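// Print the summary banner and report every directory tracker whose suspicious-write
// count reached DirectoryEventTracker.SUSPICOUS_EVENTS_THRESHOLD.
//
// Returns one (processName, pid) tuple per distinct flagged process, in the order the
// trackers are enumerated. A process that tripped the threshold in several directories
// is reported once.
//
// Fix: de-duplication used to be on process name alone, so a second instance of the
// same image (same name, different PID) was silently dropped from both the console
// output and the returned list. The key is now the (name, PID) pair, which is also
// exactly what is returned, so the console output and the list agree.
public static List<Tuple<string, int>> printSummary()
{
    Out.WriteLine("");
    Out.WriteLine("");
    Out.WriteLine("======================================================");
    Out.WriteLine("\t\tSummary");
    Out.WriteLine("======================================================");

    // System.Tuple uses structural equality, so the set de-duplicates on (name, pid).
    HashSet<Tuple<string, int>> reported = new HashSet<Tuple<string, int>>();
    List<Tuple<string, int>> summaryProcess = new List<Tuple<string, int>>();

    foreach (DictionaryEntry de in directoryOperations)
    {
        // de.Value is the tracker itself; no need for a second table lookup by key.
        DirectoryEventTracker det = (DirectoryEventTracker)de.Value;
        if (det.suspiciousWriteEvents.Count < DirectoryEventTracker.SUSPICOUS_EVENTS_THRESHOLD)
        {
            continue;
        }

        Tuple<string, int> process = Tuple.Create(det.processName, det.pid);
        // HashSet.Add returns false when this (name, pid) pair was already reported.
        if (reported.Add(process))
        {
            Out.WriteLine("Ransomware behavior detected in process : [" + det.processName + "] PID [" + det.pid.ToString() + "]");
            summaryProcess.Add(process);
        }
    }

    return summaryProcess;
}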
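// Record a file-write event against the tracker for the file's directory.
//
// Branch behavior is unchanged from the original:
//   * PID already seen and directory already tracked -> append to the existing tracker.
//   * Otherwise -> remember the PID (if new) and install a fresh tracker for the
//     directory, replacing any tracker already stored for it.
// Whether the write counts as suspicious (same PID that read the directory, timing)
// is decided inside DirectoryEventTracker.addWriteEvent, not here.
//
// NOTE(review): directoryOperations is keyed by directory alone. A second process
// writing into a directory another, already-seen process populated therefore appends
// to (or, if its PID is new, overwrites) the first process's tracker, and the tracker
// keeps the name/PID it was created with for the summary. Confirm this attribution is
// intended before trusting per-process results on shared directories.
//
// Fix: Path.GetDirectoryName returns null for a root path (e.g. "C:\") and the ETW
// file name can be empty or null; a null Hashtable key throws and aborts the whole
// trace walk on one event. Such events are now logged and skipped instead.
public static void fileWriteEvent(FileIOReadWriteTraceData writeEvent)
{
    string fileName = writeEvent.FileName;
    string currDir = string.IsNullOrEmpty(fileName) ? null : Path.GetDirectoryName(fileName);
    if (currDir == null)
    {
        Out.WriteLine("No directory, disregarding file write for: " + fileName);
        return;
    }

    int pid = writeEvent.ProcessID;
    bool knownPid = pidList.Contains(pid);

    DirectoryEventTracker tracker = null;
    if (knownPid && directoryOperations.ContainsKey(currDir))
    {
        tracker = (DirectoryEventTracker)directoryOperations[currDir];
    }
    if (tracker == null)
    {
        if (!knownPid)
        {
            pidList.Add(pid);
        }
        tracker = new DirectoryEventTracker(pid, writeEvent.TimeStampRelativeMSec, currDir, writeEvent.ProcessName, (StreamWriter)Out);
    }

    tracker.addWriteEvent(writeEvent);
    // Stored back unconditionally, as the original did; harmless for a class and
    // required should DirectoryEventTracker turn out to be a value type.
    directoryOperations[currDir] = tracker;
}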
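// Record a file-read event against the tracker for the file's directory.
//
// Reads of extensionless paths are dropped up front: some applications (see
// IE_plus.zip_test.etl.zip) generate cache reads that would otherwise pollute the
// per-directory history. NOTE(review): this also means reads of genuinely
// extensionless files never reach the trackers, so a process that only reads such
// files will not build up the read history that later marks its writes suspicious.
//
// Branch behavior is unchanged from the original:
//   * PID already seen and directory already tracked -> append to the existing tracker.
//   * Otherwise -> remember the PID (if new) and install a fresh tracker for the
//     directory, replacing any tracker already stored for it.
//
// NOTE(review): directoryOperations is keyed by directory alone, so the tracker for a
// shared directory carries the name/PID of whichever process last created it; a
// different, already-seen PID reading the same directory appends to that tracker.
//
// Fix: Path.GetDirectoryName returns null for a root path, and a null Hashtable key
// throws and aborts the trace walk; such events are now logged and skipped.
public static void fileReadEvent(FileIOReadWriteTraceData readEvent)
{
    string fileName = readEvent.FileName;
    // Path.HasExtension is false for null and empty, so those are rejected here too.
    if (!Path.HasExtension(fileName))
    {
        Out.WriteLine("No extension, disregarding file read for: " + fileName);
        return;
    }

    string currDir = Path.GetDirectoryName(fileName);
    if (currDir == null)
    {
        Out.WriteLine("No directory, disregarding file read for: " + fileName);
        return;
    }

    int pid = readEvent.ProcessID;
    bool knownPid = pidList.Contains(pid);

    DirectoryEventTracker tracker = null;
    if (knownPid && directoryOperations.ContainsKey(currDir))
    {
        tracker = (DirectoryEventTracker)directoryOperations[currDir];
    }
    if (tracker == null)
    {
        if (!knownPid)
        {
            pidList.Add(pid);
        }
        tracker = new DirectoryEventTracker(pid, readEvent.TimeStampRelativeMSec, currDir, readEvent.ProcessName, (StreamWriter)Out);
    }

    tracker.addReadEvent(readEvent);
    // Stored back unconditionally, as the original did; harmless for a class and
    // required should DirectoryEventTracker turn out to be a value type.
    directoryOperations[currDir] = tracker;
}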