public List <MaliciousFileContainer> FindAllMaliciousFiles(int clusterToStartWith = 0)
{
using (HdWalk hdWalk = new HdWalk(_log, clusterToStartWith))
{
var tmpMaliciousList = MaliciousImageList;
MaliciousImageList = new List <MaliciousFileContainer>();
List <int> tmpList = GetRange(tmpMaliciousList.Count);
do
{
HdWalkResult res = hdWalk.GetNextBytes();
if (res == null || res.Bytes == null)
{
return(MaliciousImageList);
}
if (res.IsNewSection)
{
ResetAllStates(tmpMaliciousList);
OnNewCLusterWasScanned(MaliciousImageList, res.LastCluster);
}
_log.Info("Reading the " + res.SeekCount + "Bytes offset of HD.");
int i = 0;
while (i < res.Bytes.Length)
{
bool foundSomeMatch = false;
if (i % HdWalk.CLUSTER_SIZE == 0)
{
// Reset List.
tmpList = GetRange(tmpMaliciousList.Count);
}
for (int j = tmpList.Count - 1; j >= 0; j--)
{
if (tmpMaliciousList[tmpList[j]].LocationOffset < _startOfFile.Length)
{
if (_startOfFile[tmpMaliciousList[tmpList[j]].LocationOffset] == res.Bytes[i])
{
tmpMaliciousList[tmpList[j]].LocationOffset++;
foundSomeMatch = true;
}
else
{
tmpMaliciousList[tmpList[j]].LocationOffset = 0;
tmpList.RemoveAt(j);
continue;
}
}
else
{
if (tmpMaliciousList[tmpList[j]].File[tmpMaliciousList[tmpList[j]].LocationOffset] ==
res.Bytes[i])
{
tmpMaliciousList[tmpList[j]].LocationOffset++;
foundSomeMatch = true;
}
else
{
tmpMaliciousList[tmpList[j]].LocationOffset = 0;
tmpList.RemoveAt(j);
continue;
}
}
if (tmpMaliciousList[tmpList[j]].LocationOffset == tmpMaliciousList[tmpList[j]].File.Length)
{
_log.Info("Image found!! " + tmpMaliciousList[tmpList[j]].PathOfDummyFile);
tmpMaliciousList[tmpList[j]].LocationOffset = res.SeekCount + i + 1 -
tmpMaliciousList[tmpList[j]].File.Length;
MaliciousImageList.Add(tmpMaliciousList[tmpList[j]]);
tmpMaliciousList.RemoveAt(tmpList[j]);
// Make the rest zero.
ResetAllStates(tmpMaliciousList);
// Set the flag for reset.
foundSomeMatch = false;
break;
}
}
if (!foundSomeMatch)
{
// Fetch next cluster.
i = i / HdWalk.CLUSTER_SIZE;
int numClusters = i;
i = (i + 1) * HdWalk.CLUSTER_SIZE;
ResetAllStates(tmpMaliciousList);
// Indicate that scan state may be saved.
OnNewCLusterWasScanned(MaliciousImageList, res.LastCluster + numClusters);
}
else
{
i++;
}
}
} while (tmpMaliciousList.Count > 0 && !hdWalk.EndOfStream);
return(MaliciousImageList);
}
}
public int GetNumberOfExistingLegitFiles()
{
_log.Info("### Searching for the remaining of legit files...");
int counter = 0;
StringBuilder builder = new StringBuilder(260);
QueryDosDevice("C:", builder, 260);
using (BinaryReader reader = new BinaryReader(new DeviceStream(
String.Format(@"\\.\{0}", builder.ToString().Replace(@"\Device\", "")))))//@"\\.\HarddiskVolume4")))
{
BitArray bitmap = HdWalk.GetNtfsClusterBitmap("C:");
for (int i = 0; i < MaliciousImageList.Count; i++)
{
LegitFileContainer legitFileContainer = LegitImageList[MaliciousImageList[i].PathOfDummyFile];
// MUST READ IN CLUSTER SIZE CHUNKS!
var buffer = new byte[legitFileContainer.SizeOnDisk];
long locationOfLegit = MaliciousImageList[i].LocationOffset - legitFileContainer.SizeOnDisk;
if (bitmap[((int)(locationOfLegit / HdWalk.CLUSTER_SIZE))])
{
_log.Debug("Legit File is not set as free in bitmap YYAY!! :)");
//continue;
}
try
{
reader.BaseStream.Seek(locationOfLegit, SeekOrigin.Begin);
int count = reader.Read(buffer, 0, buffer.Length);
if (count < legitFileContainer.Size)
{
continue;
}
}
catch (Exception e)
{
_log.Error("Error At watching for files. Error: " + e);
continue;
}
for (int j = 0; j < legitFileContainer.File.Length; j++)
{
if (j < _startOfFile.Length)
{
if (buffer[j] != _startOfFile[j])
{
break;
}
}
else
{
if (legitFileContainer.File[j] != buffer[j])
{
break;
}
else if (j == legitFileContainer.File.Length - 1)
{
if (bitmap[((int)(locationOfLegit / HdWalk.CLUSTER_SIZE))])
{
_log.Debug("Legit File is not set as free in bitmap AND the file is the same!! YYAY!! :)");
break;
}
counter++;
break;
}
}
}
}
return(counter);
}
}
