        /////////////////////////////////////////////////////
        //                                                 //
        // DoCollect()                                     //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Collects all files identified in the scan
        //              as malicious and stuffs them into a ZIP file,
        //              which is password-protected (and so encrypted)
        //              only when Reporting_Archive_Password is configured.
        //
        //              NOTE:  depends on DoSignatureScan()
        //
        //
        //Returns:      true if successful
        //////////////////////////////////////////////////////
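        private bool DoCollect()
        {
            AgentScanLog.AppendLine("");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("                  COLLECT                    ");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("");
            AgentScanLog.AppendLine("COLLECT:  Collecting evidence files...");

            //collect the following files to wrap up in archive file:
            //  1. all identified malware files (file signature matches, plus
            //     registry signature matches whose value data is a file on disk)
            //  2. infection log (InfectionLog.txt) which we create
            //  3. usb device list file (USB_Devices.txt) which we create
            //  4. .net installation log (dotnetfx_install_log.txt, if it exists)
            //
            //the logs we create are written to, and added from, the current directory.
            //
            //Returns:  always true once the zip has been saved; any failure
            //          propagates as an exception to the caller.

            //---------------------------------
            //          BUILD ZIP NAME
            //---------------------------------
            ZipFileName = Collect.BuildZipName(TotalFindingsCount);

            //dispose the zip on every exit path so that a failure part-way through
            //collection does not leave the archive handle (and its temp file) open
            using (ZipFile zip = new ZipFile(ZipFileName))
            {
                zip.TempFileFolder = ".";

                //only protect the archive if a password was configured
                if (AgentSettings.ContainsKey("Reporting_Archive_Password"))
                    ApplyArchivePassword(zip);

                int count = 0;

                AgentScanLog.AppendLine("COLLECT:  Searching file signature matches for files...");

                //---------------------------------
                //     ADD FILE SIGNATURE MATCHES
                //---------------------------------
                foreach (CwXML.FileSignatureMatch fileMatch in AgentSignatureMatches.FileSignatureMatches)
                {
                    if (Collect.AddToZip(zip, fileMatch.FullPath))
                        count++;
                }

                AgentScanLog.AppendLine("COLLECT:  Added " + count + " files.");
                count = 0;
                AgentScanLog.AppendLine("COLLECT:  Searching registry signature matches for files...");

                //---------------------------------
                //   ADD REGISTRY SIGNATURE MATCHES
                //---------------------------------
                //only registry values that name a file on disk can be collected
                foreach (CwXML.RegistrySignatureMatch registryMatch in AgentSignatureMatches.RegistrySignatureMatches)
                {
                    if (registryMatch.IsFileOnDisk && Collect.AddToZip(zip, registryMatch.RegistryValueData))
                        count++;
                }

                AgentScanLog.AppendLine("COLLECT:  Added " + count + " files.");
                AgentScanLog.AppendLine("COLLECT:  Generating infection summary report...");

                //---------------------------------
                //          ADD INFECTION LOG
                //---------------------------------
                //2.  infection log (InfectionLog.txt) which we create
                StringBuilder infectionSummaryReport = new StringBuilder();
                RegistryHelper regHelper = new RegistryHelper();
                FileHelper fileHelper = new FileHelper();
                MemoryHelper memHelper = new MemoryHelper();
                regHelper.PrintRegistryFindings(AgentSignatureMatches.RegistrySignatureMatches, ref infectionSummaryReport);
                fileHelper.PrintFileFindings(AgentSignatureMatches.FileSignatureMatches, ref infectionSummaryReport);
                memHelper.PrintMemoryFindings(AgentSignatureMatches.MemorySignatureMatches, ref infectionSummaryReport);
                WriteEvidenceTextFile("InfectionLog.txt", infectionSummaryReport.ToString());
                zip.AddFile("InfectionLog.txt");

                AgentScanLog.AppendLine("COLLECT:  Enumerating USB Devices...");

                //---------------------------------
                //          ADD USB DEVICES LOG
                //---------------------------------
                //3.  usb device list file (USB_Devices.txt) which we create
                StringBuilder usbDevicesReport = new StringBuilder();
                Collect.EnumerateUSBDevices(ref usbDevicesReport);
                WriteEvidenceTextFile("USB_Devices.txt", usbDevicesReport.ToString());
                zip.AddFile("USB_Devices.txt");

                //---------------------------------
                //          ADD .NET LOG
                //---------------------------------
                //4.  .net installation log (if exists) -- best effort, it is optional,
                //    but record why it was skipped instead of silently dropping it
                try
                {
                    if (File.Exists("dotnetfx_install_log.txt"))
                        zip.AddFile("dotnetfx_install_log.txt");
                }
                catch (Exception ex)
                {
                    AgentScanLog.AppendLine("COLLECT:  Could not add dotnetfx_install_log.txt: " + ex.Message);
                }

                AgentScanLog.AppendLine("COLLECT:  All evidence collected.");
                AgentScanLog.AppendLine("COLLECT:  Saving zip to disk...");
                zip.Save();
            } //at this point zip is closed and written to disk

            return true;
        }

        /////////////////////////////////////////////////////
        //                                                 //
        // ApplyArchivePassword()                          //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Loads Reporting_Archive_Password into the
        //              ZipPassword SecureString and applies it to
        //              the archive.
        //
        //              NOTE:  the SecureString adds little protection
        //              here -- the plaintext already lives in
        //              AgentSettings and the zip library needs it
        //              back as a System.String -- but ZipPassword is
        //              a field, so it is still populated in case it
        //              is read elsewhere.
        //////////////////////////////////////////////////////
        private void ApplyArchivePassword(ZipFile zip)
        {
            char[] chars = AgentSettings["Reporting_Archive_Password"].ToCharArray();
            try
            {
                ZipPassword = new SecureString();
                foreach (char c in chars)
                    ZipPassword.AppendChar(c);
            }
            finally
            {
                //clear our own copy of the plaintext as soon as it has been consumed
                Array.Clear(chars, 0, chars.Length);
            }

            //decrypt our password in memory for the zip library; free (and zero)
            //the BSTR even if the managed copy cannot be made
            IntPtr pptr = Marshal.SecureStringToBSTR(ZipPassword);
            try
            {
                zip.Password = Marshal.PtrToStringBSTR(pptr);
            }
            finally
            {
                Marshal.ZeroFreeBSTR(pptr);
            }
        }

        /////////////////////////////////////////////////////
        //                                                 //
        // WriteEvidenceTextFile()                         //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Writes (overwrites) a text report to the
        //              given path in the current directory, closing
        //              the writer even if the write throws.
        //////////////////////////////////////////////////////
        private static void WriteEvidenceTextFile(string path, string contents)
        {
            using (StreamWriter writer = new StreamWriter(path))
            {
                writer.WriteLine(contents);
            }
        }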