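/// <summary>
/// Reaction to an entropy-threshold breach reported by the file monitor: stops the
/// Process Monitor capture that recorded the activity, starts the next capture, converts
/// the stopped capture to CSV, waits until that CSV can be opened, and then kills every
/// process listed in it except Explorer.EXE. Also stamps firstKilledProcessTime on the
/// first reaction.
/// </summary>
/// <param name="path">Path reported by the monitor. Not read by this implementation;
/// kept so existing callers keep compiling.</param>
public static void shannonReaction(string path)
{
    // Stop the capture that recorded the suspicious activity and immediately start the
    // next one, so monitoring continues while the stopped capture is analysed.
    ProcMon.procmonTerminator(pathToBackingFile, BACKINGNAME + INDEXER);
    INDEXER++;
    var stoppedIndex = INDEXER - 1;

    // Snapshot the name now: the thread body would otherwise read INDEXER when it runs,
    // which can be after a later reaction has incremented it again.
    var nextBackingName = BACKINGNAME + INDEXER;
    var captureThread = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, nextBackingName));
    captureThread.Start();
    Thread.Sleep(3000);

    // The CSV path was previously rebuilt four times; build it once.
    var csvName = "convertedFile" + stoppedIndex + ".CSV";
    var csvPath = pathToBackingFile + "\\" + csvName;
    ProcMon.convertPMLfileToCSV(pathToBackingFile, BACKINGNAME + stoppedIndex + ".PML", csvName);
    Console.WriteLine("Path to CSV file: " + csvPath);

    WaitUntilOpenable(csvPath);

    List<CSVfileHandler> parsedData = CSVfileHandler.CSVparser(csvPath);
    KillListedProcesses(parsedData);

    // Stamped on the first reaction regardless of whether any kill succeeded, as before.
    if (!killedFirstProcess)
    {
        // NOTE(review): kept as local time; other code may compare this field with
        // DateTime.Now — confirm before switching to UtcNow.
        firstKilledProcessTime = DateTime.Now;
        killedFirstProcess = true;
    }
}

/// <summary>
/// Blocks until <paramref name="csvPath"/> can be opened, i.e. the converter has
/// produced and released it. There is no upper bound: if the conversion never yields the
/// file this never returns, the same as the previous polling loop.
/// </summary>
/// <param name="csvPath">Full path of the converted CSV file.</param>
private static void WaitUntilOpenable(string csvPath)
{
    while (true)
    {
        try
        {
            // Opening fails with IOException (including FileNotFoundException) while the
            // file does not exist yet or the converter still holds it.
            using (new FileStream(csvPath, FileMode.Open))
            {
                return;
            }
        }
        catch (IOException)
        {
            // Not ready yet; poll again.
        }
        Thread.Sleep(50);
    }
}

/// <summary>
/// Kills every process in <paramref name="entries"/> except Explorer.EXE, recording each
/// attempted PID in pID and each resolved process name in killedProcesses.
/// </summary>
/// <param name="entries">Rows parsed from the converted Process Monitor CSV.</param>
private static void KillListedProcesses(List<CSVfileHandler> entries)
{
    foreach (var entry in entries)
    {
        // Ordinal, case-insensitive: Windows image names are not case-sensitive, and the
        // previous case-sensitive compare would have sent "explorer.exe" to the kill path.
        if (string.Equals(entry.processName, "Explorer.EXE", StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }

        pID.Add(entry.PID);

        string processName;
        try
        {
            // NOTE(review): the PID comes from a capture that has already ended. If that
            // process exited and the PID was reused in the meantime, this resolves — and
            // then kills — an unrelated process. Comparing the live name against
            // entry.processName before killing would close that gap.
            processName = Process.GetProcessById(entry.PID).ProcessName;
        }
        catch (Exception ex)
        {
            // Typically ArgumentException: the process is already gone. Logged instead of
            // silently swallowed so a failed lookup is visible in the console output.
            Console.WriteLine("Could not resolve PID " + entry.PID + ": " + ex.Message);
            continue;
        }
        killedProcesses.Add(processName);

        try
        {
            Console.WriteLine("Process: " + processName + " is killed due to suspicious behaviour");
            killProcess(entry.PID);
        }
        catch (Exception)
        {
            Console.WriteLine("Killing of the process failed");
        }
    }
}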
/// <summary>
/// Entry point of the entropy/file-monitor detection run: waits for the logger to fetch
/// the PoC, pushes the configured paths and thresholds into the helper classes, computes
/// and prints the baseline entropy of every file under the four watched paths, starts the
/// first Process Monitor capture and the logger, posts the PoC status and sleeps 30 s.
/// </summary>
public static void shannonEntropyFileMonDetection()
{
    Logger.getPoCRansomware();
    Thread.Sleep(1000);
    Logger.postPoCFetched();
    // Poll until the logger reports the fetch as complete; there is no upper bound.
    while (!Logger.getHasFetched())
    {
        Thread.Sleep(500);
    }

    // Hand the configuration to the collaborating static classes.
    Logger.setRansomwareDownloaderPath(RANSOMWAREDOWNLOADERPATH);
    ActionTaker.setBackingName(BACKINGNAME);
    ActionTaker.setPathToBackingFile(pathToBackingFile);
    ProcMon.setPathToProcMon(ProcMonPath);
    FilemonEventHandler.setEntropyThreshold(entropyThreshold);
    FilemonEventHandler.setThresholdToReaction(thresholdToReaction);
    FilemonEventHandler.setSecondsInThreshold(secondsInThreshold);
    Logger.setPath1(path1);
    Logger.setPath2(path2);
    Logger.setPath3(path3);
    Logger.setPath4(path4);
    Logger.setPathFileWatch(PATH);

    // Baseline: entropy of every file under each watched path, one calculator per path.
    // The results are read back through the static getSavedEntropies().
    foreach (var watchedPath in new[] { path1, path2, path3, path4 })
    {
        var calculator = new ShannonEntropy();
        calculator.getEntropyOfAllFilesInPath(watchedPath);
    }
    Dictionary<string, double> savedEntropies = ShannonEntropy.getSavedEntropies();
    foreach (var entry in savedEntropies)
    {
        Console.WriteLine(entry.Key + " - " + entry.Value);
    }

    // First Process Monitor capture: the backing name gets index 0 appended; later
    // reactions use INDEXER to name subsequent captures.
    BACKINGNAME = BACKINGNAME + 0;
    var captureThread = new Thread(() => ProcMon.createProcmonBackingFile(pathToBackingFile, BACKINGNAME));
    captureThread.Start();

    // The file monitor reports to FilemonEventHandler, which decides through ActionTaker
    // whether a reaction is warranted.
    Console.WriteLine(Logger.getNAMEONTEST());

    // TODO fix call to server such that it is not honeypotpoc that is called
    Logger.LogWriter(PATH);
    Logger.postPoCTested();
    Logger.postPoCPosted();
    Thread.Sleep(30000);
}
/// <summary>
/// Stops the Process Monitor capture currently writing the backing file named
/// BACKINGNAME + INDEXER under pathToBackingFile.
/// </summary>
public static void terminateProcmon()
{
    var currentBackingName = BACKINGNAME + INDEXER;
    ProcMon.procmonTerminator(pathToBackingFile, currentBackingName);
}