コード例 #1
0
        public static void shannonReaction(string path)
        {
            //Thread.Sleep(2000);
            ProcMon.procmonTerminator(pathToBackingFile, BACKINGNAME + INDEXER);
            //Thread.Sleep(10000);

            INDEXER++;
            var cpmbf = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME + INDEXER));

            cpmbf.Start();

            Thread.Sleep(3000);

            ProcMon.convertPMLfileToCSV(pathToBackingFile, BACKINGNAME + (INDEXER - 1) + ".PML", "convertedFile" + (INDEXER - 1) + ".CSV");
            //Thread.Sleep(3000);

            bool hasCSVbeenWritten = false;

            Console.WriteLine("Path to CSV file: " + pathToBackingFile + "\\" + "convertedFile" + (INDEXER - 1) + ".CSV");

            while (hasCSVbeenWritten == false)
            {
                try
                {
                    using (Stream stream = new FileStream(pathToBackingFile + "\\" + "convertedFile" + (INDEXER - 1) + ".CSV", FileMode.Open))
                    {
                        hasCSVbeenWritten = true;
                        stream.Dispose();
                    }
                }
                catch (IOException)
                {
                }
                Thread.Sleep(50);
            }

            List <CSVfileHandler> parsedData = CSVfileHandler.CSVparser(pathToBackingFile + "\\" + "convertedFile" + (INDEXER - 1) + ".CSV");

            foreach (var item in parsedData)
            {
                if (!item.processName.Equals("Explorer.EXE"))
                {
                    try
                    {
                        pID.Add(item.PID);
                        killedProcesses.Add(Process.GetProcessById(item.PID).ProcessName);
                        try
                        {
                            Console.WriteLine("Process: " + Process.GetProcessById(item.PID).ProcessName + " is killed due to suspicious behaviour");
                            killProcess(item.PID);
                        }
                        catch (Exception)
                        {
                            //Save processname as a temp
                            Console.WriteLine("Killing of the process failed");
                        }
                    }
                    catch
                    {
                    }
                }
            }

            try
            {
                /*
                 * Console.WriteLine("Process: " + Process.GetProcessById(pID.Last()).ProcessName + " is killed due to suspicious behaviour");
                 * killedProcesses.Add(Process.GetProcessById(pID.Last()).ProcessName);
                 * killProcess(pID.Last());*/
                if (!killedFirstProcess)
                {
                    firstKilledProcessTime = DateTime.Now;
                    killedFirstProcess     = true;
                }
            }
            catch (Exception)
            {
                Console.WriteLine("Killing of  -- FAILED.");
            }

            //Console.WriteLine("Do you wish to kill? ");
            //string killInput = Console.ReadLine();



            //Dataanalysis
        }
コード例 #2
0
ファイル: Program.cs プロジェクト: NBeuschau/Speciale
        public static void shannonEntropyFileMonDetection()
        {
            Logger.getPoCRansomware();

            Thread.Sleep(1000);

            Logger.postPoCFetched();

            while (!Logger.getHasFetched())
            {
                Thread.Sleep(500);
            }

            Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);

            ActionTaker.setBackingName(BACKINGNAME);
            ActionTaker.setPathToBackingFile(pathToBackingFile);

            ProcMon.setPathToProcMon(ProcMonPath);

            FilemonEventHandler.setEntropyThreshold(entropyThreshold);
            FilemonEventHandler.setThresholdToReaction(thresholdToReaction);
            FilemonEventHandler.setSecondsInThreshold(secondsInThreshold);

            Logger.setPath1(path1);
            Logger.setPath2(path2);
            Logger.setPath3(path3);
            Logger.setPath4(path4);
            Logger.setPathFileWatch(PATH);

            //Find entropy of all files
            ShannonEntropy temp1 = new ShannonEntropy();

            temp1.getEntropyOfAllFilesInPath(path1);

            ShannonEntropy temp2 = new ShannonEntropy();

            temp2.getEntropyOfAllFilesInPath(path2);

            ShannonEntropy temp3 = new ShannonEntropy();

            temp3.getEntropyOfAllFilesInPath(path3);

            ShannonEntropy temp4 = new ShannonEntropy();

            temp4.getEntropyOfAllFilesInPath(path4);

            Dictionary <string, double> test = ShannonEntropy.getSavedEntropies();

            foreach (var item in test)
            {
                Console.WriteLine(item.Key + " - " + item.Value);
            }


            //Start procmon
            BACKINGNAME = BACKINGNAME + 0;
            var t = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME));

            t.Start();

            //Start filemon
            //When filemon sees a reaction it posts to filemoneventhandler
            //Filemoneventhandler then deems if it is nessesary to take action, using actiontaker
            Console.WriteLine(Logger.getNAMEONTEST());

            //Start logger
            //TODO fix call to server such that it is not honeypotpoc that is called
            Logger.LogWriter(PATH);

            Logger.postPoCTested();
            Logger.postPoCPosted();

            Thread.Sleep(30000);
        }
コード例 #3
0
 public static void terminateProcmon()
 {
     ProcMon.procmonTerminator(pathToBackingFile, BACKINGNAME + INDEXER);
 }