filename", string.Empty },
{ "filepath", string.Empty },
{ "extension", string.Empty }
};
var ruleFilenames = System.IO.Directory.GetFiles(Path.Combine(AppContext.BaseDirectory, "rules"), "*.yara").ToList();
using (YSContext context = new YSContext())
{
using (YSCompiler compiler = ysInstance.CompileFromFiles(ruleFilenames, externals))
{
YSRules rules = compiler.GetRules();
YSReport errors = compiler.GetErrors();
YSReport warnings = compiler.GetWarnings();
}
}
}
private void OnExecute()
{
// Print custom help
if (Help)
{
SilkUtility.PrintHelp();
return;
}
// Print trivia
if (Trivia)
{
SilkUtility.PrintTrivia();
return;
}
// What type of collector are we creating?
if (CollectorType == CollectorType.None)
{
SilkUtility.ReturnStatusMessage("[!] Select valid collector type (-t|--type)", ConsoleColor.Red);
return;
}
else if (CollectorType == CollectorType.Kernel)
{
if (KernelKeywords == KernelKeywords.None)
{
SilkUtility.ReturnStatusMessage("[!] Select valid Kernel keyword (-kk|--kernelkeyword)", ConsoleColor.Red);
return;
}
}
else if (CollectorType == CollectorType.User)
{
if (String.IsNullOrEmpty(ProviderName))
{
SilkUtility.ReturnStatusMessage("[!] Specify valid provider name (-pn|--providername)", ConsoleColor.Red);
return;
}
// Check and convert UserKeywords to ulong
if (String.IsNullOrEmpty(UserKeywords))
{
SilkUtility.ReturnStatusMessage("[!] Specify valid keywords mask (-uk|--userkeyword)", ConsoleColor.Red);
return;
}
else
{
try
{
if (UserKeywords.StartsWith("0x"))
{
SilkUtility.UlongUserKeywords = Convert.ToUInt64(UserKeywords, 16);
}
else
{
SilkUtility.UlongUserKeywords = Convert.ToUInt64(UserKeywords);
}
}
catch
{
SilkUtility.ReturnStatusMessage("[!] Specify valid keywords mask (-uk|--userkeyword)", ConsoleColor.Red);
return;
}
}
}
// Validate output parameters
if (OutputType == OutputType.None)
{
SilkUtility.ReturnStatusMessage("[!] Select valid output type (-ot|--outputtype)", ConsoleColor.Red);
return;
}
else
{
if (OutputType == OutputType.file)
{
if (String.IsNullOrEmpty(Path))
{
SilkUtility.ReturnStatusMessage("[!] Specify valid output file (-p|--path)", ConsoleColor.Red);
return;
}
else
{
try
{
FileAttributes CheckAttrib = File.GetAttributes(Path);
if (CheckAttrib.HasFlag(FileAttributes.Directory))
{
SilkUtility.ReturnStatusMessage("[!] Specify an output filepath not a directory (-p|--path)", ConsoleColor.Red);
return;
}
}
catch { }
if (!(Directory.Exists(System.IO.Path.GetDirectoryName(Path))))
{
SilkUtility.ReturnStatusMessage("[!] Invalid path specified (-p|--path)", ConsoleColor.Red);
return;
}
else
{
if (!(SilkUtility.DirectoryHasPermission(System.IO.Path.GetDirectoryName(Path), System.Security.AccessControl.FileSystemRights.Write)))
{
SilkUtility.ReturnStatusMessage("[!] No write access to output path (-p|--path)", ConsoleColor.Red);
return;
}
}
}
}
else
{
if (String.IsNullOrEmpty(Path))
{
SilkUtility.ReturnStatusMessage("[!] Specify valid URL (-p|--path)", ConsoleColor.Red);
return;
}
else
{
Uri uriResult;
bool UrlResult = Uri.TryCreate(Path, UriKind.Absolute, out uriResult) && (uriResult.Scheme == Uri.UriSchemeHttp || uriResult.Scheme == Uri.UriSchemeHttps);
if (!UrlResult)
{
SilkUtility.ReturnStatusMessage("[!] Invalid URL specified (-p|--path)", ConsoleColor.Red);
return;
}
}
}
}
// Validate filter options
// None, EventName, ProcessID, ProcessName, Opcode
if (FilterOption != FilterOption.None)
{
if (String.IsNullOrEmpty(FilterValue))
{
SilkUtility.ReturnStatusMessage("[!] Specify a valid filter value (-fv|--filtervalue) in conjunction with -f", ConsoleColor.Red);
return;
}
if (FilterOption == FilterOption.ProcessID)
{
try
{
SilkUtility.FilterValueObject = Convert.ToUInt32(FilterValue);
}
catch
{
SilkUtility.ReturnStatusMessage("[!] Specify a valid ProcessID", ConsoleColor.Red);
return;
}
}
else if (FilterOption == FilterOption.Opcode)
{
try
{
SilkUtility.FilterValueObject = byte.Parse(FilterValue);
if ((byte)SilkUtility.FilterValueObject > 9)
{
SilkUtility.ReturnStatusMessage("[!] Opcode outside valid range (0-9)", ConsoleColor.Red);
return;
}
}
catch
{
SilkUtility.ReturnStatusMessage("[!] Specify a valid Opcode", ConsoleColor.Red);
return;
}
}
else
{
SilkUtility.FilterValueObject = FilterValue;
}
}
// Validate Yara folder path
if (YaraScan != String.Empty)
{
try
{
FileAttributes CheckAttrib = File.GetAttributes(YaraScan);
if (!(CheckAttrib.HasFlag(FileAttributes.Directory)))
{
SilkUtility.ReturnStatusMessage("[!] Specified path is not a folder (-y|--yara)", ConsoleColor.Red);
return;
}
else
{
List <string> YaraRuleCollection = Directory.GetFiles(YaraScan, "*.yar", SearchOption.AllDirectories).ToList();
if (YaraRuleCollection.Count == 0)
{
SilkUtility.ReturnStatusMessage("[!] Yara folder path does not contain any *.yar files (-y|--yara)", ConsoleColor.Red);
return;
}
else
{
// We already initialize yara for performace,
// new rules can not be added at runtime.
SilkUtility.YaraInstance = new YSInstance();
SilkUtility.YaraContext = new YSContext();
SilkUtility.YaraCompiler = SilkUtility.YaraInstance.CompileFromFiles(YaraRuleCollection, null);
SilkUtility.YaraRules = SilkUtility.YaraCompiler.GetRules();
YSReport YaraReport = SilkUtility.YaraCompiler.GetErrors();
if (!(YaraReport.IsEmpty()))
{
SilkUtility.ReturnStatusMessage("[!] The following yara errors were detected (-y|--yara)", ConsoleColor.Red);
Dictionary <string, List <string> > Errors = YaraReport.Dump();
foreach (KeyValuePair <string, List <string> > Error in Errors)
{
SilkUtility.ReturnStatusMessage("==> " + Error.Key, ConsoleColor.Yellow);
foreach (String ErrorMsg in Error.Value)
{
SilkUtility.ReturnStatusMessage(" + " + ErrorMsg, ConsoleColor.Yellow);
}
}
return;
}
}
}
}
catch
{
SilkUtility.ReturnStatusMessage("[!] Specify a valid yara rule folder path (-y|--yara)", ConsoleColor.Red);
return;
}
if (YaraOptions == YaraOptions.None)
{
SilkUtility.ReturnStatusMessage("[!] Specify a valid yara option (-yo|--yaraoptions)", ConsoleColor.Red);
return;
}
}
// We passed all collector parameter checks
SilkUtility.ReturnStatusMessage("[+] Collector parameter validation success..", ConsoleColor.Green);
// Launch the collector
if (CollectorType == CollectorType.Kernel)
{
ETWCollector.StartTrace(CollectorType, (ulong)KernelKeywords, OutputType, Path, FilterOption, SilkUtility.FilterValueObject, YaraScan, YaraOptions);
}
else
{
ETWCollector.StartTrace(CollectorType, SilkUtility.UlongUserKeywords, OutputType, Path, FilterOption, SilkUtility.FilterValueObject, YaraScan, YaraOptions, ProviderName, UserTraceEventLevel);
}
}
// Spin up collector threads
public static Boolean ValidateCollectorParameters(List <CollectorParameters> Collectors)
{
// Loop collector configs
for (int i = 0; i < Collectors.Count; i++)
{
// Assign list instance to variable
CollectorParameters Collector = Collectors[i];
// What type of collector are we creating?
if (Collector.CollectorType == CollectorType.None)
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid CollectorType specified", true);
return(false);
}
else if (Collector.CollectorType == CollectorType.Kernel)
{
if (Collector.KernelKeywords == KernelKeywords.None)
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid KernelKeywords specified", true);
return(false);
}
}
else if (Collector.CollectorType == CollectorType.User)
{
if (String.IsNullOrEmpty(Collector.ProviderName))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid ProviderName specified", true);
return(false);
}
// Check and convert UserKeywords to ulong
if (String.IsNullOrEmpty((String)Collector.UserKeywords))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid UserKeywords specified", true);
return(false);
}
else
{
try
{
if (((String)Collector.UserKeywords).StartsWith("0x"))
{
Collector.UserKeywords = Convert.ToUInt64((String)Collector.UserKeywords, 16);
}
else
{
Collector.UserKeywords = Convert.ToUInt64((String)Collector.UserKeywords);
}
}
catch
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid UserKeywords mask specified", true);
return(false);
}
}
}
// Validate output parameters
if (Collector.OutputType == OutputType.None)
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid OutputType specified", true);
return(false);
}
else
{
if (Collector.OutputType == OutputType.file)
{
if (String.IsNullOrEmpty(Collector.Path))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid output path specified", true);
return(false);
}
else
{
try
{
FileAttributes CheckAttrib = File.GetAttributes(Collector.Path);
if (CheckAttrib.HasFlag(FileAttributes.Directory))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Output path is a directory, not a file", true);
return(false);
}
}
catch { }
if (!(Directory.Exists(System.IO.Path.GetDirectoryName(Collector.Path))))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Output path does not exist", true);
return(false);
}
else
{
if (!(SilkUtility.DirectoryHasPermission(System.IO.Path.GetDirectoryName(Collector.Path), System.Security.AccessControl.FileSystemRights.Write)))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "No write access to output path", true);
return(false);
}
}
}
}
else if (Collector.OutputType == OutputType.url)
{
if (String.IsNullOrEmpty(Collector.Path))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "No URL specified", true);
return(false);
}
else
{
Uri uriResult;
bool UrlResult = Uri.TryCreate(Collector.Path, UriKind.Absolute, out uriResult) && (uriResult.Scheme == Uri.UriSchemeHttp || uriResult.Scheme == Uri.UriSchemeHttps);
if (!UrlResult)
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid URL specified", true);
return(false);
}
}
}
else if (Collector.OutputType == OutputType.eventlog)
{
Collector.Path = "SilkService-Log";
}
}
// Validate filter options
// None, EventName, ProcessID, ProcessName, Opcode
if (Collector.FilterOption != FilterOption.None)
{
if (String.IsNullOrEmpty((String)Collector.FilterValue))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid FilterValue specified", true);
return(false);
}
if (Collector.FilterOption == FilterOption.ProcessID)
{
try
{
Collector.FilterValue = Convert.ToUInt32((String)Collector.FilterValue);
}
catch
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid ProcessID specified", true);
return(false);
}
}
if (Collector.FilterOption == FilterOption.Opcode)
{
try
{
Collector.FilterValue = byte.Parse((String)Collector.FilterValue);
if ((byte)Collector.FilterValue > 9)
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Opcode outside valid range (0-9)", true);
return(false);
}
}
catch
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid Opcode specified", true);
return(false);
}
}
else
{
Collector.FilterValue = (String)Collector.FilterValue;
}
}
// Validate Yara folder path
if (Collector.YaraScan != String.Empty)
{
try
{
FileAttributes CheckAttrib = File.GetAttributes(Collector.YaraScan);
if (!(CheckAttrib.HasFlag(FileAttributes.Directory)))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "YaraScan path is not a directory", true);
return(false);
}
else
{
List <string> YaraRuleCollection = Directory.GetFiles(Collector.YaraScan, "*.yar", SearchOption.AllDirectories).ToList();
if (YaraRuleCollection.Count == 0)
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "YaraScan directory does not conatin any *.yar files", true);
return(false);
}
else
{
// We already initialize yara for performace,
// new rules can not be added at runtime.
Collector.YaraInstance = new YSInstance();
Collector.YaraContext = new YSContext();
Collector.YaraCompiler = Collector.YaraInstance.CompileFromFiles(YaraRuleCollection, null);
Collector.YaraRules = Collector.YaraCompiler.GetRules();
YSReport YaraReport = Collector.YaraCompiler.GetErrors();
if (!(YaraReport.IsEmpty()))
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "The following yara errors were detected", true);
Dictionary <string, List <string> > Errors = YaraReport.Dump();
foreach (KeyValuePair <string, List <string> > Error in Errors)
{
SilkUtility.WriteToServiceTextLog("==> " + Error.Key);
foreach (String ErrorMsg in Error.Value)
{
SilkUtility.WriteToServiceTextLog(" + " + ErrorMsg);
}
}
return(false);
}
}
}
}
catch
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid YaraScan folder path", true);
return(false);
}
if (Collector.YaraOptions == YaraOptions.None)
{
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Invalid YaraOptions specified", true);
return(false);
}
}
// Overwrite list entry
Collectors[i] = Collector;
// We passed all collector parameter checks
SilkUtility.WriteCollectorGuidMessageToServiceTextLog(Collector.CollectorGUID, "Parameter validation success", false);
}
// Validation complete
return(true);
}
/// <summary>
/// Forward user to form where he can check if his file is malicious.
/// </summary>
///
/// <param name="sender"></param>
/// <param name="e"></param>
private void IsThisMaliciousSign_MouseClick(object sender, MouseEventArgs e)
{
// TODO: only for clamp database.
// Get path to \Downloads folder.
string downloadsPath = KnownFolders.Downloads.Path;
DialogResult result = this.chooseFileToDetermineIfMaliciousDialog.ShowDialog(); // Show the dialog.
if (result == DialogResult.OK) // Test result.
{
string file = this.chooseFileToDetermineIfMaliciousDialog.FileName;
string script = "../../../../[PYTHON]/extractFeatures.py";
#region handle non-english charachters in path
// Move script to \Downloads.
File.Copy(Path.GetFullPath(script).Replace("/", @"\\"), downloadsPath + @"\\" + Path.GetFileName(script), true);
// Move file to \Downloads.
File.Copy(file, downloadsPath + @"\\" + Path.GetFileName(file), true);
var targetDirPath = new DirectoryInfo(downloadsPath + @"\\Python");
var sourceDirPath = new DirectoryInfo(Path.GetFullPath("../../../../[PYTHON]/Python/"));
CopyAll(targetDirPath, sourceDirPath);
script = downloadsPath + @"\\" + Path.GetFileName(script);
string outputFile = (downloadsPath + @"\" + Path.GetFileName(file) + rand.Next(10000).ToString() + "_clamp_features.csv").ToString();
#endregion
#region extract features with python script
try
{
// Create process info.
var psi = new ProcessStartInfo();
// Location to python.
psi.FileName = Path.GetFullPath(@"../../../../[PYTHON]/Python/python.exe").ToString();
// Provide script and arguments.
psi.Arguments = string.Format("{0} {1} {2}", script, downloadsPath + @"\\" + Path.GetFileName(file), outputFile);
// Process configuration.
psi.UseShellExecute = false;
psi.CreateNoWindow = true;
psi.RedirectStandardOutput = true;
psi.RedirectStandardError = true;
// Execute process and get output.
var errors = "";
var results = "";
// Execute script.
using (var process = Process.Start(psi))
{
errors = process.StandardError.ReadToEnd();
results = process.StandardOutput.ReadToEnd();
}
if (errors != "")
{
throw new Exception("[IsThisMaliciousSign_MouseClick]\r\n" + errors);
}
}
catch (IOException)
{
throw new Exception("[UploadSign_MouseClick] Coudn't process the file.");
}
#endregion
int packed = 0;
string packer = "NoPacker";
#region find out packer and packer type using YaraSharp
// All API calls happens here.
YSInstance instance = new YSInstance();
// Declare external variables (could be null).
Dictionary <string, object> externals = new Dictionary <string, object>()
{
{ "filename", string.Empty },
{ "filepath", string.Empty },
{ "extension", string.Empty }
};
// Get list of YARA rules.
List <string> rulesFile = new List <string>();
// Download rules (peid.yara) to users computer since YaraSharp can't read non-english charachters in file path.
WebClient Client = new WebClient();
Client.DownloadFile(new Uri("https://raw.githubusercontent.com/urwithajit9/ClaMP/master/scripts/peid.yara"), downloadsPath + @"\peid.yara");
rulesFile.Add(Path.GetFullPath(downloadsPath + @"\peid.yara").ToString());
// Context is where yara is initialized.
// From yr_initialize() to yr_finalize().
using (YSContext context = new YSContext())
{
// Compiling rules.
using (YSCompiler compiler = instance.CompileFromFiles(rulesFile, externals))
{
// Get compiled rules.
YSRules rules = compiler.GetRules();
// Get errors.
YSReport errors = compiler.GetErrors();
// Get warnings.
YSReport warnings = compiler.GetWarnings();
// Some file to test yara rules.
string Filename = file;
// Get matches.
List <YSMatches> Matches = instance.ScanFile(Filename, rules,
new Dictionary <string, object>()
{
{ "filename", Path.GetFileName(Filename) },
{ "filepath", Path.GetFullPath(Filename) },
{ "extension", Path.GetExtension(Filename) }
},
0);
// Get packer name if packed.
if (Matches.Count > 0)
{
packed = 1;
packer = Matches[0].Rule.Identifier;
}
}
}
#endregion
#region determine if file is malicious using best model so far
DataTable fileFeatures = new DataTable();
#region csv to datatable
using (StreamReader sr = new StreamReader(outputFile))
{
string[] headers = sr.ReadLine().Split(',');
foreach (string header in headers)
{
fileFeatures.Columns.Add(header);
}
while (!sr.EndOfStream)
{
string[] rows = sr.ReadLine().Split(',');
if (rows[0] == "")
{
continue;
}
DataRow dr = fileFeatures.NewRow();
for (int i = 0; i < headers.Length; i++)
{
if (headers[i] == "packer")
{
dr[i] = packed;
continue;
}
if (headers[i] == "packer_type")
{
dr[i] = packer;
continue;
}
dr[i] = rows[i];
}
fileFeatures.Rows.Add(dr);
}
}
#endregion
double evaluation = this.detection.model.symbolicTree.Evaluate(fileFeatures.Rows[0]);
if (evaluation >= 0)
{
string mnok = "Your file is malicious!";
CustomDialogBox dialog = new CustomDialogBox("Malicious", mnok, global::antico.Properties.Resources.nok_shield, MessageBoxButtons.OK);
dialog.ShowDialog();
}
else
{
string mok = "Your file is benign!";
CustomDialogBox dialog = new CustomDialogBox("Benign", mok, global::antico.Properties.Resources.ok_shield, MessageBoxButtons.OK);
dialog.ShowDialog();
}
#endregion
#region handle non-english charachters in path
// Delete and move files at the end.
if (File.Exists(downloadsPath + @"\\" + Path.GetFileName(script)))
{
// Delete script from \Downloads directory.
File.Delete(downloadsPath + @"\\" + Path.GetFileName(script));
}
if (File.Exists(outputFile))
{
// Move file to its true destination.
File.Move(outputFile, @"..\\..\\..\\..\\[PYTHON]\\ExtractedFeatures\\" + Path.GetFileName(outputFile));
}
if (File.Exists(downloadsPath + @"\\" + Path.GetFileName(file)))
{
File.Delete(downloadsPath + @"\\" + Path.GetFileName(file));
}
if (Directory.Exists(downloadsPath + @"\\Python"))
{
Directory.Delete(downloadsPath + @"\\Python", true);
}
#endregion
// Delete downloaded peid.yara file.
if (File.Exists(downloadsPath + @"\peid.yara"))
{
File.Delete(downloadsPath + @"\peid.yara");
}
}
}
